On Aug 1, 2011, at 7:42 AM, Mark Andrews wrote:
> Named already takes proper precautions by default. Recursive service is limited to directly connected networks by default. The default was first changed in 9.4 (2007), which is about to go end-of-life once the final wrap-up release is done.
This alone isn't enough. There are quite a few other things folks must do from an architectural and operational standpoint which aren't found in named.conf.
> The real problem is that many ISPs don't do effective ingress/egress filtering.
Well, no. The real problem is a protocol set/implementation which lends itself so readily to spoofing in the first place, followed (as you say) by ISP/endpoint network inattention to anti-spoofing, followed by protocols which make use of the eminently-spoofable UDP for a critical service.
> This prevents compromised machines from impersonating other machines.
Concur, but see above - spoofing is the symptom, not the disease.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

The basis of optimism is sheer terror.
-- Oscar Wilde
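As an added illustration of the named.conf point discussed above (not configuration from the thread or from BIND's own documentation): the open-resolver setting beside the restricted one that the post-9.4 default corresponds to. The `trusted` ACL name and the 192.0.2.0/24 range are constructed for the example; named.conf accepts only one `options` block, so the two stanzas are alternatives, not a single file.

```conf
// --- Alternative A (weak): an open resolver ---
// Any source address on the Internet may ask this server to recurse and may
// read its cache, so spoofed UDP queries can turn it into a reflector.
options {
    recursion yes;
    allow-recursion { any; };
    allow-query-cache { any; };
};

// --- Alternative B (restricted): what the 9.4+ default does implicitly ---
// Only directly connected networks and an enumerated internal range may
// recurse or read the cache; everyone else is denied recursion.
acl "trusted" {
    localhost;
    localnets;        // built-in ACL: networks on the server's own interfaces
    192.0.2.0/24;     // constructed example of an internal client range
};

options {
    recursion yes;
    allow-recursion { trusted; };
    // Since 9.4, allow-query-cache falls back to the allow-recursion value
    // when unset; stating it explicitly avoids surprises in later edits.
    allow-query-cache { trusted; };
};
```

Restricting recursion limits who can make this server recurse; as the thread notes, it does nothing about the spoofed source addresses themselves, which only ingress/egress filtering upstream can address.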