BugTraq
RE: recursive DNS servers DDoS as a growing DDoS problem Apr 04 2006 02:40PM
Thomas Guyot-Sionnest (Thomas zango com)
> -----Original Message-----
> From: Geo. [mailto:geoincidents (at) nls (dot) net]
> Sent: April 2, 2006 10:31
> To: bugtraq (at) securityfocus (dot) com
> Subject: Re: recursive DNS servers DDoS as a growing DDoS problem
>
> > 1. Resolvers and Authoritative nameservers must be separate and
> > authoritative nameservers must have recursion turned off. Otherwise
> > there is no way to throttle only recursive queries.
>
> Great, for small ISPs you just doubled the number of machines they
> need to dedicate to DNS.

They can run both recursive and authoritative DNS on the same server using
different IP addresses.

> > 2. In a smaller ISP the nameservers themselves can get an aggregate of
> > the ISP routing table and have internal routes tagged accordingly so
> > that the DNS server can throttle them. No rocket science there, the
> > provisions are already available in every single OS in use as a DNS
> > server in ISPs/Telcos. All this requires is a moderate level of
> > competence in the person who has designed the service.
>
> Really? Ok educate me, how do you do this with Windows 2000 running
> MS dns? (telling people to use another server is not acceptable)
>
> Geo.
>

If Microsoft's products are broken, why shouldn't I tell people to use
something else?

Thomas
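
An added example, not part of the original message: a check that a server split across two IP addresses, as suggested above, behaves as intended when queried from outside, with the authoritative address declining recursion and the resolver address not answering arbitrary outside clients. The addresses 192.0.2.53 and 192.0.2.54, the function names and the sample replies are constructed assumptions.

```python
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # DNS header flag bits
REFUSED = 5                                       # RCODE 5

def build_query(name, qid=0x1234):
    """DNS A/IN query with RD=1, i.e. asking the server to recurse."""
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def parse_header(msg):
    """Decode the 12-byte DNS header fields the check needs."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "flags": flags, "rcode": flags & 0x000F, "ancount": an}

def classify(query, response):
    """How did the server treat an RD=1 query for a name it does not host?"""
    q, r = parse_header(query), parse_header(response)
    if not r["flags"] & QR or r["id"] != q["id"]:
        return "invalid"              # not a reply to this query
    if r["rcode"] == REFUSED:
        return "refused"              # recursion denied outright
    if not r["flags"] & RA:
        return "no-recursion"         # referral or empty answer, RA clear
    if r["rcode"] == 0 and r["ancount"] > 0:
        return "open-recursion"       # resolved a foreign name for this client
    return "recursion-offered"        # RA set but no answer (e.g. SERVFAIL)

def probe(ip, name="example.org", timeout=3.0):
    """Live check against ip:53 over UDP (needs network; not used by the samples)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((ip, 53))
        s.send(query)
        return classify(query, s.recv(4096))

def sample_reply(flags, ancount=0, qid=0x1234):
    """Constructed header-only reply, so the example runs offline."""
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)

# Constructed replies as seen from a host outside the ISP's network.
SAMPLES = {
    "192.0.2.53 authoritative": sample_reply(QR | RD | REFUSED),
    "192.0.2.54 resolver": sample_reply(QR | RD | RA, ancount=1),
}

def audit(samples=SAMPLES):
    """Classify every sample reply against the same RD=1 query."""
    query = build_query("example.org")
    return {addr: classify(query, resp) for addr, resp in samples.items()}
```

In the constructed samples the authoritative address refuses recursion while the resolver address answers an outside client, which is the condition the thread is concerned with.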