> > BCP38 is implimented at the gateway but not at every router) then how
> > exactly is locking down recursive servers so you can only use yours
going
> > to
> > solve anything?
>
> uh... caching maybe?... the second field of your answer section when using
> dig..

The flood is a flood of answers not queries, you spoof the source address of
a query with the address of your target, the target gets the response from
the dns server. A cache on the dns server just makes it a more efficient
response.

> no, its not, and it doesnt require that all internet sofware be rewritten,
> it means that they either need to be
> recompiled, or just have the dynamicly linked library they use for dns
> resolution to be replaced..

Ok fine, it would just mean that everyone on the planet would need to
replace all their internet enabled software with new versions. That'll
happen overnight.. I think it's still an unrealistic goal.

> i think its pretty obvious that locking down dns servers at least brings
the
> DNS attacks down to the same problem weve always had..
> that being good old fashioned udp packeting. and at that point.. why
bother
> using dns..

I have not seen a perfect solution yet, at best the solutions I've seen
mentioned eliminate this one flood vector. I would suggest that when
considering which one to choose we look at what we lose with each choice.
Eliminate spoofing and you lose virtually nothing, eliminate open recursive
servers and you have just created a really powerful control mechanism for
entities to control large sections of the internet since folks from those
sections won't be able to use anyone else's DNS servers or even run their
own (much like port 25 blocking limits who can run a mail server today). He
who controls dns controls the network.

Geo.

[ reply ]