Anurag Bhatia m...@anuragbhatia.com wrote:
Now I see presence of some (legitimate) DNS forwarders and hence I don't
wish to limit queries.
You are going to have to change your mind about this one. Open recursive
resolvers are a really bad idea, unless you can afford a lot of time and
http://www.team-cymru.org/Services/Resolvers/
The Internet will be a better place with less open resolvers around.
--SiNA
On Dec 12, 2013 5:32 AM, Tony Finch d...@dotat.at wrote:
Anurag Bhatia m...@anuragbhatia.com wrote:
Now I see presence of some (legitimate) DNS forwarders and hence I
Also:
http://openresolverproject.org/
Also, open resolvers are harmful to the Internet, so it would not surprise
me to see organizations to begin blocking any communication with them by
published lists open recursive resolvers.
- ferg.
On
The internet will be better without ISP refusing to apply BCP38.
end of comment
This is a pointless argument since the majority of the industry
prefer going after the flavor of the month UDP flood instead of
curbing the problem at its source once and for all.
-
Alain Hebert
On Dec 12, 2013, at 3:27 PM, Alain Hebert aheb...@pubnix.net wrote:
The internet will be better without ISP refusing to apply BCP38.
end of comment
This is a pointless argument since the majority of the industry
prefer going after the flavor of the month UDP flood instead of
Hello everyone
I noticed some issues on one of the DNS servers I am managing. It was getting
queries for a couple of attacking domains and the server was replying in TCP with
3700 bytes releasing very heavy packets. Now I see presence of some
(legitimate) DNS forwarders and hence I don't wish to limit
On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
I am sure I am not the first person experiencing this issue. Curious to hear
how you are managing it. Also, under what circumstances can I get a
legitimate TCP query on port 53 whose reply exceeds a basic limit of less
than 1000 bytes?
I'm not a DNS
Hi ML
Yeah I can understand. Even DNSSEC will have issues with it which makes me
worry about rule even today.
On Wed, Dec 11, 2013 at 11:49 PM, ML m...@kenweb.org wrote:
On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
I am sure I am not the first person experiencing this issue. Curious to hear
I think it is a better idea to rate-limit your responses rather than
limiting the size of them.
AFAIK, bind has a way to do it.
.as
On Wed, Dec 11, 2013 at 4:25 PM, Anurag Bhatia m...@anuragbhatia.com wrote:
Hi ML
Yeah I can understand. Even DNSSEC will have issues with it which makes me
You don't mention what software you're using. If you're using BIND, ask
this question on bind-us...@isc.org. There is indeed a solution.
Doug
On 12/11/2013 10:06 AM, Anurag Bhatia wrote:
Hello everyone
I noticed some issues on one of the DNS servers I am managing.
Hi Doug
I am using PowerDNS recursor.
On Thu, Dec 12, 2013 at 12:51 AM, Doug Barton do...@dougbarton.us wrote:
You don't mention what software you're using. If you're using BIND, ask
this question on bind-us...@isc.org. There is indeed a solution.
Doug
On 12/11/2013 10:06 AM, Anurag
If you are using BIND, take a look at:
https://kb.isc.org/article/AA-01000
cv
On Wed, Dec 11, 2013 at 1:06 PM, Anurag Bhatia m...@anuragbhatia.com wrote:
Hello everyone
I noticed some issues on one of the DNS servers I am managing. It was getting
queries for a couple of attacking domains and
dns-operations list is likely best suited for this question, but...
If using BIND 9.9.4 you can set the system to use TCP for repeated queries to
prevent spoofed ones from being replied to (ie: use yourself as an amplifier).
There's lists of domains published that are used in abuse, eg:
https://kb.isc.org/article/AA-01000
On Wed, Dec 11, 2013 at 2:17 PM, Arturo Servin arturo.ser...@gmail.com wrote:
I think it is a better idea to rate-limit your responses rather than
limiting the size of them.
AFAIK, bind has a way to do it.
.as
On Wed, Dec 11, 2013 at 4:25 PM, Anurag Bhatia