nanog mailing list archives
Re: DNS DoS ???
From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Mon, 1 Aug 2011 00:49:22 +0000
On Aug 1, 2011, at 7:42 AM, Mark Andrews wrote:
> Named already takes proper precautions by default. Recursive service is limited to directly connected networks by default. The default was first changed in 9.4 (2007) which is about to go end-of-life once the final wrap up release is done.
This alone isn't enough. There are quite a few other things folks must do from an architectural and operational standpoint which aren't found in named.conf.
> The real problem is that many ISP's don't do effective ingress/egress filtering.
Well, no. The real problem is a protocol set/implementation which lends itself so readily to spoofing in the first place, followed (as you say) by ISP/endpoint network inattention to anti-spoofing, followed by protocols which make use of the eminently-spoofable UDP for a critical service.
> This prevents compromised machines impersonating other machines.
Concur, but see above - spoofing is the symptom, not the disease.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

The basis of optimism is sheer terror.

-- Oscar Wilde
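As an added example (not from this thread or from the BIND project's own documentation), the named.conf pattern the exchange is about: an open resolver beside the restricted form, where recursion and cache access are limited to the networks the server actually serves. The `trusted` ACL name and its prefixes are constructed placeholders.

```conf
// Constructed example, not part of the original thread: BIND 9 named.conf.
// WEAK: recursion for any source, so spoofed-source UDP queries turn this
// server into a reflector that answers toward the spoofed victim.
//
//   options {
//       recursion yes;
//       allow-recursion { any; };
//   };

// RESTRICTED: recursion only for networks this server serves.
// The prefixes are documentation ranges used as placeholders; substitute
// your own customer ranges.
acl "trusted" {
    localhost;
    localnets;           // directly connected networks (the 9.4+ default scope)
    192.0.2.0/24;        // placeholder prefix
    2001:db8::/32;       // placeholder prefix
};

options {
    recursion yes;
    allow-recursion { trusted; };    // who may ask this server to recurse
    allow-query-cache { trusted; };  // who may read cached (non-authoritative) data
    allow-query { any; };            // authoritative zones stay publicly answerable

    // Response Rate Limiting, available from BIND 9.9.4 (later than the 9.4-era
    // releases discussed above): caps identical answers per source netblock so a
    // spoofed victim is not flooded with amplified replies from this server.
    rate-limit {
        responses-per-second 5;
        window 5;
    };
};
```

This only addresses the named.conf side; the ingress/egress (anti-spoofing) filtering the thread calls for lives on the network edge, not in the resolver.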