Open Resolver Problems
- Subject: Open Resolver Problems
- From: marka at isc.org (Mark Andrews)
- Date: Wed, 27 Mar 2013 13:27:55 +1100
- In-reply-to: Your message of "Tue, 26 Mar 2013 19:07:16 PDT." <CAL89Sg+XDKc=_6UWosAZ=wyPJb9tm2GaN0-vDk8Kyiji+vEUUQ@mail.gmail.com>
- References: <[email protected]> <[email protected]> <CAEmG1=oXXwHObBcBaRTFTj9-uyq_dFfB4j63LAmKp8Y4hdT+Wg@mail.gmail.com> <CAL89Sg+XDKc=_6UWosAZ=wyPJb9tm2GaN0-vDk8Kyiji+vEUUQ@mail.gmail.com>
In message <CAL89Sg+XDKc=_6UWosAZ=wyPJb9tm2GaN0-vDk8Kyiji+vEUUQ at mail.gmail.com>, Tom Paseka writes:
> On Tue, Mar 26, 2013 at 7:04 PM, Matthew Petach <mpetach at netflight.com> wrote:
>
> > On Tue, Mar 26, 2013 at 6:06 PM, John Levine <johnl at iecc.com> wrote:
> > >>As a white-hat attempting to find problems to address through legitimate means, how
> > >>do you …
> > >
> > > You make friends with people with busy authoritative servers and see
> > > who's querying them.
> >
> > I'm confused. Don't most authoritative servers have to
> > answer to just about anyone in order to be useful?
> >
> > Matt
> >
>
> Authoritative DNS servers need to implement rate limiting. (a client
> shouldn't query you twice for the same thing within its TTL).
You are assuming that there is a recursive server making the queries
and that there are not multiple recursive servers behind a NAT.
Neither of these assumptions is true in practice and with the
deployment of CGNs these will become less true.
I have two recursive servers at home behind a NAT today. Both do
DNSSEC.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
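
The false positive described in the reply above, as an added example that is not part of the original message: the quoted "no repeat within the TTL" rule is applied per source address to a constructed query log, once as the resolvers send it and once as an authoritative server sees it through a NAT. The function names `flag_repeats` and `behind_nat`, the addresses, the timings and the TTL are all assumptions made for illustration.

```python
# Added illustration; all data below is constructed.
TTL = 300  # seconds, assumed TTL of the records being queried

# (time_s, source_ip, qname, qtype) as sent by two well-behaved validating
# resolvers. Each one caches, so neither repeats a query within the TTL.
# A validating (DNSSEC) resolver also fetches DNSKEY.
INTERNAL = [
    (0,   "192.168.1.2", "example.com", "A"),
    (1,   "192.168.1.2", "example.com", "DNSKEY"),
    (40,  "192.168.1.3", "example.com", "A"),
    (41,  "192.168.1.3", "example.com", "DNSKEY"),
    (400, "192.168.1.2", "example.com", "A"),   # cache expired, legitimate refresh
]

def flag_repeats(queries, ttl):
    """Naive rule: one (qname, qtype) per source IP per TTL window.

    Returns the queries the rule would refuse to answer.
    """
    last_answered = {}
    dropped = []
    for ts, src, qname, qtype in sorted(queries):
        key = (src, qname.lower(), qtype)
        prev = last_answered.get(key)
        if prev is not None and ts - prev < ttl:
            dropped.append((ts, src, qname, qtype))
        else:
            last_answered[key] = ts
    return dropped

def behind_nat(queries, public_ip):
    """Rewrite every source to the NAT's public address, which is all the
    authoritative server can observe."""
    return [(ts, public_ip, qname, qtype) for ts, _src, qname, qtype in queries]

if __name__ == "__main__":
    print("dropped without NAT:", flag_repeats(INTERNAL, TTL))
    seen = behind_nat(INTERNAL, "203.0.113.10")
    for q in flag_repeats(seen, TTL):
        print("dropped behind NAT:", q)
```

The second resolver's A and DNSKEY queries are refused even though neither resolver broke the rule, which is why a per-address limiter needs headroom for several caches sharing one address.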