[dns-operations] Configurable TC=1?

Andrew Boling aboling at gmail.com
Thu Dec 24 03:30:59 UTC 2015


On Wed, Dec 23, 2015 at 9:07 PM, Roland Dobbins <rdobbins at arbor.net> wrote:

> On 24 Dec 2015, at 8:26, Robert Edmonds wrote:
>
> spoofed traffic from compromised "dedicated servers" sitting in data
>> centers?
>>
>
> This is by far the most significant set of attack initiators, IMHO.


Another one is customer owned open resolvers. No surprise there, but a
large number of these devices go on to forward the queries back into the
ISP's DNS servers. It defeats the receiving ISP's BCP38 implementation, and
the result is the ISP's DNS servers participating in attacks in a manner
similar to the protections not being in place. As if it weren't already
hard to objectively measure how well an ISP implements it.

It's useless prattling on my part, but it's interesting to me because the
lack of BCP38 on the transmitting side ends up being "laundered" by the
receiving party. Port 53 filters (similar to port 25 filters) becoming an
industry standard for residential customers is another part of the
solution, but it gets sticky because you then break anything customer owned
that assumes it needs to source all outbound queries on port 53.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20151223/b035bae2/attachment.html>


More information about the dns-operations mailing list