Subject: Re: Open Resolver Problems
Date: Mon, Mar 25, 2013 at 12:45:40PM -0400

Quoting Joe Abley (jabley@hopcount.ca):

> DNS servers (recursive and authoritative-only) are the low-hanging fruit du jour. I agree that there are many other effective amplifiers, and that even maximum DNS hygiene will not make the wider problem go away.
>
> A quick note on your final comment, though: whilst adaptive response rate limiting (so-called RRL) is fast developing into an effective mitigation for reflection attacks against authority-only servers, there is far less experience with traffic patterns or the effects of rate-limiting (using RRL or anything else) on recursive servers.
>
> The best advice for operation of recursive servers remains "restrict access to legitimate clients", not "apply rate-limiting".
Twice agree. I try to have ::1 as resolver on my server machines that are in a position to be used, and only accept queries on ::1. Takes care of access control nicely.

For auth servers, those serving DNSSEC records are especially attractive as amplifiers. At the moment, I'd have a hard time defending unrestricted query rates on auth servers if they serve DNSSEC. I've successfully applied the Redbarn patches to my BIND, and I expect the NSD rate-control to be of similar quality, or better.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
BELA LUGOSI is my co-pilot ...
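The two pieces of advice in this exchange (a recursor that answers only the local host, and RRL on a DNSSEC-serving authoritative server) as a BIND 9 named.conf sketch. This is an added illustration, not configuration from either poster; it assumes a BIND build with the `rate-limit` clause (9.9.4+ or the Redbarn/ISC RRL patch set mentioned above), and the paths and numbers are constructed.

```conf
// --- Weak: an open recursive resolver, reachable by anyone on the Internet ---
options {
    listen-on { any; };
    listen-on-v6 { any; };
    recursion yes;
    allow-recursion { any; };   // any source can use this host as a reflector
};

// --- Recursive resolver for the host's own use (the "::1 only" approach) ---
options {
    directory "/var/named";     // constructed path
    listen-on { 127.0.0.1; };   // bind to loopback only: no outside client can reach it
    listen-on-v6 { ::1; };
    recursion yes;
    allow-query { localhost; }; // belt and braces if an interface is added later
    allow-recursion { localhost; };
    allow-query-cache { localhost; };
};

// --- Authoritative-only server for DNSSEC-signed zones, with RRL ---
options {
    directory "/var/named";     // constructed path
    recursion no;               // never recurse for anyone
    allow-recursion { none; };
    allow-query-cache { none; };
    rate-limit {
        responses-per-second 5; // identical answers per client block per second
        window 5;               // seconds over which the rate is averaged
        slip 2;                 // every 2nd dropped reply is sent as TC=1 so real clients retry over TCP
        ipv4-prefix-length 24;  // clients are counted per /24 ...
        ipv6-prefix-length 56;  // ... and per /56
        log-only yes;           // measure first; switch to "no" once the limits look right
    };
};
zone "example.net" {           // constructed zone name
    type master;
    file "example.net.signed";
};
```

The three `options` blocks are alternatives for three different hosts, not one file; only one `options` block is allowed per named.conf.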