[162030] in North American Network Operators' Group


Re: Open Resolver Problems

daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Mon Apr 1 12:04:10 2013

From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <A7B8F84D333A7948AB7F860A8A68E25D0137BFCE@terminator.net2atlanta.local>
Date: Mon, 1 Apr 2013 12:03:53 -0400
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Apr 01, 2013, at 11:55 , "Milt Aitken" <milt@net2atlanta.com> wrote:

> Most of our DSL customers have modem/routers that resolve DNS
> externally.
> And most of those have no configuration option to stop it.
> So, we took the unfortunate step of ACL blocking DNS requests to & from
> the DSL network unless the requests are to our DNS servers.
>
> Suboptimal, but it stopped the DNS amplification attacks.

I was going to suggest exactly this.

Don't most broadband networks have a line in their AUP about running
servers? Wouldn't a DNS server count as 'a server'? Then wouldn't
running one violate the AUP?

This gives the provider a hammer to hit the user over the head. That is
quite unlikely, though, so the better point is that it also gives the
provider cover in case some user complains about the provider filtering.

You can always make an exception if the user is extremely loud.

-- 
TTFN,
patrick


> -----Original Message-----
> From: Mikael Abrahamsson [mailto:swmike@swm.pp.se]
> Sent: Monday, April 01, 2013 11:51 AM
> To: Chris Boyd
> Cc: nanog@nanog.org
> Subject: Re: Open Resolver Problems
>
> On Mon, 1 Apr 2013, Chris Boyd wrote:
>
>> Just back to the office, and started checking my networks.  Found one of
>> the resolvers is a Netgear SOHO NAT box.  EoL'd, no new firmware
>> available.  Anyone have any feeling for what percentage are these types
>> of boxes?
>
> If by "type of box" you mean "small SOHO NAT router which does DNS
> resolving on the WAN interface" then I'd say "a lot". Someone does a
> rollout of new software and configuration and happens to mess up the
> config file (or the vendor just happens to enable global dns resolving in
> the new software) and this slips through testing, then you're there. I
> believe this happens all the time.
>
> That's why the publication of these lists is important; in a lot of cases
> there are a lot of people who are simply not aware of these devices doing
> this, and they need to be poked to notice.
>
> -- 
> Mikael Abrahamsson    email: swmike@swm.pp.se
>
>

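The two mechanics this thread turns on, the recursive query that a CPE box answering DNS on its WAN side will happily serve (what the published open-resolver lists are built from) and the access list Milt describes, as an added example written for this archive page rather than code from any of the posters. Everything in it is constructed for illustration: the TEST-NET prefix standing in for the DSL block, the two provider resolver addresses, the sample reply, and the function names.

```python
"""Added example: probe logic for an open resolver and the DSL-side DNS ACL.
All addresses, names and the sample reply are constructed; none come from
the thread."""
import ipaddress
import struct

# --- DNS wire format, just enough of RFC 1035 to build and read a message --

def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels, terminated by a zero label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, qtype: int = 255, qid: int = 0x1234) -> bytes:
    """Recursion-desired query. qtype 255 (ANY) is the classic amplifier:
    a 29-byte question can pull back a reply of a kilobyte or more."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_reply(query: bytes, rdatas: list, rcode: int = 0, ra: bool = True) -> bytes:
    """Constructed reply: echo the question, then one TXT-type RR per rdata
    blob, each using a compression pointer (0xC00C) back to the qname."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = (0x8180 if ra else 0x8100) | rcode            # QR=1, RD=1, RA per arg
    header = struct.pack("!HHHHHH", qid, flags, 1, len(rdatas), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 3600, len(rd)) + rd
                   for rd in rdatas)
    return header + query[12:] + rrs

def parse_header(pkt: bytes) -> dict:
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": qid, "qr": (flags >> 15) & 1, "ra": (flags >> 7) & 1,
            "rcode": flags & 0xF, "ancount": an}

def is_open_resolver(query: bytes, reply: bytes) -> bool:
    """What the scanners behind the published lists check: a box that
    answers a recursive query from the WAN with RA=1 and NOERROR is open.
    REFUSED (rcode 5) with RA=0 is the healthy answer."""
    q, r = parse_header(query), parse_header(reply)
    return (r["id"] == q["id"] and r["qr"] == 1
            and r["ra"] == 1 and r["rcode"] == 0)

def amplification_factor(query: bytes, reply: bytes) -> float:
    """Bytes the victim receives per spoofed byte the attacker sends."""
    return len(reply) / len(query)

# --- Milt's access list, as a decision function ---------------------------

DSL_NET = ipaddress.ip_network("192.0.2.0/24")            # assumed customer block
PROVIDER_RESOLVERS = {ipaddress.ip_address("198.51.100.53"),   # assumed
                      ipaddress.ip_address("198.51.100.54")}

def acl_permits(src: str, sport: int, dst: str, dport: int) -> bool:
    """DNS to or from the DSL block is only allowed when the far end is one
    of the provider's resolvers; anything that is not UDP/53 is untouched.
    A spoofed query aimed at a customer CPE, and the CPE's amplified reply
    back to the spoofed victim, are both dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if 53 not in (sport, dport):
        return True                          # rule only concerns DNS
    if s in DSL_NET:
        return d in PROVIDER_RESOLVERS       # query or reply leaving the DSL side
    if d in DSL_NET:
        return s in PROVIDER_RESOLVERS       # query or reply entering the DSL side
    return True                              # neither end is DSL; not this ACL's job

if __name__ == "__main__":
    q = build_query("example.net")
    big = build_reply(q, [b"x" * 200] * 6)   # constructed, ANY-style fat answer
    print("open resolver:", is_open_resolver(q, big),
          "amplification: %.1fx" % amplification_factor(q, big))
    print("spoofed query to CPE permitted:",
          acl_permits("203.0.113.9", 53, "192.0.2.10", 53))
```

The ACL function is deliberately symmetric: blocking only inbound port-53 traffic would stop the spoofed queries but leave any already-queued replies and TCP fallbacks unaddressed, while blocking only outbound would let the CPE keep being probed and listed. The probe side is the same test the open-resolver scanners apply, so running `is_open_resolver` against your own address space from outside is the quickest way to find the EoL'd boxes Chris describes before someone else's list does.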

