On Sun, 27 Mar 2005, Randy Bush wrote:
i have yet to see cogent arguments, other than scaling issues, against running open recursive servers.
The common example to NOT run them is the DNS Smurf attack, forge dns requests from your victim for some 'large' response: MX for mci.com works probably for this and make that happen from a few hundred of your friends/bots. It seems that MX lookup will return 497 bytes, a query that returns "see root please" is only 236 today. Larger providers have the problem that you can't easily filter 'customers' from 'non-customers' in a sane and scalable fashion. While they have to run the open resolvers for custoemr service reasons they can't adequately protect them from abusers or attackers in all cases. -Chris