nanog mailing list archives
Re: DNS DoS ???
From: Jimmy Hess <mysidia () gmail com>
Date: Sat, 30 Jul 2011 15:08:59 -0500
On Sat, Jul 30, 2011 at 11:33 AM, Drew Weaver <drew.weaver () thenap com> wrote:

> And at this point he may as well just ACL in-front of the recursors to prevent the traffic from hitting the servers thus reducing load needed to reject the queries on the servers themselves.
A problem for providers of DNS recursive servers as a hosted service, is the client sender IP address may be dynamic and off-net.

And the DNS protocol does not provide a method of authentication, or passing credentials from the client to the server to authorize the use of recursive DNS. This differs from SMTP.

There really is no such thing as a "closed recursive resolver", except where unwanted queries are blocked by IP. All we really have is TSIG for such scenarios, and most client resolvers do not support loading the resolver with a secret key, in order to authorize recursive access.

So it follows, that in a number of cases, "closing recursive access" is not a good option. A good example, would be services such as OpenDNS.

Regards,
--
-JH
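The post contrasts the two tools a recursor operator actually has: an IP-based ACL, and TSIG, the only per-query authentication DNS itself offers. The following is an added example, not code from the thread or from any resolver, of what "authorize recursion by shared key instead of by source address" looks like on the wire: a minimal RFC 8945 TSIG signer and verifier (hmac-sha256, no name compression in the messages it builds) plus a policy function that admits a query if it carries a valid TSIG for a known key and otherwise falls back to an on-net prefix check. The key name `client1.example.`, its secret, the `192.0.2.0/24` on-net prefix and the query are all constructed for the demo.

```python
"""Added example: TSIG-authorized recursion vs. IP ACL (not from the thread)."""
import hashlib
import hmac
import ipaddress
import struct
import time

TSIG_TYPE, CLASS_ANY = 250, 255
ALGO = "hmac-sha256."
TSIG_BADSIG, TSIG_BADKEY, TSIG_BADTIME = 16, 17, 18

# Constructed demo key and on-net prefix (assumptions, not real data).
KEYS = {"client1.example.": b"constructed-demo-secret-not-for-production"}
ONNET = ["192.0.2.0/24"]


def wire_name(name: str) -> bytes:
    """Dotted name -> canonical (lowercase, uncompressed) wire format."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.lower().rstrip(".").split(".") if l)
    return out + b"\x00"


def read_name(msg: bytes, off: int):
    """Read a wire-format name (following compression pointers); return (name, next_offset)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            jumped, off = True, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)


def build_query(qname: str, qtype: int = 1, msg_id: int = 0x1234) -> bytes:
    """Plain recursive (RD=1) query with one question and no additional records."""
    return struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0) + wire_name(qname) + struct.pack("!HH", qtype, 1)


def _tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """RFC 8945 s4.3.3: NAME, CLASS, TTL, Algorithm, Time Signed (48 bit), Fudge, Error, Other."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALGO)
            + struct.pack("!Q", time_signed)[2:] + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg: bytes, key_name: str, secret: bytes, time_signed=None, fudge: int = 300) -> bytes:
    """Append a TSIG RR to an unsigned request and bump ARCOUNT."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, msg + _tsig_variables(key_name, time_signed, fudge), hashlib.sha256).digest()
    rdata = (wire_name(ALGO) + struct.pack("!Q", time_signed)[2:] + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], 0, 0))
    rr = wire_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    hdr = bytearray(msg[:12])
    hdr[10:12] = struct.pack("!H", struct.unpack("!H", msg[10:12])[0] + 1)
    return bytes(hdr) + msg[12:] + rr


def tsig_verify(signed: bytes, keys: dict, now=None):
    """Return (key_name, None) if the last additional RR is a valid TSIG, else (None, tsig_error)."""
    now = int(time.time()) if now is None else now
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        return None, TSIG_BADKEY                    # unsigned query
    off = 12
    for _ in range(qd):                             # skip question section
        _, off = read_name(signed, off)
        off += 4
    for _ in range(an + ns + ar - 1):               # skip every RR before the last one
        _, off = read_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = read_name(signed, off)
    rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    off += 10
    if rtype != TSIG_TYPE:
        return None, TSIG_BADKEY
    algo, off = read_name(signed, off)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    off += 10
    mac, off = signed[off:off + mac_size], off + mac_size
    _orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    secret = keys.get(key_name.lower())
    if secret is None or algo.lower() != ALGO:
        return None, TSIG_BADKEY
    hdr = bytearray(signed[:12])                    # rebuild the message as it was before signing
    hdr[10:12] = struct.pack("!H", ar - 1)
    unsigned = bytes(hdr) + signed[12:tsig_start]
    expected = hmac.new(secret, unsigned + _tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):      # MAC first: BADTIME must itself be signed
        return None, TSIG_BADSIG
    if abs(now - time_signed) > fudge:
        return None, TSIG_BADTIME
    return key_name.lower(), None


def allow_recursion(query: bytes, src_ip: str, keys=KEYS, onnet=ONNET, now=None) -> bool:
    """Key beats address: a valid TSIG admits an off-net client; otherwise fall back to the IP ACL."""
    key, _err = tsig_verify(query, keys, now)
    if key is not None:
        return True
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in onnet)
```

The verifier checks the key, then the MAC, then the time window, in that order, because RFC 8945 requires a BADTIME response to carry a valid signature, so the signature has to be known good first. The policy function is the post's point in code: without a TSIG the only thing the recursor can decide on is the source address, which is exactly what a dynamic off-net client of a hosted resolver does not have.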
Current thread:
- Re: DNS DoS ???, (continued)
- Re: DNS DoS ??? Stefan Fouant (Jul 29)
- Re: DNS DoS ??? Thomas York (Jul 29)
- RE: DNS DoS ??? Drew Weaver (Jul 29)
- RE: DNS DoS ??? Blake T. Pfankuch (Jul 29)
- Re: DNS DoS ??? Dobbins, Roland (Jul 29)
- RE: DNS DoS ??? Drew Weaver (Jul 30)
- RE: DNS DoS ??? Jon Lewis (Jul 30)
- RE: DNS DoS ??? Alex Nderitu (Jul 30)
- Re: DNS DoS ??? John Adams (Jul 30)
- Re: DNS DoS ??? Mike Sabbota (Jul 30)
- RE: DNS DoS ??? Drew Weaver (Jul 30)
- Re: DNS DoS ??? Jimmy Hess (Jul 30)
- Re: DNS DoS ??? Dobbins, Roland (Jul 30)
- Re: DNS DoS ??? Jimmy Hess (Jul 30)
- Re: DNS DoS ??? Dobbins, Roland (Jul 30)
- Re: DNS DoS ??? Mark Andrews (Jul 31)
- Re: DNS DoS ??? Dobbins, Roland (Jul 31)
- Re: DNS DoS ??? Mark Andrews (Jul 31)
- Re: DNS DoS ??? Dobbins, Roland (Jul 31)