nanog mailing list archives

Re: DNS DoS ???


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Mon, 1 Aug 2011 00:49:22 +0000

On Aug 1, 2011, at 7:42 AM, Mark Andrews wrote:

> Named already takes proper precautions by default.  Recursive service is limited to directly connected networks by
> default.  The default was first changed in 9.4 (2007) which is about to go end-of-life once the final wrap-up release is done.

This alone isn't enough.  There are quite a few other things folks must do from an architectural and operational 
standpoint which aren't found in named.conf.

> The real problem is that many ISPs don't do effective ingress/egress filtering.

Well, no.  The real problem is a protocol set/implementation which lends itself so readily to spoofing in the first 
place, followed (as you say) by ISP/endpoint network inattention to anti-spoofing, followed by protocols which make use 
of the eminently-spoofable UDP for a critical service.

> This prevents compromised machines from impersonating other machines.

Concur, but see above - spoofing is the symptom, not the disease.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

                The basis of optimism is sheer terror.

                          -- Oscar Wilde
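The two controls the thread contrasts, named's post-9.4 default of recursing only for directly connected networks and BCP38-style ingress filtering at the ISP edge, modelled as policy checks over constructed sample events. This is an added illustration, not code from the thread or from BIND; the network prefixes, interface names and events are all made up for the example.

```python
import ipaddress

# Directly connected networks of a hypothetical resolver host, standing in for
# what BIND's "localnets" ACL expands to. Constructed values.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:1::/64")]

# Source prefixes assigned to each customer-facing interface, as a BCP38 ingress
# filter would know them. Interfaces absent from this table are treated as
# trusted internal ports. Constructed topology.
INGRESS_PREFIXES = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/25")],
}

def recursion_allowed(client: str, local_nets=LOCAL_NETS) -> bool:
    """Mirror named's default: recurse only for localhost and localnets."""
    addr = ipaddress.ip_address(client)
    return addr.is_loopback or any(addr in net for net in local_nets)

def ingress_ok(iface: str, src: str, table=INGRESS_PREFIXES) -> bool:
    """BCP38 check: a packet entering iface must carry a source from that iface's prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in table.get(iface, []))

# Constructed sample events: (ingress interface, source IP, recursion-desired flag).
SAMPLE = [
    ("cust-a", "198.51.100.7", True),   # genuine customer, but not a local net: refuse recursion
    ("cust-a", "192.0.2.9", True),      # claims the resolver's own LAN from a customer port: spoofed
    ("cust-b", "203.0.113.200", True),  # outside cust-b's /25: spoofed
    ("lan", "192.0.2.20", True),        # directly connected client: recursion served
]

def classify(events):
    """Return (src, verdict) pairs: ingress filter first, then the resolver's recursion ACL."""
    out = []
    for iface, src, rd in events:
        if iface in INGRESS_PREFIXES and not ingress_ok(iface, src):
            out.append((src, "drop: spoofed source at ingress"))
        elif rd and not recursion_allowed(src):
            out.append((src, "refused: recursion not allowed"))
        else:
            out.append((src, "served"))
    return out

if __name__ == "__main__":
    for src, verdict in classify(SAMPLE):
        print(f"{src:16} {verdict}")
```

Note that the second event passes the resolver's own ACL (the source looks local) and is stopped only by the edge filter, which is the point about spoofing being the underlying problem.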
