DNS DoS ???
On Aug 1, 2011, at 7:42 AM, Mark Andrews wrote:
> Named already takes proper precautions by default. Recursive service is limited to directly connected networks by default. The default
> was first changed in 9.4 (2007) which is about to go end-of-life once the final wrap up release is done.
This alone isn't enough. There are quite a few other things folks must do from an architectural and operational standpoint which aren't found in named.conf.
> The real problem is that many ISP's don't do effective ingress/egress filtering.
Well, no. The real problem is a protocol set/implementation which lends itself so readily to spoofing in the first place, followed (as you say) by ISP/endpoint network inattention to anti-spoofing, followed by protocols which make use of the eminently-spoofable UDP for a critical service.
> This prevents compromised machines impersonating other machines.
Concur, but see above - spoofing is the symptom, not the disease.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
The basis of optimism is sheer terror.
-- Oscar Wilde
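An added example, not part of this message or of ISC's documentation, showing what the named.conf default Mark Andrews refers to looks like in practice: the open-resolver configuration beside the restricted form. The ACL name and the customer prefixes are assumptions (documentation ranges).

```conf
// Added example, not from the thread: an open recursive resolver beside the
// restricted form. Prefixes are documentation ranges chosen for illustration.

// WEAK: answers recursive queries from anywhere, so queries with a forged
// source address are answered toward whoever that address belongs to.
// options {
//     recursion yes;
//     allow-recursion { any; };
// };

// CORRECTED: recursion only for the networks this resolver actually serves.
acl "customers" {
    localhost;
    localnets;          // networks on directly attached interfaces
    192.0.2.0/24;       // assumed customer prefix (documentation range)
    2001:db8:1::/48;    // assumed customer prefix (documentation range)
};

options {
    recursion yes;
    allow-recursion { customers; };
    allow-query-cache { customers; };   // don't serve cached answers to outsiders either
    allow-query { any; };               // zones this server is authoritative for stay reachable
};
```

With this in place a query from outside the ACL for a name the server is not authoritative for gets REFUSED rather than an answer, which is the behaviour the 9.4 default change introduced; the point of the reply above is that this is necessary but not sufficient, since the resolver still cannot tell a forged source address from a real one.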
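An added example, not from the thread, of the ingress filtering the exchange calls for: strict source-address validation at a customer-facing edge, in the style of BCP 38 / uRPF strict mode. The interface names, the prefix table and the packets are constructed for illustration; it shows why a resolver's own ACL cannot solve the problem, since the forged packet is indistinguishable once it has left the network it came from.

```python
"""Added example (not from the thread): strict source-address validation
(BCP 38 / uRPF strict mode) applied to constructed packets.

An edge router knows which prefixes sit behind each customer-facing
interface. A packet arriving on an interface whose source address is
outside those prefixes is forged or misrouted and is dropped here, before
it can be reflected off a DNS server elsewhere on the Internet.
"""
import ipaddress
from dataclasses import dataclass

# Assumed ingress table: interface -> prefixes assigned to the customer behind it.
INGRESS_PREFIXES = {
    "cust-A": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-B": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("2001:db8:b::/48")],
}


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on
    src: str       # source address as written in the packet
    dst: str
    proto: str
    dport: int


def source_is_valid(pkt: Packet) -> bool:
    """Strict check: src must fall inside a prefix assigned to the ingress interface.

    Unparseable sources and unknown interfaces fail closed.  An IPv4 address
    is never 'in' an IPv6 network (and vice versa), so mixed-family tables
    behave as expected.
    """
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False
    return any(src in net for net in INGRESS_PREFIXES.get(pkt.ingress, []))


def filter_packets(packets):
    """Split packets into those to forward and those to drop at the edge."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_valid(pkt) else dropped).append(pkt)
    return {"forwarded": forwarded, "dropped": dropped}


# Constructed sample traffic: all UDP/53 toward a resolver elsewhere.
SAMPLE_PACKETS = [
    Packet("cust-A", "192.0.2.10",     "203.0.113.53", "udp", 53),   # legitimate
    Packet("cust-A", "203.0.113.9",    "203.0.113.53", "udp", 53),   # forged: not cust-A's prefix
    Packet("cust-B", "198.51.100.7",   "203.0.113.53", "udp", 53),   # legitimate
    Packet("cust-B", "198.51.100.200", "203.0.113.53", "udp", 53),   # forged: outside the /25
    Packet("cust-B", "2001:db8:b::1",  "2001:db8:53::1", "udp", 53), # legitimate IPv6
    Packet("cust-B", "not-an-ip",      "203.0.113.53", "udp", 53),   # malformed, fails closed
]


def dropped_sources(packets=SAMPLE_PACKETS):
    """Source addresses that this edge refused to forward, for logging/alerting."""
    return sorted(p.src for p in filter_packets(packets)["dropped"])


if __name__ == "__main__":
    result = filter_packets(SAMPLE_PACKETS)
    for p in result["forwarded"]:
        print("FORWARD", p.ingress, p.src, "->", p.dst)
    for p in result["dropped"]:
        print("DROP   ", p.ingress, p.src, "->", p.dst)
```

The filter lives at the network that originates the traffic, which is why the reply stresses ISP and endpoint inattention: the DNS server that receives the forged query has no equivalent check available to it.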