On 25/03/2013 16:35, Alain Hebert wrote:
> That might be just me, but I find those peers allowing their
> customers to spoof source IP addresses more at fault.

that is equally stupid and bad.

> PS: Some form of adaptive rate limitation works for it btw =D

no, it doesn't. In order to ensure that your resolver clients are serviced properly, you need to keep the DNS query rate high enough that if someone has a large bcp38-enabled botnet, they can trash the hell out of whoever they want.

The best solution is to disable open recursion completely, and police your clients regularly.

Nick