nanog mailing list archives

Re: Open Resolver Problems


From: Joe Abley <jabley () hopcount ca>
Date: Wed, 27 Mar 2013 15:03:17 -0400


On 2013-03-27, at 14:52, Jared Mauch <jared () puck nether net> wrote:

> I am very concerned about examples such as this possibly being implemented by a well intentioned sysadmin or neteng 
> type without understanding their query load and patterns.  bind with the rrl patch does log when things are 
> happening.  While the data is possible to extract from iptables, IMHO it's not quite as easy to audit as a syslog.

For an authoritative-only server, people can expect coarse rate-limits such as those quoted earlier with iptables to 
give false positives and to reject legitimate queries. RRL is far safer.

For a recursive server, I agree you need a much better understanding of your traffic patterns before you try something 
like the iptables example. Dropping queries from your own clients' stub resolvers has an immediate support cost. You 
*really* don't want false positives, there.


Joe
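Added illustration of the false-positive argument above (not part of the thread or of BIND): a constructed Python simulation compares a coarse per-source-address limit, the style of limit the thread calls the iptables example, with a simplified limiter keyed the way RRL keys its counters (client netblock plus identical response). The traffic sample, thresholds and log-line format are assumptions; the /24 client grouping follows BIND RRL's default ipv4-prefix-length.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed one-second traffic sample (not real data): a NAT'd office whose
# many stub resolvers sit behind 198.51.100.7 asks 40 distinct questions, while
# a spoofed victim address 203.0.113.9 repeats one large ANY question 40 times.
SAMPLE = ([("legit", "198.51.100.7", "host%d.example.net" % i, "A") for i in range(40)]
          + [("attack", "203.0.113.9", "example.net", "ANY")] * 40)


def coarse_source_limit(queries, per_source_max=20):
    """Coarse firewall-style limit (assumed shape of the iptables example): after
    per_source_max packets from one source address, drop the rest regardless of
    what was asked. Returns a dict of dropped counts keyed by traffic kind."""
    seen = defaultdict(int)
    dropped = {"legit": 0, "attack": 0}
    for kind, src, _qname, _qtype in queries:
        seen[src] += 1
        if seen[src] > per_source_max:
            dropped[kind] += 1
    return dropped


def rrl(queries, responses_per_second=5, prefix_len=24):
    """Simplified response rate limiting: count *identical responses* sent to a
    client netblock, so a burst of distinct legitimate questions from one NAT
    address is untouched while a repeated reflection question is throttled.
    Also returns log lines (constructed format, not BIND's) so the decision is
    auditable, which is the point made about syslog above."""
    seen = defaultdict(int)
    dropped = {"legit": 0, "attack": 0}
    log = []
    for kind, src, qname, qtype in queries:
        block = ip_network("%s/%d" % (src, prefix_len), strict=False)
        key = (str(block), qname.lower(), qtype)  # the response identity RRL counts
        seen[key] += 1
        if seen[key] > responses_per_second:
            dropped[kind] += 1
            if seen[key] == responses_per_second + 1:  # log once per limited key
                log.append("limit responses to %s for %s IN %s" % key)
    return dropped, log


if __name__ == "__main__":
    print("coarse per-source limit dropped:", coarse_source_limit(SAMPLE))
    drops, log = rrl(SAMPLE)
    print("RRL dropped:", drops)
    print("\n".join(log))
```

The coarse limiter drops half of the office's legitimate queries to stop the same share of the attack, while the response-keyed limiter drops none of them and throttles the repeated question alone.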
