[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Open Resolver Problems

On Tue, Mar 26, 2013 at 7:07 PM, Tom Paseka <tom at cloudflare.com> wrote:
> On Tue, Mar 26, 2013 at 7:04 PM, Matthew Petach <mpetach at netflight.com>
> wrote:
>> On Tue, Mar 26, 2013 at 6:06 PM, John Levine <johnl at iecc.com> wrote:
>> >>As a white-hat attempting to find problems to address through legitimate
>> >> means, how
>> >>do you ?
>> >
>> > You make friends with people with busy authoritative servers and see
>> > who's querying them.
>> I'm confused.  Don't most authoritative servers have to
>> answer to just about anyone in order to be useful?
>> Matt
> Authoritative DNS servers need to implement rate limiting. (a client
> shouldn't query you twice for the same thing within its TTL).

OK, but we started this discussion about open recursive resolvers,
right?  Securing your recursive resolvers is a very different problem
space from trying to come up with rate limits for your authoritative

In terms of impacts people are feeling today, is most of the pain
coming from open recursive servers being abused by miscreants,
or from miscreants doing spoofed queries against authoritative

The concern Valdis raised about securing recursives while still
being able to issue static nameserver IPs to mobile devices
is an orthogonal problem to Owen putting rate limiters on
the authoritative servers for he.net.  If we're all lighting up
pitchforks and raising torches, I'd kinda like to know at which
castle we're going to go throw pitchforks.