Tightened DNS security question re: DNS amplification attacks.
nanog at konadogs.net
Tue Jan 27 18:59:40 CST 2009
On Wed, Jan 28, 2009 at 10:36:29AM +1100, Mark Andrews wrote:
> < ... snip ... >
> > deny udp host 220.127.116.11 neq 53 any eq 53
> Which pre-supposes that 18.104.22.168 os not emitting queries of
> its own.
> BCP 140 looked at this problem and concluded that sending
> REFUSED was the best general guidance that can be given.
> While BCP 140 applies to recursive servers, returning REFUSED
> to queries which are not within the namespace served by
> authoritative servers is entirely consistant with BCP 140.
Agree. Thank you for catching that. I should have elaborated that one
must be very judicious about adding ACLs for the reasons you mentioned.
One of the DOS victims had explicitly said not to expect queries from two
of the recent targets, but yeah, not necessarily a good plan in the general
More information about the NANOG