[143137] in North American Network Operators' Group


RE: DNS DoS ???

daemon@ATHENA.MIT.EDU (Drew Weaver)
Sat Jul 30 12:34:27 2011

From: Drew Weaver <drew.weaver@thenap.com>
To: "'Dobbins, Roland'" <rdobbins@arbor.net>, NANOG list <nanog@nanog.org>
Date: Sat, 30 Jul 2011 12:33:14 -0400
In-Reply-To: <B618B6AC-BEE8-40B0-9808-062990114681@arbor.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org



-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins@arbor.net]
Sent: Friday, July 29, 2011 6:40 PM
To: NANOG list
Subject: Re: DNS DoS ???

On Jul 30, 2011, at 1:51 AM, Elliot Finley wrote:

> my DNS servers were getting slow so I blocked recursive queries for all but my own network.

This should be the standard practice.  By operating an open recursor, you lend your DNS server to abuse as a contributor to DNS reflection/amplification attacks.

-----------------------------------------------------------------------

And at this point he may as well just ACL in-front of the recursors to prevent the traffic from hitting the servers thus reducing load needed to reject the queries on the servers themselves.

-Drew
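An added example, not part of this thread: a check a recursor operator can run over BIND-style query-log lines to see whether recursion is still being answered for addresses outside their own prefixes, and how much of that is ANY traffic (the query type that gives reflection the biggest amplification). The log lines, the own-network prefixes, and the log format's `+`/`-` recursion-desired flag are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in BIND 9 query-log style. The character after the
# query class is the flags field: "+" = recursion desired, "-" = not.
SAMPLE_LOG = """\
client 192.0.2.10#53120: query: www.example.net IN A + (192.0.2.53)
client 198.51.100.7#4455: query: isc.org IN ANY +E (192.0.2.53)
client 198.51.100.7#4455: query: isc.org IN ANY +E (192.0.2.53)
client 203.0.113.200#2000: query: ripe.net IN ANY +E (192.0.2.53)
client 192.0.2.11#1234: query: mail.example.net IN MX + (192.0.2.53)
client 203.0.113.201#2001: query: example.net IN A - (192.0.2.53)
"""

# Assumed operator prefixes: the only sources that should receive recursion.
OWN_NETWORKS = [ip_network("192.0.2.0/24"), ip_network("2001:db8::/32")]

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN "
    r"(?P<qtype>\S+) (?P<flags>[+-]\S*)"
)

def parse_query(line):
    """Return (ip, name, qtype, recursion_desired), or None if not a query line."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return (m.group("ip"), m.group("name"), m.group("qtype"),
            m.group("flags").startswith("+"))

def is_own(ip):
    """True if the source address falls inside one of our own prefixes."""
    addr = ip_address(ip)
    return any(addr in net for net in OWN_NETWORKS)

def external_recursion(log_text):
    """Per external source: (recursive queries, how many of them were ANY)."""
    totals, anys = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is None:
            continue
        ip, _name, qtype, rd = parsed
        if rd and not is_own(ip):  # recursion requested from outside our nets
            totals[ip] += 1
            if qtype == "ANY":
                anys[ip] += 1
    return {ip: (totals[ip], anys[ip]) for ip in totals}

if __name__ == "__main__":
    for ip, (total, n_any) in sorted(external_recursion(SAMPLE_LOG).items()):
        print(f"{ip}: {total} recursive queries, {n_any} ANY")
```

A non-empty result after the server-side restriction or the upstream ACL is in place means the filter is not covering that source.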


