nanog mailing list archives

RE: DNS DoS ???


From: Drew Weaver <drew.weaver () thenap com>
Date: Sat, 30 Jul 2011 12:33:14 -0400
-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins () arbor net] 
Sent: Friday, July 29, 2011 6:40 PM
To: NANOG list
Subject: Re: DNS DoS ???

On Jul 30, 2011, at 1:51 AM, Elliot Finley wrote:

My DNS servers were getting slow, so I blocked recursive queries for all but my own network.

This should be the standard practice. By operating an open recursor, you lend your DNS server to abuse as a contributor to DNS reflection/amplification attacks.

-----------------------------------------------------------------------

And at this point he may as well just ACL in front of the recursors to prevent the traffic from hitting the servers, thus reducing the load needed to reject the queries on the servers themselves.

-Drew
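As an added example that is not part of the thread, a BIND 9 named.conf fragment showing the open-recursor setting beside the restricted one the posters describe; the acl name, the prefixes and the directory are placeholders to be replaced with your own.

```conf
// Added example (not from the NANOG thread): BIND 9 named.conf fragment.
// The acl name, prefixes and directory are placeholders.

acl "my-networks" {
    localhost;
    localnets;
    192.0.2.0/24;        // placeholder: your own customer/infrastructure prefix
    2001:db8::/32;       // placeholder: your own IPv6 prefix
};

options {
    directory "/var/named";   // placeholder

    // WEAK (open recursor): anyone on the Internet may recurse through this
    // server, so it can be used as a reflector/amplifier and its load is
    // set by strangers. Shown commented out for comparison only.
    // recursion yes;
    // allow-recursion { any; };

    // RESTRICTED: recurse only for your own networks. Other sources get
    // REFUSED for non-authoritative names, which stops the amplification
    // but still costs the server a packet and a few cycles per query.
    recursion yes;
    allow-recursion { "my-networks"; };
    allow-query-cache { "my-networks"; };

    // Keep answering for any zones this server is authoritative for.
    allow-query { any; };
};
```

Because a REFUSED answer still has to be generated, the next step Drew describes is a packet filter on the router or firewall in front of the recursors that drops port 53 traffic from outside the listed prefixes, so the rejected queries never reach named at all.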
