[161852] in North American Network Operators' Group


Re: Open Resolver Problems

daemon@ATHENA.MIT.EDU (Joe Abley)
Wed Mar 27 15:04:17 2013

From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <62572589-280D-4155-B785-1D6960430FC1@puck.nether.net>
Date: Wed, 27 Mar 2013 15:03:17 -0400
To: Jared Mauch <jared@puck.nether.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On 2013-03-27, at 14:52, Jared Mauch <jared@puck.nether.net> wrote:

> I am very concerned about examples such as this possibly being
> implemented by a well-intentioned sysadmin or neteng type without
> understanding their query load and patterns.  bind with the rrl patch
> does log when things are happening.  While the data is possible to
> extract from iptables, IMHO it's not quite as easy to audit as a syslog.

For an authoritative-only server, people can expect coarse rate-limits
such as those quoted earlier with iptables to give false positives and
to reject legitimate queries. RRL is far safer.

For a recursive server, I agree you need a much better understanding of
your traffic patterns before you try something like the iptables
example. Dropping queries from your own clients' stub resolvers has an
immediate support cost. You *really* don't want false positives, there.


Joe
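
The false-positive argument made in this message, worked through as an added simulation (this is not code from the thread, from BIND, or from the RRL patch): a coarse per-source packet cap of the kind an iptables rule enforces is compared with a simplified BIND-style Response Rate Limit on one second of constructed authoritative traffic. The addresses, names, rates and the 1-second fixed window are assumptions chosen for the illustration; real RRL also has slip/TC behaviour and per-rcode limits that are left out. The `log_only` mode mirrors the point about auditing what RRL would do before enforcing it.

```python
"""Coarse per-source rate limit (iptables-style) vs. BIND-style RRL
on an authoritative DNS server. Constructed example: every address,
name and rate below is made up for the illustration."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Query:
    t: float      # arrival time in seconds
    src: str      # source address as seen on the wire (may be spoofed)
    qname: str
    qtype: str
    rcode: str    # what the authoritative server would answer


class CoarseSourceLimiter:
    """Cap packets per source address per one-second window.

    This is the shape of an iptables hashlimit rule keyed on source IP:
    it never looks at what is being asked or what would be answered."""

    def __init__(self, pps):
        self.pps = pps
        self.counts = defaultdict(int)

    def allow(self, q):
        key = (q.src, int(q.t))
        self.counts[key] += 1
        return self.counts[key] <= self.pps


class ResponseRateLimiter:
    """Simplified RRL: cap *identical responses* per client prefix per
    window. Distinct answers to one busy client do not count against
    each other, so a legitimate high-volume resolver is left alone.
    With log_only=True nothing is dropped; would-be drops are recorded,
    which is how an operator audits the limit before turning it on."""

    def __init__(self, responses_per_second, prefix_len=24, log_only=False):
        self.rps = responses_per_second
        self.prefix_len = prefix_len
        self.log_only = log_only
        self.counts = defaultdict(int)
        self.log = []

    def allow(self, q):
        client = ip_network(f"{q.src}/{self.prefix_len}", strict=False)
        key = (client, q.qname, q.qtype, q.rcode, int(q.t))
        self.counts[key] += 1
        if self.counts[key] <= self.rps:
            return True
        self.log.append(f"limit {q.rcode} response to {client} "
                        f"for {q.qname}/{q.qtype}")
        return self.log_only


LEGIT_RESOLVER = "198.51.100.10"   # a busy ISP recursive resolver (constructed)
VICTIM = "203.0.113.7"             # forged source of a reflection attack (constructed)


def build_traffic():
    """One second of traffic: 40 distinct lookups from the busy resolver
    and 40 identical ANY queries carrying the victim's forged address."""
    legit = [Query(i / 40, LEGIT_RESOLVER, f"host{i}.example.", "A", "NOERROR")
             for i in range(40)]
    attack = [Query(i / 40, VICTIM, "example.", "ANY", "NOERROR")
              for i in range(40)]
    return sorted(legit + attack, key=lambda q: q.t)


def evaluate(limiter, queries, legit_sources):
    """Count how many legitimate and how many attack queries the limiter refused."""
    dropped = {"legit": 0, "attack": 0}
    for q in queries:
        if not limiter.allow(q):
            dropped["legit" if q.src in legit_sources else "attack"] += 1
    return dropped


if __name__ == "__main__":
    traffic = build_traffic()
    legit = {LEGIT_RESOLVER}
    print("coarse per-source 10 pps:",
          evaluate(CoarseSourceLimiter(pps=10), traffic, legit))
    print("RRL 10 responses/s      :",
          evaluate(ResponseRateLimiter(responses_per_second=10), traffic, legit))
    audit = ResponseRateLimiter(responses_per_second=10, log_only=True)
    evaluate(audit, traffic, legit)
    print("RRL log-only would have limited", len(audit.log), "responses")
```

With the same 10-per-second threshold, the coarse limiter refuses 30 of the resolver's 40 legitimate queries along with 30 attack queries, because it only sees "many packets from one address"; the RRL variant refuses the same 30 attack queries and none of the legitimate ones, because each legitimate query produces a different response. The log-only run shows how the 30 would-be limits can be reviewed before any query is actually dropped.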

