Open Resolver Problems
On 25/03/2013 16:35, Alain Hebert wrote:

> That might be just me, but I find those peers allowing their
> customers to spoof source IP addresses more at fault.

that is equally stupid and bad.

> PS: Some form of adaptive rate limitation works for it btw =D

no, it doesn't. In order to ensure that your resolver clients are serviced
properly, you need to keep the DNS query rate high enough that if someone
has a large bcp38-enabled botnet, they can trash the hell out of whoever
they want.

The best solution is to disable open recursion completely, and police your
clients regularly.

Nick
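
One way an operator could carry out the "police your clients" step on its own client address space, as an added example that is not part of the original message: send a recursion-desired query from outside the client's network and classify the reply header. The function names, the result labels and the RA-plus-rcode heuristic are assumptions of this example.

```python
import random
import socket
import struct

def build_query(name: str, txid: int) -> bytes:
    """A/IN query with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def classify_response(txid: int, data: bytes) -> str:
    """Classify a reply from its 12-byte DNS header."""
    if len(data) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != txid or not flags & 0x8000:   # wrong ID or QR bit clear
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"
    # RA set with NOERROR/NXDOMAIN: the host recursed for an outside source
    if flags & 0x0080 and rcode in (0, 3):
        return "open"
    return "not-open"

def probe(ip: str, name: str, timeout: float = 2.0) -> str:
    """Send one query to ip:53 from an address outside the client's ACL."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid), (ip, 53))
            data, _ = s.recvfrom(4096)
        except OSError:
            return "no-answer"
    return classify_response(txid, data)

if __name__ == "__main__":
    # Constructed reply headers (not captured traffic): flags vary, ID fixed
    for label, flags in [("recursive", 0x8180), ("refusing", 0x8105), ("referral", 0x8100)]:
        reply = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
        print(label, "->", classify_response(0x1234, reply))
```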