nanog mailing list archives
Re: Open Resolver Problems
From: Joe Abley <jabley () hopcount ca>
Date: Mon, 1 Apr 2013 14:33:57 -0400
On 2013-04-01, at 14:19, Jay Ashworth <jra () baylink com> wrote:
> From: "Roland Dobbins" <rdobbins () arbor net>
>> On Apr 1, 2013, at 11:18 PM, Patrick W. Gilmore wrote:
>>> Of course, since users shouldn't be using off-net name servers anyway, this isn't really a problem! :)
>>
>> It's easy enough to construct ACLs to restrict the broadband consumer access networks from doing so. Additional egress filtering would catch any reflected attacks, per your previous comments.
>
> So, how would Patrick's caveat affect me, whose recursive resolver *is on my Linux laptop*? Would not that recursor be making queries he advocates blocking?

The badness that Patrick is talking about blocking are DNS responses being sent from consumer devices to the Internet, answering DNS queries being sent from the Internet towards consumer devices. (I think. This thread is sufficiently circular that I feel a bit dizzy, and could be mistaken.)

The DNS traffic outbound from your laptop will be DNS queries (not responses) and the inbound traffic will be DNS responses (not queries). The traffic profiles are different.

The case where infected consumer devices originate source-spoofed queries towards open resolvers, feeding a query stream to an amplifier for delivery to a victim, is mitigated by preventing those consumer devices from spoofing their source address, so BCP38.

The case where infected consumer devices originate non-source-spoofed queries towards DNS servers in order to overwhelm the servers themselves with perfectly legitimate-looking queries is a harder problem to solve at the edge, and is most easily mitigated for DNS server operators by the approach "ensure great headroom".

Joe
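
Added example, not part of the message above or of the list archive: a sketch of the edge classification the message describes, using the DNS header QR bit and the side a datagram arrived from to separate a laptop recursor's traffic from open-resolver traffic. The consumer prefix, the "access"/"upstream" ingress labels, the function names and the sample messages are all constructed assumptions.

```python
import ipaddress
import struct

# Constructed consumer access prefix (documentation range), assumed for this example.
CONSUMER_NET = ipaddress.ip_network("198.51.100.0/24")

def make_msg(response):
    """Build a constructed DNS message: header plus one question (example.com A)."""
    flags = 0x8180 if response else 0x0100  # QR is the top bit of the flags word
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)

def is_response(payload):
    """Read the QR bit from the 12-byte DNS header."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", payload[2:4])[0]
    return bool(flags & 0x8000)

def classify(ingress, src, dst, sport, dport, payload):
    """Classify a UDP datagram at the consumer edge.

    ingress is "access" (arrived from the consumer side) or "upstream".
    """
    src_in = ipaddress.ip_address(src) in CONSUMER_NET
    if ingress == "access" and not src_in:
        # Source address does not belong to the access network it came from.
        return "drop: spoofed source (BCP38)"
    if 53 not in (sport, dport):
        return "not-dns"
    try:
        resp = is_response(payload)
    except ValueError:
        return "drop: malformed"
    if ingress == "access":
        if not resp and dport == 53:
            # A non-spoofed query flood also lands here: it looks legitimate at the edge.
            return "allow: outbound query"
        if resp and sport == 53:
            return "block: outbound response from consumer device"
    else:
        if resp and sport == 53:
            return "allow: inbound response"
        if not resp and dport == 53:
            return "block: inbound query to consumer device"
    return "other"
```
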