-----Original Message-----
From: Dobbins, Roland [mailto:rdobb...@arbor.net]
Sent: Friday, July 29, 2011 6:40 PM
To: NANOG list
Subject: Re: DNS DoS ???

On Jul 30, 2011, at 1:51 AM, Elliot Finley wrote:

> my DNS servers were getting slow so I blocked recursive queries for all but
> my own network.

This should be the standard practice. By operating an open recursor, you lend your DNS server to abuse as a contributor to DNS reflection/amplification attacks.

-----------------------------------------------------------------------

And at this point he may as well just ACL in front of the recursors to prevent the traffic from hitting the servers, thus reducing load needed to reject the queries on the servers themselves.

-Drew
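
An added example, not part of the original thread: a check an operator could run against their own resolver from a host outside the permitted network, to confirm which of the two restrictions discussed above is in effect (the server refusing recursion, or an upstream ACL dropping the query before it reaches the server). The function names, result labels and sample replies are constructed for this illustration.

```python
import socket
import struct

RCODE_REFUSED = 5

def build_query(name, qid=0x1234, qtype=1):
    """Build a DNS A query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def classify_reply(reply, qid=0x1234):
    """Classify the reply to a recursive query for a name the server is
    not authoritative for, using only the 12-byte DNS header."""
    if len(reply) < 12:
        return "malformed"
    rid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != qid or not flags & 0x8000:    # wrong ID, or QR bit not set
        return "malformed"
    rcode = flags & 0x000F
    recursion_available = bool(flags & 0x0080)
    if rcode == RCODE_REFUSED:
        return "refused"                    # server itself rejected the query
    if recursion_available and rcode == 0 and an > 0:
        return "open-recursor"              # server resolved it for an outsider
    if rcode == 0 and an == 0 and ns > 0:
        return "referral-only"              # no recursion performed
    return "other"

def probe(server, name, timeout=3.0):
    """Send one recursive query to `server` over UDP/53 and classify the result."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-reply"               # consistent with an ACL in front of the server
    return classify_reply(reply)

# Constructed sample reply headers (not captured traffic).
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR, RD, rcode=5
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR, RD, RA, 1 answer
```

A "refused" result means the server still spends cycles answering each outside query; "no-reply" is what the upstream ACL approach produces.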