[161695] in North American Network Operators' Group
Re: Open Resolver Problems
daemon@ATHENA.MIT.EDU (Nick Hilliard)
Mon Mar 25 12:57:05 2013
X-Envelope-To: nanog@nanog.org
Date: Mon, 25 Mar 2013 16:51:44 +0000
From: Nick Hilliard <nick@foobar.org>
To: ahebert@pubnix.net
In-Reply-To: <51507CCA.60901@pubnix.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 25/03/2013 16:35, Alain Hebert wrote:
> That might be just me, but I find those peers allowing their
> customers to spoof source IP addresses more at fault.
That is equally stupid and bad.
> PS: Some form of adaptive rate limitation works for it btw =D
No, it doesn't. In order to ensure that your resolver clients are serviced
properly, you need to keep the DNS query rate high enough that if someone
has a large bcp38-enabled botnet, they can trash the hell out of whoever
they want.
The best solution is to disable open recursion completely, and police your
clients regularly.
Nick
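The "police your clients regularly" advice above can be automated with a small open-recursion check. The script below is an added example, not code from the thread or from Nick; it sends one recursion-desired query to a resolver you operate (the resolver address, the query name `example.com` and the transaction id are assumed values) and classifies the reply from its header flags, so a REFUSED reply or a cleared RA bit means recursion is not offered, while a set RA bit means the server recursed for an arbitrary client.

```python
import socket
import struct

TXID = 0x1234  # constructed transaction id used by both the query and the tests


def build_query(qname: str, txid: int = TXID) -> bytes:
    """Build a minimal DNS A/IN query with the RD (recursion desired) bit set."""
    # header: id, flags=0x0100 (RD=1), qdcount=1, ancount/nscount/arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.strip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(resp: bytes, txid: int = TXID) -> str:
    """Classify a raw DNS reply as 'open', 'closed', 'no-match' or 'malformed'."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        return "no-match"          # reply to some other query; ignore it
    rcode = flags & 0x000F
    if rcode == 5:
        return "closed"            # REFUSED: recursion not offered to this source
    ra = bool(flags & 0x0080)      # RA bit: server states it will recurse for us
    return "open" if ra else "closed"


def probe(resolver_ip: str, qname: str = "example.com", timeout: float = 2.0) -> str:
    """Send one recursive query to a resolver you operate and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname), (resolver_ip, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "no-response"   # filtered or dead; not evidence of open recursion
    return classify_response(data)


if __name__ == "__main__":
    import sys
    for ip in sys.argv[1:]:     # e.g. python check.py 192.0.2.53 (assumed address)
        print(ip, probe(ip))
```

Run it against your own recursive servers from an address outside your allow-recursion ranges; anything reported as "open" still answers for the whole Internet.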