DNS Amplification Attacks

Peter Dambier peter at peter-dambier.de
Mon Mar 20 22:29:26 UTC 2006

Joseph S D Yao wrote:
> On Mon, Mar 20, 2006 at 11:30:46PM +0200, Gadi Evron wrote:
> ...
>>Where did that come from? I respect you but please, let's have a 
>>technical discussion. This is important enough for us all to avoid the 
>>flame-wars for now. Don't move this thread to politics or lunacies.
> ...
> Then leave governments out of it, and re-phrase the question in this
> way.  If one can not run one's own DNS server on the public Internet,
> but must rely on a DNS service supplier for your DNS, and at some point
> you start to wonder about the technical competence or correct
> configuration of the DNS service supplier whose DNS you are configured to use,
> and all other DNS servers out there are configured to refuse recursive
> service except perhaps to their own population, then against what can
> you compare the DNS service that you are getting, to see whether it is
> giving you what "the world" should be seeing?

That is exactly what worries me.

In Germany censoring is commonplace. You have to use foreign resolvers
to escape it. There is a lot of collateral damage too - government has
provided the tools. Corrupt people use it to play tricks on their

How about alternative roots? ICANN does censor "XN--55QX5D.", "XN--FIQS8S."
and "XN--IO0A7I." already. You must use alternative roots to exchange emails
with people living in those domains.

Banning open resolvers means censoring for a lot of people, at least
if they cannot run their own servers.

Peter and Karin Dambier
The Public-Root Consortium
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
