nanog mailing list archives
RE: Open Resolver Problems
From: Jamie Bowden <jamie () photon com>
Date: Tue, 26 Mar 2013 11:50:52 +0000
From: Jared Mauch [mailto:jared () puck nether net]

On Mar 25, 2013, at 2:04 PM, Jay Ashworth <jra () baylink com> wrote:

----- Original Message -----
From: "Jared Mauch" <jared () puck nether net>

Open resolvers pose a security threat.

Could you clarify, here, Jared? Do "open DNS customer-resolver/recursive servers" *per se* cause a problem?

Or is it merely "customer zone servers which are misconfigured to recurse", as has always been problematic? That is: is this just a reminder we never closed the old hole, or notification of some new and much nastier hole?

There have been some moderate size attacks recently that I won't go into detail here about. The IPs that are on the website are certainly being used/abused. A recent attack saw a 90% match rate against the "master list" here. This means your open resolver is likely being used.

I'm just going to jump in here and ask what is probably a silly question, but let's suppose I just happen to have, or have access to, a botnet comprised of (tens of) millions of random hosts all over the internet, and I feel like destroying your DNS servers via DDoS; what's stopping me from just directly querying your servers continuously from said botnet until you melt?

Those machines send you traffic indirectly through open resolvers, or hit you directly, but either way, it's the same number of machines issuing the same number of queries, and you're no less inundated. If your own servers rate limit to protect themselves, you're losing valid traffic, and if they don't, once you melt down, you're losing valid traffic...

Jamie