[162054] in North American Network Operators' Group


Re: Open Resolver Problems

daemon@ATHENA.MIT.EDU (Jared Mauch)
Mon Apr 1 16:25:54 2013

From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <20130401201931.GT55976@burnout.tpb.net>
Date: Mon, 1 Apr 2013 16:23:57 -0400
To: Niels Bakker <niels=nanog@bakker.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Apr 1, 2013, at 4:19 PM, Niels Bakker <niels=nanog@bakker.net> wrote:

>> On Apr 01, 2013, at 11:55 , "Milt Aitken" <milt@net2atlanta.com> wrote:
>>> Most of our DSL customers have modem/routers that resolve DNS externally.
>>> And most of those have no configuration option to stop it.
>>> So, we took the unfortunate step of ACL blocking DNS requests to & from the DSL network unless the requests are to our DNS servers.
>>>
>>> Suboptimal, but it stopped the DNS amplification attacks.
>
> Wow.  Glad I'm not a customer of yours.

I would say this is the wrong solution.  Preventing your customers from spoofing is the first step, then ask them to fix their broken CPE.

If NETGEAR is listening on the WAN side vs the LAN/INSIDE they need to step up and issue fixed firmware, even if the device is older.  Should be a simple fix.


> * patrick@ianai.net (Patrick W. Gilmore) [Mon 01 Apr 2013, 18:04 CEST]:
>> I was going to suggest exactly this.
>>
>> Don't most broadband networks have a line in their AUP about running servers?
>
> Huh?  No.  Thankfully.  Not all of us are mindless consumers.

I think it's easier to just classify an open-resolver similar to an open-relay without having to invoke the consumer mindset.

- Jared
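Before asking customers to fix their CPE, an operator needs to know which ones are answering DNS on the WAN side. The following is an added example, not code from this thread: it walks NetFlow-style records and flags customer addresses whose port-53 responses to off-net hosts dwarf the query bytes that came in. The DSL pool, the sample flows and the thresholds are constructed.

```python
"""Flag DSL customer addresses that behave like abused open resolvers.

Input: constructed NetFlow-style UDP records (src, sport, dst, dport, bytes, pkts).
A CPE answering on its WAN side shows up as traffic *from* customer:53 toward
off-net destinations, carrying far more bytes than the queries that arrived.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

CUSTOMER_NET = ip_network("192.0.2.0/24")  # constructed DSL customer pool

# Constructed sample flows: src, sport, dst, dport, bytes, pkts
SAMPLE_FLOWS = [
    # legitimate: customer .20 queries the ISP resolver and gets a small answer
    ("192.0.2.20", 51234, "198.51.100.10", 53, 70, 1),
    ("198.51.100.10", 53, "192.0.2.20", 51234, 180, 1),
    # abuse: spoofed queries hit CPE .77 on port 53, large answers leave for the victim
    ("203.0.113.9", 4444, "192.0.2.77", 53, 64 * 500, 500),
    ("192.0.2.77", 53, "203.0.113.9", 4444, 3000 * 500, 500),
    # customer .40 answered a single stray query with a tiny response (below threshold)
    ("203.0.113.50", 40000, "192.0.2.40", 53, 64, 1),
    ("192.0.2.40", 53, "203.0.113.50", 40000, 90, 1),
]


def find_open_resolvers(flows, min_ratio=5.0, min_resp_bytes=100_000):
    """Return {customer_ip: (amplification_ratio, response_bytes)} for suspects."""
    q_in = defaultdict(int)   # bytes of queries arriving at customer:53 from off-net
    r_out = defaultdict(int)  # bytes of answers leaving customer:53 toward off-net
    for src, sport, dst, dport, nbytes, _pkts in flows:
        s, d = ip_address(src), ip_address(dst)
        if d in CUSTOMER_NET and dport == 53 and s not in CUSTOMER_NET:
            q_in[str(d)] += nbytes
        elif s in CUSTOMER_NET and sport == 53 and d not in CUSTOMER_NET:
            r_out[str(s)] += nbytes
    suspects = {}
    for cust, resp in r_out.items():
        ratio = resp / max(q_in[cust], 1)  # avoid divide-by-zero on unsolicited answers
        if resp >= min_resp_bytes and ratio >= min_ratio:
            suspects[cust] = (round(ratio, 1), resp)
    return suspects


if __name__ == "__main__":
    for ip, (ratio, resp) in find_open_resolvers(SAMPLE_FLOWS).items():
        print(f"{ip}: {resp} response bytes, amplification x{ratio}")
```

Feed it real flow exports (one tuple per UDP flow) and tune the thresholds to your traffic; the flagged list is the set of customers to contact about their CPE.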

