> -----Original Message-----
> From: Geo. [mailto:[EMAIL PROTECTED] 
> Sent: April 2, 2006 10:31
> To: bugtraq@securityfocus.com
> Subject: Re: recursive DNS servers DDoS as a growing DDoS problem
> 
> > 1. Resolvers and Authoritative nameservers must be separate and
> > authoritative nameservers must have recursion turned off. Otherwise
> > there is no way to throttle only recursive queries.
> 
> Great, for small ISP's you just doubled the number of 
> machines they need to
> dedicate to DNS.

They can run both recursive and authoritative DNS on the same server using
different IP address.

> > 2. In a smaller ISP the nameservers themselves can get an 
> aggregate of
> > the ISP routing table and have internal routes tagged accordingly so
> > that the DNS server can throttle them. No rocket science there, the
> > provisions are already available in every single OS in use as a DNS
> > server in ISPs/Telcos. All this requires is a moderate level of
> > competence in the person who has designed the service.
> 
> Really? Ok educate me, how do you do this with Windows 2000 
> running MS dns?
> (telling people to use another server is not acceptable)
> 
> Geo.
> 

If Microsoft's products are broken, why souldn't I tell people to use
something else?

Thomas

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to