Home page logo
/

nanog logo nanog mailing list archives

Re: Open Resolver Problems
From: Mark Andrews <marka () isc org>
Date: Tue, 02 Apr 2013 11:53:03 +1100


In message <44ECD7B5-D9A4-408B-A132-29241DE3A867 () ianai net>, "Patrick W. Gilmore" writes:
On Apr 01, 2013, at 11:55 , "Milt Aitken" <milt () net2atlanta com> wrote:

Most of our DSL customers have modem/routers that resolve DNS
externally.
And most of those have no configuration option to stop it.
So, we took the unfortunate step of ACL blocking DNS requests to & from
the DSL network unless the requests are to our DNS servers.

Suboptimal, but it stopped the DNS amplification attacks.

I was going to suggest exactly this.

Don't most broadband networks have a line in their AUP about running 
servers? Wouldn't a DNS server count as 'a server'? Then wouldn't running 
one violate the AUP?

This gives the provider a hammer to hit the user over the head. Although 
that is quite unlikely, so the better point is that it also gives the 
provider cover in case some user complains about the provider filtering.

You can always make an exception if the user is extremely loud.

-- 
TTFN,
patrick

Actually a lot don't have such a line.  Such lines are tantamount
to extortion especially if the ISP supplies commercial grade lines.

That said blocking by default with the option to open it up on
request, the same as smtp is opened on request, might be viable.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault