FW: Open Resolver Problems
- Subject: FW: Open Resolver Problems
- From: milt at net2atlanta.com (Milt Aitken)
- Date: Mon, 1 Apr 2013 11:55:34 -0400
Most of our DSL customers have modem/routers that resolve DNS externally.
And most of those have no configuration option to stop it.
So, we took the unfortunate step of ACL blocking DNS requests to & from
the DSL network unless the requests are to our DNS servers.
Suboptimal, but it stopped the DNS amplification attacks.
-----Original Message-----
From: Mikael Abrahamsson [mailto:swmike at swm.pp.se]
Sent: Monday, April 01, 2013 11:51 AM
To: Chris Boyd
Cc: nanog at nanog.org
Subject: Re: Open Resolver Problems
On Mon, 1 Apr 2013, Chris Boyd wrote:
> Just back to the office, and started checking my networks. Found one of
> the resolvers is a Netgear SOHO NAT box. EoL'd, no new firmware
> available. Anyone have any feeling for what percentage are these types
> of boxes?
If by "type of box" you mean "small SOHO NAT router which does DNS
resolving on the WAN interface" then I'd say "a lot". Someone does a
rollout of new software and configuration and happens to mess up the
config file (or the vendor just happens to enable global DNS resolving in
the new software) and this slips through testing, then you're there. I
believe this happens all the time.
That's why the publication of these lists is important; in a lot of
cases there are a lot of people who are simply not aware of these devices
doing this, and they need to be poked to notice.
--
Mikael Abrahamsson email: swmike at swm.pp.se
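The edge ACL Milt describes, modelled as a small policy check so the effect on each direction of traffic is visible. This is an added illustration, not configuration from the thread or from net2atlanta; the DSL prefix, resolver addresses and sample flows are constructed placeholders (RFC 5737 documentation ranges).

```python
import ipaddress

# Constructed values, not from the post: one DSL customer prefix and the
# ISP's own recursive resolvers, the only DNS peers the DSL network may use.
DSL_NET = ipaddress.ip_network("198.51.100.0/24")
ISP_RESOLVERS = {ipaddress.ip_address("203.0.113.53"),
                 ipaddress.ip_address("203.0.113.54")}
DNS_PORT = 53


def dns_acl(src_ip, src_port, dst_ip, dst_port, proto="udp"):
    """Evaluate one packet against the DSL-edge DNS ACL.

    Returns (permit, reason). Only UDP/TCP with port 53 on either end is
    subject to the rule; for such packets, traffic to or from DSL_NET is
    permitted only when the non-DSL end is one of ISP_RESOLVERS.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if proto not in ("udp", "tcp") or DNS_PORT not in (src_port, dst_port):
        return True, "not DNS, ACL does not apply"
    src_dsl, dst_dsl = src in DSL_NET, dst in DSL_NET
    if not (src_dsl or dst_dsl):
        return True, "does not touch the DSL network"
    if src_dsl and dst_dsl:
        return True, "intra-DSL, never crosses the edge"
    other = dst if src_dsl else src          # the end outside DSL_NET
    if other in ISP_RESOLVERS:
        return True, "ISP resolver on the far end"
    direction = "outbound" if src_dsl else "inbound"
    return False, f"{direction} DNS with a non-ISP far end"


# Constructed sample flows. The first two are a customer using the ISP
# resolver; the next two are the reflection path an amplification attack
# relies on (spoofed query in, large answer out); the last is the cost of
# the rule: a customer who picked a third-party resolver is cut off.
SAMPLE_FLOWS = [
    ("198.51.100.7", 40001, "203.0.113.53", 53),   # customer query
    ("203.0.113.53", 53, "198.51.100.7", 40001),   # resolver reply
    ("192.0.2.10", 4444, "198.51.100.7", 53),      # spoofed query to CPE
    ("198.51.100.7", 53, "192.0.2.10", 4444),      # amplified reply out
    ("198.51.100.7", 40002, "192.0.2.53", 53),     # query to outside DNS
]


def summarize(flows=SAMPLE_FLOWS):
    """Return (permitted_count, dropped_count) for a list of flows."""
    verdicts = [dns_acl(*f)[0] for f in flows]
    return sum(verdicts), len(verdicts) - sum(verdicts)


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "->", dns_acl(*f))
```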