[143143] in North American Network Operators' Group


Re: DNS DoS ???

daemon@ATHENA.MIT.EDU (Jimmy Hess)
Sat Jul 30 16:09:33 2011

In-Reply-To: <F3318834F1F89D46857972DD4B411D700520368F4C@exchange>
Date: Sat, 30 Jul 2011 15:08:59 -0500
From: Jimmy Hess <mysidia@gmail.com>
To: Drew Weaver <drew.weaver@thenap.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sat, Jul 30, 2011 at 11:33 AM, Drew Weaver <drew.weaver@thenap.com> wrote:

> And at this point he may as well just ACL in-front of the recursors to
> prevent the traffic from hitting the servers thus reducing load needed to
> reject the queries on the servers themselves.
A problem for providers of DNS recursive servers as a hosted service is that
the client sender IP address may be dynamic and off-net. And the DNS protocol
does not provide a method of authentication, or passing credentials from the
client to the server to authorize the use of recursive DNS.

This differs from SMTP. There really is no such thing as a "closed recursive
resolver", except where unwanted queries are blocked by IP.

All we really have is TSIG for such scenarios, and most client resolvers do
not support loading the resolver with a secret key in order to authorize
recursive access.

So it follows that in a number of cases, "closing recursive access" is not a
good option.

A good example would be services such as OpenDNS.

Regards,
--
-JH

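As an added illustration of the two options the mail contrasts (not part of the original post or any NANOG member's configuration), here are BIND 9 named.conf fragments for an open recursor, a recursor "closed" by source-IP ACL, and the TSIG-keyed variant that is the only protocol-level alternative; the ACL prefixes, key name and secret are constructed placeholders, and only one of the two options blocks belongs in a real named.conf.

```conf
// Alternative A: open recursor. Any source address may ask for recursion,
// which is the exposure behind the "DNS DoS" thread.
options {
    recursion yes;
    allow-recursion { any; };
};

// Alternative B: "closed" recursor in the only sense the mail allows,
// i.e. recursion granted by source IP. "customers" is a placeholder ACL.
// A dynamic or off-net client not listed here gets REFUSED, which is the
// problem for a hosted-resolver service such as the one described above.
acl "customers" {
    192.0.2.0/24;      // placeholder customer prefix (documentation range)
    2001:db8::/32;     // placeholder customer prefix (documentation range)
};

// TSIG is the one way to authorize recursion independent of source IP:
// a query signed with this key is accepted from any address. The stub
// resolver has to be able to sign with the shared secret, which, as the
// mail notes, most client resolvers cannot do. Key name and secret are
// placeholders; the secret must be base64 (e.g. output of tsig-keygen).
key "hosted-client" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

options {
    recursion yes;
    // Address match list: listed prefixes OR queries signed with the key.
    allow-recursion   { customers; key "hosted-client"; };
    // Keep cached answers from leaking to sources denied recursion.
    allow-query-cache { customers; key "hosted-client"; };
};
```

Placing the same prefix ACL on a router or firewall in front of the recursors, as the quoted reply suggests, drops the unwanted queries before named has to spend cycles refusing them, but it has the same limitation: it cannot admit a legitimate client whose address is not known in advance.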