[88940] in North American Network Operators' Group


Re: DNS deluge for x.p.ctrc.cc

daemon@ATHENA.MIT.EDU (Chris Adams)
Fri Feb 24 19:58:40 2006

Date: Fri, 24 Feb 2006 18:58:12 -0600
From: Chris Adams <cmadams@hiwaay.net>
To: NANOG <nanog@merit.edu>
Mail-Followup-To: Chris Adams <cmadams@hiwaay.net>,
	NANOG <nanog@merit.edu>
In-Reply-To: <Pine.GSO.4.62.0602241629470.21514@qentba.nf23028.arg>
Errors-To: owner-nanog@merit.edu


Once upon a time, Rob Thomas <robt@cymru.com> said:
> Limit recursion to trusted netblocks and customers.  Do not permit
> your name servers to provide recursion for the world.  If you do,
> you will contribute to one of these attacks.

One thing to note: we've discovered that on some common DSL routers, the
internal DNS caching server is on by default and answers requests on the
outside IP address.  IIRC some even do it when configured for NAT.

So, even when you disable outside recursion, things you may not think of
on the inside of your network may still allow outside DNS recursion.

-- 
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
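As an added example (not from Chris's post, nor NANOG's or any vendor's code), here is a small Python self-check for the situation he describes: send one recursive query to your own outside address (a DSL router's WAN IP, for instance) and classify the reply by its header flags, so you can confirm that recursion really is refused from the outside. The function names and the sample replies are assumptions constructed for illustration.

```python
import socket
import struct

# Added example: classify a resolver's answer to a single recursive query.
# Header layout: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035).

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = qname.strip(".").split(".")
    wire_name = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + wire_name + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(resp: bytes) -> str:
    """Return 'refused', 'open-recursive', 'recursion-unavailable' or 'error'."""
    if len(resp) < 12:
        return "error"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    qr = flags & 0x8000       # set on replies
    ra = flags & 0x0080       # recursion available
    rcode = flags & 0x000F    # 0 = NOERROR, 5 = REFUSED
    if not qr:
        return "error"
    if rcode == 5:
        return "refused"      # recursion denied to this client: what you want from outside
    if ra and rcode == 0 and ancount > 0:
        return "open-recursive"  # it resolved the name for this vantage point
    if not ra:
        return "recursion-unavailable"
    return "error"

def probe(server_ip: str, qname: str = "example.com", timeout: float = 3.0) -> str:
    """Send one query over UDP/53 to server_ip and classify the reply ('timeout' if none)."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "timeout"
    return classify_response(data)

# Constructed sample replies (headers only; enough for the classifier):
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR RD RA, NOERROR, 1 answer
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR RD, REFUSED
NONREC_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 0, 0)   # QR RD, RA clear, no answer
```

Run `probe("<your outside IP>")` from a host outside your network; anything other than "refused", "recursion-unavailable" or "timeout" means the box still recurses for strangers.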
