Open Resolver Problems

• Previous message (by thread): Open Resolver Problems
• Next message (by thread): Open Resolver Problems
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 25/03/2013 16:35, Alain Hebert wrote:
>     That might be just me, but I find those peers allowing their
> customers to spoof source IP addresses more at fault.

that is equally stupid and bad.

>     PS: Some form of adaptive rate limitation works for it btw =D

no, it doesn't.  In order to ensure that your resolver clients are serviced
properly, you need to keep the DNS query rate high enough that if someone
has a large bcp38-enabled botnet, they can trash the hell out of whoever
they want.

The best solution is to disable open recursion completely, and police your
clients regularly.

Nick

• Previous message (by thread): Open Resolver Problems
• Next message (by thread): Open Resolver Problems
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]