nanog mailing list archives

Re: Open Resolver Problems


From: Måns Nilsson <mansaxel () besserwisser org>
Date: Mon, 25 Mar 2013 21:51:06 +0100

Subject: Re: Open Resolver Problems Date: Mon, Mar 25, 2013 at 12:45:40PM -0400 Quoting Joe Abley (jabley () hopcount ca):

> DNS servers (recursive and authoritative-only) are the low-hanging fruit du jour. I agree that there are many other
> effective amplifiers, and that even maximum DNS hygiene will not make the wider problem go away.
>
> A quick note on your final comment, though: whilst adaptive response rate limiting (so-called RRL) is fast developing
> into an effective mitigation for reflection attacks against authority-only servers, there is far less experience with
> traffic patterns or the effects of rate-limiting (using RRL or anything else) on recursive servers.
>
> The best advice for operation of recursive servers remains "restrict access to legitimate clients", not "apply
> rate-limiting".

Twice agree.  I try to have ::1 as resolver on my server machines that
are in a position to be used, and only accept queries on ::1. Takes care
of access control nicely.

For auth servers, those serving DNSSEC records are especially attractive
as amplifiers. At the moment, I'd have a hard time defending unrestricted
query rates on auth servers if they serve DNSSEC.

I've successfully applied the Redbarn patches to my BIND, and I expect
the NSD rate-control to be of similar quality, or better.

-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
BELA LUGOSI is my co-pilot ...
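An added illustration of the two recommendations in this exchange (restrict a recursive server to legitimate clients; rate-limit an authoritative one), not part of the original thread: BIND 9 named.conf fragments showing the open configuration beside the restricted ones. It assumes BIND 9.9.4 or later, where the Redbarn RRL work ships as the built-in rate-limit statement; the three options blocks are alternatives, one per server role, not one file.

```conf
// Added example, not from the original thread. Assumes BIND 9.9.4+ (RRL built in).
// Each options block below is a separate server's configuration; pick one.

// (a) Open recursive resolver: answers recursive queries from anyone, so it
//     can be used as a reflector. Shown only as the "before" state.
options {
    listen-on { any; };
    listen-on-v6 { any; };
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };
};

// (b) Recursive resolver for the local host only, the ::1 approach from the
//     mail above: nothing off-host can reach it, so the listen address itself
//     is the access control. "localhost" is a built-in BIND ACL.
options {
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
    recursion yes;
    allow-query { localhost; };
    allow-recursion { localhost; };
};

// (c) Authoritative-only server, e.g. one serving DNSSEC-signed zones whose
//     large responses make attractive amplifiers: recursion off, minimal
//     answers, and response rate limiting (RRL) on identical responses.
options {
    listen-on { any; };
    listen-on-v6 { any; };
    recursion no;                 // never answer recursive queries
    allow-recursion { none; };
    allow-query { any; };         // authoritative data is public by design
    minimal-responses yes;        // omit optional additional records: smaller answers
    rate-limit {
        responses-per-second 5;   // identical answers per client prefix per second
        window 5;                 // seconds over which the per-prefix credit accrues
        slip 2;                   // every 2nd dropped reply is sent truncated (TC=1),
                                  // so a real client retries over TCP
        log-only no;              // set to yes first to observe what would be dropped
    };
};
```

Run named-checkconf on the result before reloading; with log-only yes the rate-limit block logs what it would have dropped, which is the safe way to size responses-per-second for a given server before enforcing it.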
