Great Suggestion for the DNS problem...?

Florian Weimer fw at deneb.enyo.de
Tue Jul 29 02:54:25 CDT 2008


* Paul Vixie:

>>> Listen on 200 random fake ports (in addition to the true query ports);

> at first glance, this is brilliant, though with some unimportant nits.

It doesn't work OOTB for most users because the spoofed packets never
reach the name server process if you don't use the ports to send packets
to the authoritative server which is spoofed--the wonders of stateful
firewalling.

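The objection above is easy to check with a toy model of UDP connection tracking. The following is an added example, not code from the thread or from any resolver or firewall: it models a stateful filter that forwards an inbound UDP datagram to an inside port only if that port recently sent a datagram to the same remote address and port, places a resolver with one real query port and 200 decoy ports behind it, and sprays forged answers at all of those ports. The IP addresses, the 30 s tracking timeout and the port choices are constructed for the illustration.

```python
"""Toy model of stateful UDP filtering in front of a recursive resolver.

Constructed example (not from the thread). A conntrack-style firewall admits an
inbound UDP datagram to inside port P from remote R:53 only if P recently sent a
datagram to R:53. Decoy ports that never send anything therefore never see the
attacker's spoofed replies, so they cannot act as spoof detectors unless the
firewall is told to admit unsolicited UDP to them.
"""
from dataclasses import dataclass, field
import random

RESOLVER_IP = "192.0.2.53"     # constructed: resolver behind the firewall
AUTH_IP = "198.51.100.10"      # constructed: authoritative server being impersonated
UDP_TIMEOUT = 30.0             # constructed: seconds a tracking entry lives without traffic


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


@dataclass
class StatefulFirewall:
    """Records outbound UDP 5-tuples and forwards only their reverse direction."""
    now: float = 0.0
    # key: (inside_ip, inside_port, outside_ip, outside_port) -> expiry time
    table: dict = field(default_factory=dict)
    explicitly_open: set = field(default_factory=set)  # inbound ports admitted statelessly

    def outbound(self, pkt: Packet) -> None:
        self.table[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = self.now + UDP_TIMEOUT

    def inbound(self, pkt: Packet) -> bool:
        """True if the firewall forwards pkt to the inside host."""
        if pkt.dst_port in self.explicitly_open:
            return True
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        expiry = self.table.get(key)
        if expiry is None or expiry < self.now:
            self.table.pop(key, None)          # expired or never existed: drop
            return False
        self.table[key] = self.now + UDP_TIMEOUT  # matching traffic refreshes the entry
        return True


@dataclass
class Resolver:
    """One real query port plus a set of decoy ports that only record hits."""
    query_ports: set
    decoy_ports: set
    seen_on_decoy: list = field(default_factory=list)

    def receive(self, pkt: Packet) -> str:
        if pkt.dst_port in self.decoy_ports:
            self.seen_on_decoy.append(pkt)
            return "decoy-hit"
        if pkt.dst_port in self.query_ports:
            return "delivered"
        return "closed-port"


def run_scenario(fw_opens_decoys: bool, elapsed: float = 0.0, seed: int = 1) -> dict:
    """Send one real query, then spray forged answers at every decoy and the real port.

    fw_opens_decoys: whether the firewall admits unsolicited UDP to the decoy ports.
    elapsed: seconds between the real query and the attacker's spray.
    Returns a count of what happened to each forged reply.
    """
    rng = random.Random(seed)
    real_port = rng.randrange(1024, 65536)
    decoys = set(rng.sample([p for p in range(1024, 65536) if p != real_port], 200))
    fw = StatefulFirewall()
    if fw_opens_decoys:
        fw.explicitly_open |= decoys
    resolver = Resolver({real_port}, decoys)

    fw.outbound(Packet(RESOLVER_IP, real_port, AUTH_IP, 53, "query"))  # creates state
    fw.now = elapsed

    results = {"delivered": 0, "decoy-hit": 0, "closed-port": 0, "dropped-by-firewall": 0}
    for port in sorted(decoys | {real_port}):
        spoof = Packet(AUTH_IP, 53, RESOLVER_IP, port, "forged answer")
        if fw.inbound(spoof):
            results[resolver.receive(spoof)] += 1
        else:
            results["dropped-by-firewall"] += 1
    return results


if __name__ == "__main__":
    print("stateful, decoys not opened:", run_scenario(False))
    print("decoy ports explicitly opened:", run_scenario(True))
    print("spray after the tracking entry expired:", run_scenario(False, elapsed=UDP_TIMEOUT + 1))
```

With the default stateful rules the only forged reply that reaches the resolver is the one aimed at the real query port; all 200 aimed at decoys are dropped before the name server process sees them, which is exactly the out-of-the-box failure described in the reply. Opening the decoy ports on the firewall makes every decoy register a hit, so the scheme only works where an operator adds such a rule (or where there is no stateful filter at all). The third run shows the flip side of the same tracking state: once the entry for the real query has expired, even the real port is protected by the firewall, so the attacker's window on a stateful setup is bounded by the query's lifetime in the tracking table.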
More information about the NANOG mailing list