On 2008-07-09, Steve Tornio <[EMAIL PROTECTED]> wrote:
> I get a different result using the external interface of my caching
> name server, and mine looks vulnerable.
named is. The stub resolver isn't.

mcbride@ pointed out that you can give named some more protection by NATing outbound UDP traffic destined for port 53 (even just on the box running the resolver; it doesn't have to be on a firewall in front). Something like:

    nat on egress proto udp from (self) to any port 53 -> (self)

There: if you need to tell people you're doing something while you wait for a better solution, you have an option. Check this with tcpdump and requests from multiple NS; the doxpara.com checker will not notice this as an improvement.
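Added example (not from the original post, not OpenBSD or ISC code): a small Python script for the tcpdump check suggested above. Capture on the egress interface (for example `tcpdump -n -i <egress-if> udp and dst port 53`), since pf has already translated the packets by the time they reach the wire; with no port range given on the translation address, pf's nat picks a random source port from 50001-65535 (pf.conf(5) of that era), so the translated queries should show varied ports across queries to different name servers, while a vulnerable resolver shows one fixed port or an incrementing one. The script classifies the source ports it finds as fixed, sequential or varied. The parser accepts both the OpenBSD tcpdump line format and the libpcap variant that prints an `IP` token; the capture lines embedded below are constructed with RFC 5737 documentation addresses, not real captures.

```python
"""Classify DNS query source-port allocation from one-line tcpdump output.

Added example; not part of the original post. All capture lines below are
constructed (RFC 5737 addresses), not real traffic.
"""
import re

# Matches the start of a one-line tcpdump record for an IPv4 UDP packet, e.g.
#   "13:37:01.000001 192.0.2.10.53000 > 198.51.100.5.53: 1001+ A? example.com. (29)"
# (OpenBSD tcpdump) or the same line with "IP " after the timestamp (libpcap
# tcpdump). Only the source and destination ports are used.
QUERY_RE = re.compile(
    r"^\S+ (?:IP )?(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
)


def query_source_ports(lines, dns_port=53):
    """Return the source ports of packets sent to dns_port, in capture order."""
    ports = []
    for line in lines:
        m = QUERY_RE.match(line)
        if m and int(m.group("dport")) == dns_port:
            ports.append(int(m.group("sport")))
    return ports


def assess_ports(ports):
    """Summarise how the query source ports were allocated.

    verdict is 'no-data', 'fixed' (one port reused: trivially guessable),
    'sequential' (each query uses the previous port plus one: also guessable)
    or 'varied' (no obvious pattern; necessary, not sufficient, for a
    randomised allocator). 'spread' is max(port) - min(port).
    """
    if not ports:
        return {"distinct": 0, "spread": 0, "verdict": "no-data"}
    distinct = len(set(ports))
    spread = max(ports) - min(ports)
    steps = [b - a for a, b in zip(ports, ports[1:])]
    if distinct == 1:
        verdict = "fixed"
    elif steps and all(s == 1 for s in steps):
        verdict = "sequential"
    else:
        verdict = "varied"
    return {"distinct": distinct, "spread": spread, "verdict": verdict}


# Constructed: resolver sending every query from one source port. The NTP line
# is there to show that non-DNS traffic is ignored.
FIXED_CAPTURE = [
    "13:37:01.000001 192.0.2.10.53000 > 198.51.100.5.53: 1001+ A? example.com. (29)",
    "13:37:01.000002 192.0.2.10.53000 > 198.51.100.6.53: 1002+ A? example.net. (29)",
    "13:37:01.000003 192.0.2.10.53000 > 203.0.113.9.53: 1003+ MX? example.org. (29)",
    "13:37:01.000004 192.0.2.10.35001 > 198.51.100.7.123: NTPv4, Client, length 48",
    "13:37:01.000005 192.0.2.10.53000 > 198.51.100.8.53: 1004+ AAAA? example.com. (29)",
]

# Constructed: an incrementing allocator, libpcap-style lines with "IP".
SEQUENTIAL_CAPTURE = [
    "13:38:01.000001 IP 192.0.2.10.32768 > 198.51.100.5.53: 2001+ A? example.com. (29)",
    "13:38:01.000002 IP 192.0.2.10.32769 > 198.51.100.6.53: 2002+ A? example.net. (29)",
    "13:38:01.000003 IP 192.0.2.10.32770 > 203.0.113.9.53: 2003+ A? example.org. (29)",
]

# Constructed: what the egress interface should show once pf nat rewrites the
# source port into its default 50001-65535 range.
NATTED_CAPTURE = [
    "13:39:01.000001 192.0.2.10.50123 > 198.51.100.5.53: 3001+ A? example.com. (29)",
    "13:39:01.000002 192.0.2.10.61042 > 198.51.100.6.53: 3002+ A? example.net. (29)",
    "13:39:01.000003 192.0.2.10.55877 > 203.0.113.9.53: 3003+ MX? example.org. (29)",
    "13:39:01.000004 192.0.2.10.64001 > 198.51.100.8.53: 3004+ AAAA? example.com. (29)",
    "13:39:01.000005 192.0.2.10.52390 > 198.51.100.5.53: 3005+ NS? example.com. (29)",
]

if __name__ == "__main__":
    # Real use: pipe `tcpdump -n -l -i <egress-if> udp and dst port 53`
    # into sys.stdin and call query_source_ports(sys.stdin) instead.
    for name, capture in (("fixed", FIXED_CAPTURE),
                          ("sequential", SEQUENTIAL_CAPTURE),
                          ("natted", NATTED_CAPTURE)):
        print(name, assess_ports(query_source_ports(capture)))
```

A handful of queries is enough to catch the fixed and sequential cases, which is what this check is for; a "varied" verdict on a few packets says nothing about the quality of the randomness, so send queries to several different name servers and look at a reasonable number of them before concluding anything.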