[162029] in North American Network Operators' Group
FW: Open Resolver Problems
daemon@ATHENA.MIT.EDU (Milt Aitken)
Mon Apr 1 11:55:48 2013
Date: Mon, 1 Apr 2013 11:55:34 -0400
From: "Milt Aitken" <milt@net2atlanta.com>
To: <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Most of our DSL customers have modem/routers that resolve DNS externally.
And most of those have no configuration option to stop it.
So, we took the unfortunate step of ACL blocking DNS requests to & from the DSL network unless the requests are to our DNS servers.
Suboptimal, but it stopped the DNS amplification attacks.
-----Original Message-----
From: Mikael Abrahamsson [mailto:swmike@swm.pp.se]
Sent: Monday, April 01, 2013 11:51 AM
To: Chris Boyd
Cc: nanog@nanog.org
Subject: Re: Open Resolver Problems
On Mon, 1 Apr 2013, Chris Boyd wrote:
> Just back to the office, and started checking my networks. Found one of
> the resolvers is a Netgear SOHO NAT box. EoL'd, no new firmware
> available. Anyone have any feeling for what percentage are these types
> of boxes?
If you by "type of box" mean "small SOHO NAT router which does DNS
resolving on the WAN interface" then I'd say "a lot". Someone does a
rollout of new software and configuration and happens to mess up the
config file (or the vendor just happens to enable global dns resolving in
the new software) and this slips through testing, then you're there. I
believe this happens all the time.
That's why the publication of these lists is important; in a lot of cases
there are a lot of people who are simply not aware of these devices doing
this, and they need to be poked to notice.
-- 
Mikael Abrahamsson    email: swmike@swm.pp.se
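Milt's ACL policy (DNS to or from the DSL network only when the other end is an ISP resolver) and Mikael's point that operators often do not know their CPE is answering DNS on the WAN side can both be checked against flow records. The Python below is an added example, not code from either poster or from NANOG; the DSL prefix, resolver addresses and flow records are constructed values, and the flow format (src,dst,proto,sport,dport,bytes) is assumed.

```python
import ipaddress
from collections import defaultdict

# Assumed, constructed values: the DSL customer prefix and the ISP's own recursive resolvers.
DSL_NET = ipaddress.ip_network("192.0.2.0/24")
ISP_RESOLVERS = {ipaddress.ip_address("198.51.100.53"), ipaddress.ip_address("198.51.100.54")}

# Constructed flow records: src,dst,proto,sport,dport,bytes. Hosts .77 and .78 are CPE
# answering DNS from the Internet side with large responses (amplification pattern).
SAMPLE_FLOWS = """\
192.0.2.10,198.51.100.53,udp,51234,53,70
198.51.100.53,192.0.2.10,udp,53,51234,120
203.0.113.9,192.0.2.77,udp,53,53,64
192.0.2.77,203.0.113.9,udp,53,53,3200
203.0.113.9,192.0.2.78,udp,9999,53,64
192.0.2.78,203.0.113.9,udp,53,9999,3100
192.0.2.10,203.0.113.50,tcp,40000,443,900
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        src, dst, proto, sport, dport, nbytes = line.split(",")
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      proto, int(sport), int(dport), int(nbytes)))
    return flows

def acl_permits(flow, dsl_net=DSL_NET, resolvers=ISP_RESOLVERS):
    """The policy from the post: DNS (port 53 either side) touching the DSL network is
    allowed only when the other endpoint is an ISP resolver; non-DNS traffic is untouched."""
    src, dst, _proto, sport, dport, _nbytes = flow
    if sport != 53 and dport != 53:
        return True
    if src in dsl_net:
        return dst in resolvers
    if dst in dsl_net:
        return src in resolvers
    return True  # flow does not involve the DSL network at all

def find_open_resolvers(flows, dsl_net=DSL_NET, resolvers=ISP_RESOLVERS):
    """Flag DSL hosts answering UDP/53 toward the Internet and report bytes out / bytes in,
    the amplification factor an attacker would get from that device."""
    bytes_in, bytes_out = defaultdict(int), defaultdict(int)
    for src, dst, proto, sport, dport, nbytes in flows:
        if proto != "udp":
            continue
        if dport == 53 and dst in dsl_net and src not in dsl_net and src not in resolvers:
            bytes_in[dst] += nbytes    # query from outside to a customer device
        elif sport == 53 and src in dsl_net and dst not in dsl_net and dst not in resolvers:
            bytes_out[src] += nbytes   # customer device answering toward the Internet
    return {str(h): round(bytes_out[h] / bytes_in[h], 1) if bytes_in[h] else float("inf")
            for h in bytes_out}
```

Running `find_open_resolvers(parse_flows(SAMPLE_FLOWS))` names the two CPE hosts with roughly 50x amplification, and `acl_permits` shows the same flows are exactly the ones Milt's ACL drops while customer-to-ISP-resolver lookups still pass.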