nanog mailing list archives
Re: Tightened DNS security question re: DNS amplification attacks.
From: Nate Itkin <nanog () konadogs net>
Date: Tue, 27 Jan 2009 14:59:40 -1000
On Wed, Jan 28, 2009 at 10:36:29AM +1100, Mark Andrews wrote:
> < ... snip ... >
> deny udp host 64.57.246.146 neq 53 any eq 53
>
> Which pre-supposes that 64.57.246.146 is not emitting queries of its own. BCP 140 looked at this problem and concluded that sending REFUSED was the best general guidance that can be given. While BCP 140 applies to recursive servers, returning REFUSED to queries which are not within the namespace served by authoritative servers is entirely consistent with BCP 140.
Agree. Thank you for catching that. I should have elaborated that one must be very judicious about adding ACLs for the reasons you mentioned. One of the DOS victims had explicitly said not to expect queries from two of the recent targets, but yeah, not necessarily a good plan in the general case.

Best wishes,
Nate Itkin
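As an added illustration of the REFUSED guidance discussed above (example code written for this page, not from the thread or from any DNS implementation), the sketch below shows the authoritative-server behaviour BCP 140 points at: a query for a name outside the served namespace gets a header-only REFUSED reply that echoes the question and nothing else, so it is no larger than the query and offers no amplification, while in-zone names are passed on to the normal lookup. The zone list, the hostnames and the query are constructed for the example.

```python
import struct

# Constructed example: the zones this authoritative server is meant to answer for.
SERVED_ZONES = ("example.net.",)

def build_query(txid, name, qtype=1):
    """Encode a plain UDP DNS query (RD set, one question, class IN)."""
    labels = name.rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + wire + struct.pack("!2H", qtype, 1)

def parse_question(msg):
    """Return (txid, qname, raw question section) from a query on the wire."""
    txid = struct.unpack("!H", msg[:2])[0]
    off, labels = 12, []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1 + 4          # terminating zero label, then QTYPE and QCLASS
    return txid, ".".join(labels) + ".", msg[12:off]

def in_served_namespace(qname):
    q = qname.lower()
    return any(q == z or q.endswith("." + z) for z in SERVED_ZONES)

def rcode(msg):
    """RCODE is the low four bits of the flags word (RFC 1035 section 4.1.1)."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F

def refuse_if_out_of_zone(query):
    """Return a REFUSED reply for names outside SERVED_ZONES, or None to let
    the normal authoritative lookup handle an in-zone name."""
    txid, qname, question = parse_question(query)
    if in_served_namespace(qname):
        return None
    rd = struct.unpack("!H", query[2:4])[0] & 0x0100   # copy RD back as servers do
    flags = 0x8000 | rd | 0x0005                        # QR=1, RCODE=5 (REFUSED)
    # Header plus the echoed question only: no answer, authority or additional RRs,
    # so the reply is no larger than the query that triggered it.
    return struct.pack("!6H", txid, flags, 1, 0, 0, 0) + question

def amplification_factor(query, reply):
    return len(reply) / len(query)

if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com.")      # not in our namespace
    r = refuse_if_out_of_zone(q)
    print(rcode(r), amplification_factor(q, r))       # 5 1.0
```

Contrast this with the `deny ... neq 53 any eq 53` ACL quoted above, which also drops the named host's own legitimate queries from ephemeral source ports; REFUSED keeps the server answering while removing the amplification.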