Stephane Bortzmeyer <[email protected]> writes:

> On Tue, Jun 12, 2012 at 08:15:00PM +0000,
> Paul Vixie <[email protected]> wrote
> a message of 21 lines which said:
>
>> [recursive servers are] a separate problem, and most of the time the
>> fix is to add an ACL to deny off-net or off-campus query traffic.
>
> If you don't do ingress filtering, it still allows people to attack
> your users (they can send from the outside a "ANY ripe.net" query
> claiming to be from a local machine).

The same is true if you have open resolvers / forwarders in your networks (problem CPEs for example) and they accept spoofed queries from the outside. What is the proposed mitigation for the ISP caching resolver in these cases?

Regards,
Kostas
