On Dec 12, 2013, at 3:27 PM, Alain Hebert wrote:
> The internet will be better without ISP refusing to apply BCP38.
>
> This is a pointless argument since the majority of the industry
> prefer going after the UDP flood instead of
> curbing the problem at its source once and for
The internet will be better without ISP refusing to apply BCP38.
This is a pointless argument since the majority of the industry
prefer going after the UDP flood instead of
curbing the problem at its source once and for all.
-
Alain Hebert aheb...
Also:
http://openresolverproject.org/
Also, open resolvers are harmful to the Internet, so it would not surprise
me to see organizations begin blocking any communication with them by
published lists of open recursive resolvers.
- - ferg.
On 12/12
http://www.team-cymru.org/Services/Resolvers/
The Internet will be a better place with less open resolvers around.
--SiNA
On Dec 12, 2013 5:32 AM, "Tony Finch" wrote:
> Anurag Bhatia wrote:
> >
> > Now I see presence of some (legitimate) DNS forwarders and hence I don't
> > wish to limit queri
Anurag Bhatia wrote:
>
> Now I see presence of some (legitimate) DNS forwarders and hence I don't
> wish to limit queries.
You are going to have to change your mind about this one. Open recursive
resolvers are a really bad idea, unless you can afford a lot of time and
cleverness to manage the abu
https://kb.isc.org/article/AA-01000
On Wed, Dec 11, 2013 at 2:17 PM, Arturo Servin wrote:
> I think it is a better idea to rate-limit your responses rather than
> limiting the size of them.
>
> AFAIK, bind has a way to do it.
>
> .as
>
>
> On Wed, Dec 11, 2013 at 4:25 PM, Anurag Bhatia
> wrote:
> >
dns-operations list is likely best suited for this question, but...
If using BIND 9.9.4 you can set the system to use TCP for repeated queries to
prevent spoofed ones from being replied to (ie: use yourself as an amplifier).
There's lists of domains published that are used in abuse, eg:
https:/
If you are using BIND, take a look at:
https://kb.isc.org/article/AA-01000
cv
On Wed, Dec 11, 2013 at 1:06 PM, Anurag Bhatia wrote:
> Hello everyone
>
>
> I noticed some issues on one of the DNS servers I am managing. It was getting
> queries for a couple of attacking domains and the server was replying
Hi Doug
I am using PowerDNS recursor.
On Thu, Dec 12, 2013 at 12:51 AM, Doug Barton wrote:
> You don't mention what software you're using. If you're using BIND, ask
> this question on bind-us...@isc.org. There is indeed a solution.
>
> Doug
>
>
>
> On 12/11/2013 10:06 AM, Anurag Bhatia wrote:
You don't mention what software you're using. If you're using BIND, ask
this question on bind-us...@isc.org. There is indeed a solution.
Doug
On 12/11/2013 10:06 AM, Anurag Bhatia wrote:
Hello everyone
I noticed some issues on one of the DNS servers I am managing.
I think it is a better idea to rate-limit your responses rather than
limiting the size of them.
AFAIK, bind has a way to do it.
.as
On Wed, Dec 11, 2013 at 4:25 PM, Anurag Bhatia wrote:
> Hi ML
>
>
>
> Yeah I can understand. Even DNSSEC will have issues with it which makes me
> worry about rule eve
Hi ML
Yeah I can understand. Even DNSSEC will have issues with it which makes me
worry about rule even today.
On Wed, Dec 11, 2013 at 11:49 PM, ML wrote:
> On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
> >
> > I am sure I am not the first person experiencing this issue. Curious to hear
> > how you
On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
>
> I am sure I am not the first person experiencing this issue. Curious to hear
> how you are managing it. Also under what circumstances I can get a
> legitimate TCP query on port 53 whose reply exceeds a basic limit of less
> than 1000 bytes?
>
>
>
I'm not
Hello everyone
I noticed some issues on one of the DNS servers I am managing. It was getting
queries for a couple of attacking domains and the server was replying in TCP with
3700 bytes releasing very heavy packets. Now I see presence of some
(legitimate) DNS forwarders and hence I don't wish to limit queri