nanog mailing list archives

Re: Open Resolver Problems

From: Jared Mauch <jared () puck nether net>
Date: Mon, 1 Apr 2013 16:23:57 -0400


On Apr 1, 2013, at 4:19 PM, Niels Bakker <niels=nanog () bakker net> wrote:

On Apr 01, 2013, at 11:55 , "Milt Aitken" <milt () net2atlanta com> wrote:

Most of our DSL customers have modem/routers that resolve DNS externally.
And most of those have no configuration option to stop it.
So, we took the unfortunate step of ACL blocking DNS requests to & from the DSL network unless the requests are to 
our DNS servers.

Suboptimal, but it stopped the DNS amplification attacks.


Wow.  Glad I'm not a customer of yours.


I would say this is the wrong solution.  Prevent your customers from spoofing is the first step, then ask them to fix 
their broken CPE.

If NETGEAR is listening on the WAN side vs the LAN/INSIDE they need to step up and issue fixed firmware, even if the 
device is older.  Should be a simple fix.

* patrick () ianai net (Patrick W. Gilmore) [Mon 01 Apr 2013, 18:04 CEST]:

I was going to suggest exactly this.

Don't most broadband networks have a line in their AUP about running servers?


Huh?  No.  Thankfully.  Not all of us are mindless consumers.


I think it's easier to just classify an open-resolver similar to an open-relay without having to invoke the consumer 
mindset.

- Jared

Current thread:

Re: Open Resolver Problems, (continued)
- - Re: Open Resolver Problems Patrick W. Gilmore (Apr 01)
    - Re: Open Resolver Problems Dobbins, Roland (Apr 01)
    - Re: Open Resolver Problems Patrick W. Gilmore (Apr 01)
    - Re: Open Resolver Problems Dobbins, Roland (Apr 01)
    - Re: Open Resolver Problems Niels Bakker (Apr 01)
    - RE: Open Resolver Problems Keith Medcalf (Apr 01)
    - Re: Open Resolver Problems Måns Nilsson (Apr 01)
    - Re: Open Resolver Problems Mikael Abrahamsson (Apr 01)
    - Re: Open Resolver Problems Måns Nilsson (Apr 02)
    - Re: Open Resolver Problems Niels Bakker (Apr 01)
    - Re: Open Resolver Problems Jared Mauch (Apr 01)
    - Re: Open Resolver Problems Niels Bakker (Apr 01)
    - Re: Open Resolver Problems Mark Andrews (Apr 01)
    - Re: Open Resolver Problems Dobbins, Roland (Apr 01)
    - Re: Open Resolver Problems Mark Andrews (Apr 01)
    - Re: Open Resolver Problems Dobbins, Roland (Apr 01)
    - Re: Open Resolver Problems Owen DeLong (Apr 01)
    - Re: Open Resolver Problems Paul Ferguson (Apr 01)
    - Re: Open Resolver Problems Dobbins, Roland (Apr 01)
    - Re: Open Resolver Problems Owen DeLong (Apr 01)
    - Re: Open Resolver Problems Dobbins, Roland (Apr 01)

(Thread continues...)