mailing list archives
Re: Open Resolver Problems
From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Mon, 1 Apr 2013 12:03:53 -0400
On Apr 01, 2013, at 11:55 , "Milt Aitken" <milt () net2atlanta com> wrote:
Most of our DSL customers have modem/routers that resolve DNS
And most of those have no configuration option to stop it.
So, we took the unfortunate step of ACL blocking DNS requests to & from
the DSL network unless the requests are to our DNS servers.
Suboptimal, but it stopped the DNS amplification attacks.
I was going to suggest exactly this.
Don't most broadband networks have a line in their AUP about running servers? Wouldn't a DNS server count as 'a
server'? Then wouldn't running one violate the AUP?
This gives the provider a hammer to hit the user over the head. Although that is quite unlikely, so the better point is
that it also gives the provider cover in case some user complains about the provider filtering.
You can always make an exception if the user is extremely loud.
From: Mikael Abrahamsson [mailto:swmike () swm pp se]
Sent: Monday, April 01, 2013 11:51 AM
To: Chris Boyd
Cc: nanog () nanog org
Subject: Re: Open Resolver Problems
On Mon, 1 Apr 2013, Chris Boyd wrote:
Just back to the office, and started checking my networks. Found one
the resolvers is a Netgear SOHO NAT box. EoL'd, no new firmware
available. Anyone have any feeling for what percentage are these
If you buy "type of box" mean "small SOHO NAT router which does DNS
resolving on the WAN interface" then I'd say "a lot". Someone does a
rollout of new software and configuration and happens to mess up the
config file (or the vendor just happens to enable global dns resolving
the new software) and this slips through testing, then you're there. I
believe this happens all the time.
That's why the publication of these lists are important, in a lot of
there are a lot of people who are simply not aware of these devices
this, and they need to be poked to notice.
Mikael Abrahamsson email: swmike () swm pp se