Re: named recursive queries

From: Doug Barton <dougb_at_FreeBSD.org>
Date: Thu, 08 Jun 2006 14:22:44 -0700
Chuck Swiger wrote:

> It seems clear that people who want to run a recursive nameserver will
> be able to change this if your proposed change is made.  However, which
> problem are you trying to solve with it?

Well, having a wide open anything on the network is pretty much a bad idea
nowadays. While the current press surrounding the open resolver DDoS problem
is drawing attention to this particular part of the issue, it's bad for us
to start what is supposed to be a local resolver in wide open mode in any
case. (Which, as I pointed out already, is not what we are doing.)

> Yes, people can send queries with a spoofed sender to perform a DoS, and
> yes, permitting recursive queries lets the attacker choose a large
> response from any zone rather than having to tailor the attack to each
> nameserver.

Yes, that is one variant of the attack that we're trying to mitigate.

> The right solution to that problem is egress filtering of spoofed
> traffic at the ISP-level.

Yes, but long years of history (not to mention the obvious economic
incentive) have shown that this will not happen. Therefore we need to attack
this problem directly, using available mechanisms.

Doug

-- 

    This .signature sanitized for your protection
Received on Thu Jun 08 2006 - 20:22:50 UTC
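The distinction Doug draws above, between a nameserver that recurses for anyone who can reach it and one that only resolves for local clients, comes down to a few lines of BIND 9 configuration. The two fragments below are an added illustration, not from this thread or from FreeBSD's shipped named.conf; the ACL name `trusted` and the 192.0.2.0/24 and 192.0.2.1 addresses are constructed for the example.

```conf
// Added example (not from the thread): two alternative BIND 9 named.conf
// fragments. Use one or the other, not both in the same file.
// Addresses are constructed; "trusted" is an ACL name chosen for this example.

// 1. Wide-open resolver: recurses for any client that can reach the port.
//    This is the "open resolver" that reflection/amplification floods abuse.
options {
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };
};

// 2. Local resolver: recurses only for the host itself and its own networks.
acl trusted {
    127.0.0.1;
    ::1;
    192.0.2.0/24;          // constructed example: the local LAN
};

options {
    listen-on { 127.0.0.1; 192.0.2.1; };   // constructed: loopback plus the LAN address
    listen-on-v6 { ::1; };
    recursion yes;
    allow-query { trusted; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };   // BIND 9.4 and later; keeps outsiders from reading cached answers
};
```

After changing the file, `named-checkconf` validates the syntax before a restart, and a query sent from an address outside the `trusted` ACL (for example `dig @<server> example.com`) should come back REFUSED rather than answered, which is the behaviour that takes the server off the list of usable reflectors.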
