On Jun 11, 2013, at 12:53 PM, Nathan Ward wrote:
Something worth noting that I haven't seen mentioned in this thread so far (I skim read it) - most of these open recursor attacks, that I've seen, are for ANY isc.org - I assume because isc.org have a pretty large zone.
Some, not 'most'.
You might want to as a first step block those queries at your border, if you have the facility to do so.
Not optimal - breaks qmail, for example. Blocking ANY queries for specific domains is sometimes the best thing to do tactically during an attack, but it shouldn't be enacted as a policy. And it's important to block undesirable traffic before it reaches the servers.
Instead, installing RRL, utilizing other DNS defensive mechanisms, makes more sense.
Also, here's an example of the sort of logical functional separation which should feature in DNS architectures:
https://www.box.com/s/72bccbac1636714eb611
-----------------------------------------------------------------------
Roland Dobbins
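The reply above argues that ANY-for-isc.org is only some of the reflection traffic, not most of it, and that tactical blocking should be driven by what is actually hitting the servers. The following script is an added example, not part of the thread and not anything the posters wrote: it parses BIND 9-style query-log lines (constructed sample data, labelled as such in the code) and reports (a) what share of ANY queries each qname accounts for, which is the measurement behind "some, not most", and (b) which sources are sending bursts of ANY queries, which is the evidence an operator would want before deciding between a temporary border block and a standing RRL configuration. The log format, the threshold value and the sample addresses are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the BIND 9 query-log format
# ("client <ip>#<port> (<qname>): query: <qname> IN <qtype> <flags> (<local ip>)").
# These are made-up addresses from documentation ranges, not data from the thread.
SAMPLE_LOG = """\
11-Jun-2013 12:53:01.001 client 198.51.100.7#53 (isc.org): query: isc.org IN ANY +E (192.0.2.1)
11-Jun-2013 12:53:01.002 client 198.51.100.7#53 (isc.org): query: isc.org IN ANY +E (192.0.2.1)
11-Jun-2013 12:53:01.003 client 198.51.100.7#53 (isc.org): query: isc.org IN ANY +E (192.0.2.1)
11-Jun-2013 12:53:01.004 client 203.0.113.9#40211 (example.com): query: example.com IN A + (192.0.2.1)
11-Jun-2013 12:53:01.005 client 203.0.113.9#40212 (example.net): query: example.net IN ANY + (192.0.2.1)
11-Jun-2013 12:53:01.006 client 198.51.100.7#53 (ripe.net): query: ripe.net IN ANY +E (192.0.2.1)
11-Jun-2013 12:53:01.007 client 203.0.113.9#40213 (mail.example.com): query: mail.example.com IN MX + (192.0.2.1)
"""

# Assumed log layout; adjust the pattern if your logging channel differs.
LINE_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+) \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse(log_text):
    """Yield one dict per parseable query-log line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            yield rec


def any_share_by_qname(log_text):
    """Fraction of all ANY queries that each qname accounts for.

    This is the number to look at before assuming one zone dominates the traffic.
    """
    counts = Counter(r["qname"] for r in parse(log_text) if r["qtype"] == "ANY")
    total = sum(counts.values())
    return {q: n / total for q, n in counts.items()} if total else {}


def flag_sources(log_text, threshold=3):
    """Sources that sent at least `threshold` ANY queries in the log window.

    Returns {source_ip: any_query_count}. The threshold is an assumed tuning value;
    in practice it is chosen per window length and per server capacity.
    """
    per_src = Counter(r["src"] for r in parse(log_text) if r["qtype"] == "ANY")
    return {src: n for src, n in per_src.items() if n >= threshold}


def low_port_any_sources(log_text):
    """ANY-query sources whose UDP source port is 53.

    Resolvers normally use ephemeral source ports, so ANY queries arriving from
    port 53 are worth a closer look when triaging reflection traffic.
    """
    hits = defaultdict(int)
    for r in parse(log_text):
        if r["qtype"] == "ANY" and r["port"] == 53:
            hits[r["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for qname, share in sorted(any_share_by_qname(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{qname:20s} {share:5.0%} of ANY queries")
    print("sources over threshold:", flag_sources(SAMPLE_LOG))
    print("ANY queries from source port 53:", low_port_any_sources(SAMPLE_LOG))
```

On the constructed sample, isc.org is 60% of ANY queries rather than all of them, and one source stands out both by volume and by source port; that is the kind of breakdown that justifies a narrow, temporary block for that source while RRL handles the general case.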