DNS DoS ???

Jimmy Hess mysidia at gmail.com
Sat Jul 30 20:08:59 UTC 2011


On Sat, Jul 30, 2011 at 11:33 AM, Drew Weaver <drew.weaver at thenap.com>wrote:


> And at this point he may as well just ACL in-front of the recursors to
> prevent the traffic from hitting the servers thus reducing load needed to
> reject the queries on the servers themselves.
>
>
A problem for providers of DNS recursive servers as a hosted service,  is
the client sender IP address may be dynamic and off-net.
And the DNS protocol does not provide a method of authentication,  or
passing credentials from the client
to the server to authorize the use of recursive DNS.

This differs from SMTP.     There really is no such thing as a "closed
recursive resolver",   except where
unwanted queries are blocked by IP.

All we really have is TSIG for such scenarios,  and most client resolvers do
not support loading the resolver
with a secret key,  in order to authorize recursive access.


So it follows, that in a number cases,   "closing recursive access"  is not
a good option.


A good example, would be   services  such as    OpenDNS.


Regards,
--
-JH



More information about the NANOG mailing list