[106458] in North American Network Operators' Group


Re: Great Suggestion for the DNS problem...?

daemon@ATHENA.MIT.EDU (Florian Weimer)
Tue Jul 29 03:55:54 2008

From: Florian Weimer <fw@deneb.enyo.de>
To: Paul Vixie <vixie@isc.org>
Date: Tue, 29 Jul 2008 09:54:25 +0200
In-Reply-To: <g3hca9scro.fsf@nsa.vix.com> (Paul Vixie's message of "Tue, 29
	Jul 2008 01:24:43 +0000")
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org

* Paul Vixie:

>>> Listen on 200 random fake ports (in addition to the true query ports);

> at first glance, this is brilliant, though with some unimportant nits.

It doesn't work OOTB for most users because the spoofed packets never
reach the name server process if you don't use the ports to send packets
to the authoritative server which is spoofed--the wonders of stateful
firewalling.
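
The mechanism described in this message, as an added illustration that is not part of the original post: a constructed model of a stateful firewall in front of a resolver, counting how many forged replies reach 200 decoy ports when those ports only listen versus when they also send packets to the authoritative server being spoofed. The address, port range, and all names in the code are assumptions made for the example.

```python
# Added illustration (constructed model, not code from the thread).
import random

AUTH = ("192.0.2.53", 53)        # constructed: authoritative server (documentation address)
PORT_RANGE = range(1024, 65536)  # assumption: the resolver's source-port range

class StatefulFirewall:
    """Admits inbound UDP only when it matches a flow opened by an outbound packet."""
    def __init__(self):
        self.flows = set()       # entries: (local_port, remote_ip, remote_port)

    def outbound(self, local_port, remote):
        self.flows.add((local_port, *remote))

    def admits(self, remote, local_port):
        return (local_port, *remote) in self.flows

def decoy_visibility(decoys_send_to_auth, n_decoys=200, seed=2008):
    """Count where forged replies (claimed source AUTH, one per port) end up."""
    rng = random.Random(seed)
    ports = rng.sample(PORT_RANGE, n_decoys + 1)
    true_port, decoys = ports[0], set(ports[1:])

    fw = StatefulFirewall()
    fw.outbound(true_port, AUTH)             # the real query opens one flow
    if decoys_send_to_auth:
        for p in decoys:                     # decoy ports also send to AUTH
            fw.outbound(p, AUTH)

    seen = {"dropped_by_firewall": 0, "reached_decoy": 0, "reached_true_port": 0}
    for dport in PORT_RANGE:
        if not fw.admits(AUTH, dport):
            seen["dropped_by_firewall"] += 1  # never reaches the name server process
        elif dport in decoys:
            seen["reached_decoy"] += 1        # a decoy listener could flag this
        else:
            seen["reached_true_port"] += 1
    return seen

if __name__ == "__main__":
    print("listen-only decoys:", decoy_visibility(False))
    print("decoys that send  :", decoy_visibility(True))
```

In the listen-only case the decoy count is zero because the firewall holds no flow for those ports, so a detector built on them has nothing to observe.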

