Open Resolver Problems

Mark Andrews marka at isc.org
Tue Apr 2 00:53:03 UTC 2013


In message <44ECD7B5-D9A4-408B-A132-29241DE3A867 at ianai.net>, "Patrick W. Gilmore" writes:
> On Apr 01, 2013, at 11:55 , "Milt Aitken" <milt at net2atlanta.com> wrote:
> 
> > Most of our DSL customers have modem/routers that resolve DNS
> > externally.
> > And most of those have no configuration option to stop it.
> > So, we took the unfortunate step of ACL blocking DNS requests to & from
> > the DSL network unless the requests are to our DNS servers.
> > 
> > Suboptimal, but it stopped the DNS amplification attacks.
> 
> I was going to suggest exactly this.
> 
> Don't most broadband networks have a line in their AUP about running 
> servers? Wouldn't a DNS server count as 'a server'? Then wouldn't running 
> one violate the AUP?
> 
> This gives the provider a hammer to hit the user over the head. Although 
> that is quite unlikely, so the better point is that it also gives the 
> provider cover in case some user complains about the provider filtering.
> 
> You can always make an exception if the user is extremely loud.
> 
> -- 
> TTFN,
> patrick

Actually, a lot don't have such a line.  Such lines are tantamount
to extortion, especially if the ISP supplies commercial grade lines.

That said, blocking by default with the option to open it up on
request, the same as smtp is opened on request, might be viable.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
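As an added example that is not part of this thread and not taken from either poster's network, here is what the policy described above (block DNS to and from the DSL pool except toward the provider's own resolvers, with per-customer exceptions opened on request) might look like as a Cisco IOS extended ACL. All addresses are RFC 5737 documentation prefixes standing in for the DSL pool, the provider's resolvers, and one customer who asked to be opted out; the ACL names and the interface name are assumptions.

```cisco
! Assumed addressing (RFC 5737 documentation space, not real networks):
!   192.0.2.0/24        DSL customer pool
!   198.51.100.10, .11  provider recursive resolvers
!   192.0.2.77          customer who asked to run their own resolver
!
! Traffic leaving the DSL pool toward the Internet
ip access-list extended DSL-DNS-OUT
 remark opt-out customer: DNS opened on request
 permit udp host 192.0.2.77 any eq 53
 permit tcp host 192.0.2.77 any eq 53
 permit udp host 192.0.2.77 eq 53 any
 permit tcp host 192.0.2.77 eq 53 any
 remark customer queries to the provider's own resolvers
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 53
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.11 eq 53
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 53
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.11 eq 53
 remark queries to any other resolver, and answers sent by CPE
 remark resolvers (the amplified traffic) are dropped
 deny   udp 192.0.2.0 0.0.0.255 any eq 53
 deny   tcp 192.0.2.0 0.0.0.255 any eq 53
 deny   udp 192.0.2.0 0.0.0.255 eq 53 any
 deny   tcp 192.0.2.0 0.0.0.255 eq 53 any
 permit ip any any
!
! Traffic entering the DSL pool from the Internet
ip access-list extended DSL-DNS-IN
 remark opt-out customer: queries to their resolver are allowed in
 permit udp any host 192.0.2.77 eq 53
 permit tcp any host 192.0.2.77 eq 53
 remark answers from the provider's resolvers
 permit udp host 198.51.100.10 eq 53 192.0.2.0 0.0.0.255
 permit udp host 198.51.100.11 eq 53 192.0.2.0 0.0.0.255
 permit tcp host 198.51.100.10 eq 53 192.0.2.0 0.0.0.255
 permit tcp host 198.51.100.11 eq 53 192.0.2.0 0.0.0.255
 remark queries aimed at customer CPE (spoofed or otherwise) are dropped;
 remark answers from other resolvers arrive on ephemeral ports and pass
 deny   udp any 192.0.2.0 0.0.0.255 eq 53
 deny   tcp any 192.0.2.0 0.0.0.255 eq 53
 permit ip any any
!
interface GigabitEthernet0/1
 description DSL aggregation (assumed interface name)
 ip access-group DSL-DNS-OUT in
 ip access-group DSL-DNS-IN out
```

The deny lines carry no `log` keyword on purpose: during an amplification run the logging cost per packet is significant, and the per-entry hit counters from `show ip access-lists` are enough to see how much the filter is catching. Customers who point their CPE at a third-party resolver lose DNS under this policy, which is the suboptimal part Milt mentions; the opt-out entries at the top of each list are how a request to open it up would be honoured.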



