nanog mailing list archives
Re: Malicious DNS request?
From: Brad Knowles <brad () stop mail-abuse org>
Date: Thu, 12 May 2005 17:48:27 +0200
At 11:26 AM -0400 2005-05-12, Valdis.Kletnieks () vt edu wrote:
It's often suggested that you have *two* DNS setups - one that only answers requests from inside for recursion and caching, and an authoritative one that faces out and refuses to recurse.
The original question from Joe Shen said that a remote computer was asking questions about certain servers, but did not specify whether or not the "remote computer" in question was a customer. Gadi's response was to refuse to answer requests for domains that you don't own, which didn't address the issue of whether or not the "remote computer" was a customer, or what kind of server that Joe was running.
Your answer is the complete and correct one, at least for the technical issue of how you should br running your nameservers so that you avoid external abuse and reduce the probability of having your DNS servers compromised.
It's taken us a while to get to this correct and complete answer, however. -- Brad Knowles, <brad () stop mail-abuse org> "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." -- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755 SAGE member since 1995. See <http://www.sage.org/> for more info.
Current thread:
- Malicious DNS request? Joe Shen (May 12)
- Re: Malicious DNS request? Suresh Ramasubramanian (May 12)
- Re: Malicious DNS request? Gadi Evron (May 12)
- Re: Malicious DNS request? Brad Knowles (May 12)
- Re: Malicious DNS request? Valdis . Kletnieks (May 12)
- Re: Malicious DNS request? Brad Knowles (May 12)
- Message not available
- Re: Malicious DNS request? Bill Stewart (May 15)
- Re: Malicious DNS request? Brad Knowles (May 12)
- <Possible follow-ups>
- Re: Malicious DNS request? Joe Shen (May 17)
- Re: Malicious DNS request? Paul Vixie (May 17)
- Network Mitigation Devices Kevin Billings (May 17)
- Microsoft broke MTU discovery by last security pathces?? Alexei Roudnev (May 17)
- Re: Microsoft broke MTU discovery by last security pathces?? Mike Tancsa (May 17)
- Re: Malicious DNS request? Paul Vixie (May 17)
- Re: Malicious DNS request? Brad Knowles (May 17)