[161704] in North American Network Operators' Group
Re: Open Resolver Problems
daemon@ATHENA.MIT.EDU (Måns Nilsson)
Mon Mar 25 16:51:16 2013
Date: Mon, 25 Mar 2013 21:51:06 +0100
From: Måns Nilsson <mansaxel@besserwisser.org>
To: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <BFA88EE5-D1BD-4624-96A3-7FEF762E242E@hopcount.ca>
Cc: nanog@nanog.org, ahebert@pubnix.net
Date: Mon, Mar 25, 2013 at 12:45:40PM -0400 Quoting Joe Abley (jabley@hopcount.ca):
>
> DNS servers (recursive and authoritative-only) are the low-hanging fruit du jour. I agree that there are many other effective amplifiers, and that even maximum DNS hygiene will not make the wider problem go away.
>
> A quick note on your final comment, though: whilst adaptive response rate limiting (so-called RRL) is fast developing into an effective mitigation for reflection attacks against authority-only servers, there is far less experience with traffic patterns or the effects of rate-limiting (using RRL or anything else) on recursive servers.
>
> The best advice for operation of recursive servers remains "restrict access to legitimate clients", not "apply rate-limiting".
Twice agree. I try to have ::1 as resolver on my server machines that
are in a position to be used, and only accept queries on ::1. Takes care
of access control nicely.
For auth servers, those serving DNSSEC records are especially attractive
as amplifiers. At the moment, I'd have a hard time defending unrestricted
query rates on auth servers if they serve DNSSEC.
I've successfully applied the Redbarn patches to my BIND, and I expect
the NSD rate-control to be of similar quality, or better.
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
BELA LUGOSI is my co-pilot ...
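The two pieces of advice in this exchange (lock a recursive server to its own host; rate-limit responses on a DNSSEC-serving authoritative server) written out as BIND 9 `named.conf` fragments. This is an added illustration, not configuration posted by either author; the directory, zone name and zone file are placeholders, the three `options` blocks are alternatives (one per server role, never all in one file), and the `rate-limit` block assumes a BIND build with RRL support.

```conf
// --- 1. Recursive resolver, the weak setting: answers any source
//        address, so spoofed queries turn it into a reflector.
options {
    directory "/var/named";             // placeholder path
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };           // open resolver
};

// --- 2. Recursive resolver, hardened as described in the reply:
//        bound to loopback only, so no off-host client can reach it.
options {
    directory "/var/named";
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };              // resolver address in /etc/resolv.conf is ::1
    recursion yes;
    allow-query { localhost; };
    allow-recursion { localhost; };
};

// --- 3. Authoritative-only server for a DNSSEC-signed zone:
//        its data is public, so access control is not the tool;
//        RRL caps identical responses per client network instead.
options {
    directory "/var/named";
    recursion no;                       // never resolve on behalf of clients
    allow-query { any; };
    allow-recursion { none; };
    rate-limit {
        responses-per-second 5;         // identical answers per second per /24 (IPv4) or /56 (IPv6)
        window 5;                       // seconds of credit a client may accumulate
        slip 2;                         // every 2nd dropped reply is sent truncated (TC=1),
                                        // so a real client retries over TCP and is not cut off
        log-only no;                    // set to yes first to measure before enforcing
    };
};

zone "example.com" {                    // placeholder zone
    type master;
    file "example.com.signed";          // placeholder, output of dnssec-signzone
};
```

Run with `log-only yes` for a while and watch the `rate-limit` log category before enforcing, so legitimate query bursts from large recursive resolvers are not misclassified.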