[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

DNS DoS ???

On Sat, Jul 30, 2011 at 11:33 AM, Drew Weaver <drew.weaver at thenap.com>wrote:

> And at this point he may as well just ACL in-front of the recursors to
> prevent the traffic from hitting the servers thus reducing load needed to
> reject the queries on the servers themselves.
A problem for providers of DNS recursive servers as a hosted service,  is
the client sender IP address may be dynamic and off-net.
And the DNS protocol does not provide a method of authentication,  or
passing credentials from the client
to the server to authorize the use of recursive DNS.

This differs from SMTP.     There really is no such thing as a "closed
recursive resolver",   except where
unwanted queries are blocked by IP.

All we really have is TSIG for such scenarios,  and most client resolvers do
not support loading the resolver
with a secret key,  in order to authorize recursive access.

So it follows, that in a number cases,   "closing recursive access"  is not
a good option.

A good example, would be   services  such as    OpenDNS.