mailing list archives
Re: Open Resolver Problems
From: Joe Abley <jabley () hopcount ca>
Date: Mon, 1 Apr 2013 14:33:57 -0400
On 2013-04-01, at 14:19, Jay Ashworth <jra () baylink com> wrote:
From: "Roland Dobbins" <rdobbins () arbor net>
On Apr 1, 2013, at 11:18 PM, Patrick W. Gilmore wrote:
Of course, since users shouldn't be using off-net name servers
anyway, this isn't really a problem! :)
It's easy enough to construct ACLs to restrict the broadband consumer
access networks from doing so. Additional egress filtering would catch
any reflected attacks, per your previous comments.
So, how would Patrick's caveat affect me, whose recursive resolver *is
on my Linux laptop*? Would not that recursor be making queries he
The badness that Patrick is talking about blocking are DNS responses being sent from consumer devices to the Internet,
answering DNS queries being sent from the Internet towards consumer devices. (I think. This thread is sufficiently
circular that I feel a bit dizzy, and could be mistaken.) The DNS traffic outbound from your laptop will be DNS queries
(not responses) and the inbound traffic will be DNS responses (not queries). The traffic profiles are different.
The case where infected consumer devices originate source-spoofed queries towards open resolvers, feeding a query
stream to an amplifier for delivery to a victim, is mitigated by preventing those consumer devices from spoofing their
source address, so BCP38.
The case where infected consumer devices originate non-source-spoofed queries towards DNS servers in order to overwhelm
the servers themselves with perfectly legitimate-looking queries is a harder problem to solve at the edge, and is most
easily mitigated for DNS server operators by the approach "ensure great headroom".
Re: Open Resolver Problems Joe Abley (Apr 01)
- Re: Open Resolver Problems, (continued)