Domain Name System protection
Suresh Ramasubramanian
suresh at outblaze.com
Mon Aug 16 05:29:16 UTC 2004
Joe Shen wrote:
> We noticed there is continous name resolution requests
> from IP address outside of our address pool and also
> there is requests not conforming to DNS documents (
> like those from 10/8, 192.168/16 or something for
> microsoft proxy server name). We think these request
> waste our resource and we don't want these system
> stable, secure and high performance.
If the resolver caches are only supposed to be accessed from your IP
space, I am sure you can easily throw in a router ACL to accept
connections on port 53 only from these IPs.
Oh, and filter out bogons at your borders while you are at it (like for
example rfc1918 source addresses from outside your network)
srs
More information about the NANOG
mailing list