Date:      Thu, 08 Jun 2006 14:22:44 -0700
From:      Doug Barton <dougb@FreeBSD.org>
To:        Chuck Swiger <cswiger@mac.com>
Cc:        current@freebsd.org
Subject:   Re: named recursive queries
Message-ID:  <44889524.3030600@FreeBSD.org>
In-Reply-To: <448799B6.8080709@mac.com>
References:  <20060608015022.Y52876@mp2.macomnet.net> <448799B6.8080709@mac.com>

Chuck Swiger wrote:

> It seems clear that people who want to run a recursive nameserver will
> be able to change this if your proposed change is made.  However, which
> problem are you trying to solve with it?

Well, having a wide open anything on the network is pretty much a bad idea
nowadays. While the current press surrounding the open resolver DDoS problem
is drawing attention to this particular part of the issue, it's bad for us
to start what is supposed to be a local resolver in wide open mode in any
case. (Which, as I pointed out already, is not what we are doing.)

> Yes, people can send queries with a spoofed sender to perform a DoS, and
> yes, permitting recursive queries lets the attacker choose a large
> response from any zone rather than having to tailor the attack to each
> nameserver.

Yes, that is one variant of the attack that we're trying to mitigate.

> The right solution to that problem is egress filtering of spoofed
> traffic at the ISP-level.

Yes, but long years of history (not to mention the obvious economic
incentive) have shown that this will not happen. Therefore we need to attack
this problem directly, using available mechanisms.

Doug

-- 

    This .signature sanitized for your protection
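The wide-open default Doug is objecting to, beside the local-resolver setup he describes, as an added illustration in BIND named.conf syntax; it is not part of the original message nor FreeBSD's actual shipped configuration, and the two `options` blocks are alternatives, not one file. The directive and built-in ACL names (`listen-on`, `allow-recursion`, `allow-query-cache`, `localhost`) are standard BIND options.

```conf
// Open resolver: recursion is on and nothing limits who may use it, so any
// host on the Internet can have this server resolve arbitrary names and
// can point the (possibly large) answers at a spoofed source address.
options {
    recursion yes;
};

// Local resolver: the daemon listens on loopback only, and even if it is
// later bound to other interfaces, recursion and cache lookups are still
// limited to the host itself.
options {
    listen-on    { 127.0.0.1; };
    listen-on-v6 { ::1; };
    recursion yes;
    allow-recursion   { localhost; };
    allow-query-cache { localhost; };
};
```

Run `named-checkconf` on the edited file before reloading, and confirm from another host that a recursive query is refused.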
