[73170] in North American Network Operators' Group


Re: Domain Name System protection

daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Mon Aug 16 01:29:22 2004

Date: Mon, 16 Aug 2004 10:59:16 +0530
From: Suresh Ramasubramanian <suresh@outblaze.com>
To: Joe Shen <joe_hznm@yahoo.com.sg>
Cc: nanog@merit.edu
In-Reply-To: <20040816045729.65913.qmail@web90007.mail.scd.yahoo.com>
Errors-To: owner-nanog-outgoing@merit.edu


Joe Shen wrote:
> We noticed there are continuous name resolution requests
> from IP addresses outside of our address pool and also
> there are requests not conforming to DNS documents (
> like those from 10/8, 192.168/16 or something for
> microsoft proxy server name). We think these requests
> waste our resource and we don't want these systems
> stable, secure and high performance. 

If the resolver caches are only supposed to be accessed from your IP 
space, I am sure you can easily throw in a router ACL to accept 
connections on port 53 only from these IPs.

Oh, and filter out bogons at your borders while you are at it (like for 
example RFC 1918 source addresses from outside your network).

	srs
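The two measures in the reply above (port 53 only from your own address space, and RFC 1918 / martian sources dropped at the edge) expressed as a checkable policy. This is an added example, not code from the thread or from any NANOG participant: the "own" prefixes are placeholder documentation ranges, the query-log lines are constructed in roughly BIND's query-log shape, and the output is an nftables ruleset for the resolver host itself rather than the router ACL the reply suggests (same logic, different enforcement point). The martian list is only the fixed part of a bogon list; unallocated space is a larger list that changes over time.

```python
"""Source-address policy for a caching resolver: own space on port 53, martians dropped."""
import ipaddress
import re
from collections import Counter

# Assumed (placeholder) customer address pool; RFC 5737 documentation ranges.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Source ranges that never legitimately arrive from outside: RFC 1918 private
# space plus other well-known "martian" ranges. IPv4 only, as in the thread.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def classify(src: str) -> str:
    """Return 'own', 'martian' or 'external' for a query source address."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in OWN_PREFIXES):
        return "own"
    if any(addr in net for net in MARTIANS):
        return "martian"
    return "external"


# Constructed sample lines in the shape of a BIND query log (not real traffic).
SAMPLE_LOG = """\
client 203.0.113.7#40123: query: www.example.com IN A
client 10.0.0.5#1234: query: wpad.example.com IN A
client 192.168.1.20#5353: query: proxy.example.com IN A
client 198.51.100.9#33000: query: mail.example.com IN MX
client 8.8.4.4#53: query: example.com IN ANY
"""

LINE_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")


def summarize(log: str) -> Counter:
    """Count query sources per class, to size the problem before filtering."""
    counts: Counter = Counter()
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[classify(m.group(1))] += 1
    return counts


def nft_ruleset() -> str:
    """Render the policy as an nftables ruleset for the resolver host.

    Assumption: the resolver runs Linux with nftables. The same two rules on
    a border router would be the router ACL the reply describes."""
    own = ", ".join(str(n) for n in OWN_PREFIXES)
    bad = ", ".join(str(n) for n in MARTIANS)
    return f"""\
table inet dns_acl {{
    set own_space {{ type ipv4_addr; flags interval; elements = {{ {own} }} }}
    set martians  {{ type ipv4_addr; flags interval; elements = {{ {bad} }} }}
    chain input {{
        type filter hook input priority 0; policy accept;
        # martian sources are dropped regardless of port (counted, so you can see them)
        iifname != "lo" ip saddr @martians counter drop
        # port 53, UDP and TCP, only from our own address space
        ip saddr @own_space udp dport 53 accept
        ip saddr @own_space tcp dport 53 accept
        udp dport 53 counter drop
        tcp dport 53 counter drop
    }}
}}
"""


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(nft_ruleset())
```

Two caveats before applying something like this. If the same hosts are also authoritative for public zones, the port 53 restriction cannot be used as written, since authoritative service must answer everyone; restrict recursion instead (for example BIND's allow-recursion) and keep only the martian drop. And the 10/8 and 192.168/16 sources the original poster sees may be coming from inside the network rather than the Internet (a NAT or host misconfiguration); the `counter` on the drop rules is there so that can be checked from the hit counts before anyone concludes the traffic is external.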
