DNS cache poisoning attacks -- are they real?

Christopher L. Morrow christopher.morrow at mci.com
Sun Mar 27 18:25:48 UTC 2005

On Sun, 27 Mar 2005, Randy Bush wrote:

> i have yet to see cogent arguments, other than scaling issues,
> against running open recursive servers.

The common example to NOT run them is the DNS Smurf attack, forge dns
requests from your victim for some 'large' response: MX for mci.com works
probably for this and make that happen from a few hundred of your
friends/bots.  It seems that MX lookup will return 497 bytes, a query that
returns "see root please" is only 236 today.

Larger providers have the problem that you can't easily filter
'customers' from 'non-customers' in a sane and scalable fashion. While
they have to run the open resolvers for custoemr service reasons they
can't adequately protect them from abusers or attackers in all cases.


More information about the NANOG mailing list