[161873] in North American Network Operators' Group


Re: Open Resolver Problems

daemon@ATHENA.MIT.EDU (Tony Finch)
Wed Mar 27 17:56:07 2013

Date: Wed, 27 Mar 2013 21:49:17 +0000
From: Tony Finch <dot@dotat.at>
To: Jack Bates <jbates@brightok.net>
In-Reply-To: <51530632.3020402@brightok.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Jack Bates <jbates@brightok.net> wrote:

> You'll also find that [DNS RRL] serves little purpose.

In my experience it works extremely well. Yes, it is possible to work
around it, but you still need to stop the attacks that are happening now.
It is good to make the attacker's job harder.

> 1) tcp

RRL pushes legitimate clients to TCP if they get muddled up with attack
traffic.

> 2) require all requests to pad out to maximum response

I expect that is as easy to deploy as BCP38, IPv6, and DNSSEC.

> 3) BCP38 (in spirit)

That should be deployed as well as RRL.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
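As an added illustration of the mechanism the reply above relies on (response rate limiting answering a share of over-limit queries with a truncated reply so that a legitimate client falls back to TCP, while spoofed UDP floods get no amplification), here is a simplified Python model. It is not code from this thread, from BIND, or from any other nameserver; the bucket key (client /24, query name, rcode), the per-second budget, the "slip" ratio and the 192.0.2.0/24 addresses are constructed assumptions chosen for the example.

```python
"""Simplified model of DNS Response Rate Limiting (RRL).

Added illustration only; not code from the NANOG thread or from any
resolver.  The idea modelled: responses are counted per
(client network, query name, response code) bucket for each one-second
window.  Once a bucket exceeds its budget the server drops the answer,
except that every `slip`-th over-limit answer is sent as a minimal
TC=1 (truncated) reply.  A real client that sees TC=1 retries over TCP,
which a spoofed source cannot do, so the flood's amplification is gone
while the legitimate client still gets its answer.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network

DNS_HEADER_LEN = 12  # fixed DNS message header size in bytes


@dataclass(frozen=True)
class Response:
    client: str            # source address the query claimed to come from
    qname: str
    size: int              # bytes of the full UDP answer
    rcode: str = "NOERROR"


def truncated_size(qname):
    """Wire size of a TC=1 reply carrying only the header and question."""
    labels = qname.rstrip(".").split(".")
    name_len = sum(len(label) + 1 for label in labels) + 1  # labels + root
    return DNS_HEADER_LEN + name_len + 4                      # + qtype/qclass


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.limit = responses_per_second   # constructed budget per bucket
        self.slip = slip                    # 1 in `slip` over-limit answers truncated
        self.prefix_len = prefix_len        # aggregate clients per /24 (assumption)
        self._sent = defaultdict(int)       # (window, key) -> responses sent
        self._over = defaultdict(int)       # (window, key) -> over-limit count

    def _key(self, resp):
        net = ip_network(f"{resp.client}/{self.prefix_len}", strict=False)
        return (str(net), resp.qname.lower().rstrip("."), resp.rcode)

    def decide(self, resp, now):
        """Return (action, bytes_on_wire) for one would-be response."""
        bucket = (int(now), self._key(resp))
        if self._sent[bucket] < self.limit:
            self._sent[bucket] += 1
            return ("send", resp.size)
        self._over[bucket] += 1
        if self.slip and self._over[bucket] % self.slip == 0:
            return ("truncate", truncated_size(resp.qname))
        return ("drop", 0)


def simulate(limiter, responses, now=0.0):
    """Tally actions and bytes emitted; limiter=None means no RRL at all."""
    totals = {"send": 0, "truncate": 0, "drop": 0, "bytes_out": 0}
    for resp in responses:
        action, nbytes = limiter.decide(resp, now) if limiter else ("send", resp.size)
        totals[action] += 1
        totals["bytes_out"] += nbytes
    return totals


def spoofed_flood(n, qname="example.com", size=3000):
    # Constructed sample: n queries with spoofed sources spread across one
    # /24, all asking for the same large answer.
    return [Response(f"192.0.2.{i % 254 + 1}", qname, size) for i in range(n)]


if __name__ == "__main__":
    flood = spoofed_flood(100)
    print("without RRL:", simulate(None, flood))
    print("with RRL   :", simulate(ResponseRateLimiter(), flood))
```

Keying on the /24 rather than the exact address is what stops a sender from sidestepping the limit by rotating the last octet of the spoofed source; the cost is that a busy legitimate recursive resolver sharing that /24 with attack traffic will see TC=1 replies and retry over TCP, which is the behaviour the reply above describes.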

