[nsd-users] Unsecured zone transfers and open resolvers
Olaf Kolkman
olaf at NLnetLabs.nl
Fri Jul 20 12:14:34 UTC 2012
[This is off-topic for the NSD-users list and should move to the unbound-users list :-) ]
>>
>> The type of monitoring that should always be taking place on open recursive nameservers is monitoring for being used as a DoS amplification vector.
>
> What do you mean by this? What kind of parameters should be monitored? Queries per second from a given IP address is my first guess.
>
Yes, that is a good first-order approximation. A significant number of queries that are likely to amplify is a good hint too (apex ANY +dnssec), but those are of the necessary-but-not-sufficient category. And I actually do not have a comprehensive description of what needs to happen.
Besides saying "Just don't run an open resolver", http://tools.ietf.org/html/draft-ietf-dnsop-reflectors-are-evil-06 doesn't say much about the topic.
Any other reader have hints?
NLnet Labs
Olaf M. Kolkman
www.NLnetLabs.nl
olaf at NLnetLabs.nl
Science Park 400, 1098 XH Amsterdam, The Netherlands
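The two hints discussed above (queries per second from a single source address, and a high share of ANY queries with the DO bit set) can be turned into a simple first-pass detector over a resolver's query log. This is an added example, not code from the thread or from NSD/Unbound; the log format, sample lines, addresses and thresholds are constructed assumptions, and the function names are hypothetical.

```python
"""Per-client amplification heuristics over a recursive resolver query log."""
from collections import defaultdict

# Constructed sample lines (not real resolver output), one query per line:
# "<epoch> <client-ip> <qname> <qtype> <do-bit>"
SAMPLE_LOG = """\
1342785000 198.51.100.7 example.org. ANY 1
1342785000 198.51.100.7 example.org. ANY 1
1342785001 198.51.100.7 isc.org. ANY 1
1342785001 198.51.100.7 isc.org. ANY 1
1342785002 198.51.100.7 example.org. ANY 1
1342785000 192.0.2.10 www.example.com. A 0
1342785003 192.0.2.10 mail.example.com. MX 0
1342785004 203.0.113.5 example.net. TXT 1
"""

def parse_log(text):
    """Yield (epoch, client_ip, qname, qtype, do_bit) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        epoch, ip, qname, qtype, do_bit = parts
        yield int(epoch), ip, qname, qtype.upper(), do_bit == "1"

def per_client_stats(records, window_seconds=1):
    """Return {ip: {"peak_qps", "total", "amp"}} using fixed time windows."""
    counts = defaultdict(int)  # (ip, window index) -> queries seen in that window
    stats = defaultdict(lambda: {"peak_qps": 0.0, "total": 0, "amp": 0})
    for epoch, ip, _qname, qtype, do_bit in records:
        key = (ip, epoch // window_seconds)
        counts[key] += 1
        s = stats[ip]
        s["total"] += 1
        s["peak_qps"] = max(s["peak_qps"], counts[key] / window_seconds)
        # ANY with DO set: a small request that can draw a large DNSSEC-laden answer.
        if qtype == "ANY" and do_bit:
            s["amp"] += 1
    return dict(stats)

def suspicious_clients(text, window_seconds=1, qps_threshold=2.0,
                       amp_fraction=0.5, min_queries=3):
    """Return {ip: [reasons]}; a high amplify share alone is a hint, not proof."""
    flagged = {}
    for ip, s in per_client_stats(parse_log(text), window_seconds).items():
        reasons = []
        if s["peak_qps"] >= qps_threshold:
            reasons.append("rate")
        if s["total"] >= min_queries and s["amp"] / s["total"] >= amp_fraction:
            reasons.append("amplify")
        if reasons:
            flagged[ip] = reasons
    return flagged

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

Thresholds here are deliberately low so the constructed sample trips them; on a production resolver they need tuning against the normal per-client rate, and a flagged address is a starting point for investigation (it is usually the spoofed victim, not the attacker).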