On Sun, Mar 31, 2013 at 02:30:50AM -0700, Xun Fan <[email protected]> wrote a message of 90 lines which said:
> Instead of closing the open resolvers, can we just force queries
> from external networks to use TCP?

A very good idea, IMHO.

> Say reply to queries from external networks with a short truncated
> UDP to signal querier to turn to TCP?

Even better, allow only TCP from the beginning. This would completely
suppress the amplification (that you still have with the truncated
response). As far as I know, no existing resolving software implements
that, so the only way to deploy this approach would be by instructing
the firewall to block incoming UDP/53.

> Rate limiting is coming but many people think it's better for
> authoritative name servers.

Also, almost all the ORN are unmanaged machines, which will not deploy
new mitigations, whether TCP or rate-limiting.

> And as an internet measurement researcher, I also find the value of
> open resolvers in some research projects that OR greatly extend our
> view to the Internet.

Another solution for this use is the DNS looking glass
<http://www.bortzmeyer.org/dns-lg.html>.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
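The "short truncated UDP reply" discussed above, as an added worked example that is not part of the thread and not code from any resolver: it builds a constructed query for example.com (no real packet was captured), answers it with an empty response that has the TC bit set, and compares the two sizes. The function names `build_query`, `truncated_reply` and `amplification_factor` are assumptions made for this example. Because the reply carries only the header and the copied question section and drops the client's EDNS OPT record, it is never larger than the query; the reflection is not amplified in bytes, but every spoofed query still produces one packet to the forged source address, which is the residual cost the message refers to.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1).
QR = 0x8000   # response
TC = 0x0200   # truncated: client should retry over TCP
RD = 0x0100   # recursion desired (copied from the query)
RA = 0x0080   # recursion available
OPCODE_MASK = 0x7800


def build_query(qname: str, qtype: int = 1, qid: int = 0x1234, edns: bool = False) -> bytes:
    """Constructed sample input: a recursive query with one question and no answers.

    With edns=True an empty OPT pseudo-record (type 41, UDP payload size 4096)
    is appended in the additional section, as real stub resolvers send.
    """
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, arcount)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    opt = struct.pack("!BHHIH", 0, 41, 4096, 0, 0) if edns else b""
    return header + question + opt


def _question_length(msg: bytes, qdcount: int) -> int:
    """Byte length of the question section that starts at offset 12."""
    off = 12
    for _ in range(qdcount):
        while True:
            if off >= len(msg):
                raise ValueError("truncated question section")
            label_len = msg[off]
            if label_len == 0:
                off += 1
                break
            if label_len & 0xC0:
                off += 2          # compression pointer ends the name
                break
            off += 1 + label_len
        off += 4                  # QTYPE + QCLASS
    if off > len(msg):
        raise ValueError("truncated question section")
    return off - 12


def truncated_reply(query: bytes) -> bytes:
    """Answer a UDP query with an empty TC=1 response so the client retries over TCP.

    The reply keeps the query ID, opcode and RD bit, echoes the question section
    unchanged, and carries no answer, authority or additional records (the OPT
    record is deliberately dropped, so the reply cannot exceed the query size).
    """
    if len(query) < 12:
        raise ValueError("short DNS header")
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    if flags & QR:
        raise ValueError("not a query (QR bit set)")
    resp_flags = QR | TC | RA | (flags & OPCODE_MASK) | (flags & RD)
    qlen = _question_length(query, qdcount)
    header = struct.pack("!HHHHHH", qid, resp_flags, qdcount, 0, 0, 0)
    return header + query[12:12 + qlen]


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes sent to the (possibly spoofed) source per byte received."""
    return len(response) / len(query)


if __name__ == "__main__":
    for edns in (False, True):
        q = build_query("example.com", edns=edns)
        r = truncated_reply(q)
        print(f"edns={edns}: query {len(q)} bytes, TC reply {len(r)} bytes, "
              f"factor {amplification_factor(q, r):.2f}")
```

For comparison, a normal referral or an ANY response to the same spoofed query can be many times the query size; that difference, not the TC reply itself, is what makes an open resolver usable as an amplifier.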
