On Nov 2, 2012, at 4:05 AM, Juha Saarinen wrote:
> Are the local open resolvers seen as a problem?
A combination of three things enables DNS reflection/amplification attacks:
1. Lack of anti-spoofing deployed at the customer aggregation edge (shameful in 2012).
2. Open DNS recursors (also shameful in 2012).
3. EDNS0 (necessary).
Before going on a chase for open recursors, it would be a wise investment of time and effort to ensure that one has implemented BCP84 anti-spoofing at one's customer aggregation edge. Without the ability to emit spoofed packets, the open recursors can't be abused in this way.
Also note that DNS reflection/amplification attacks can be initiated without utilizing open recursors, simply by sending spoofed packets directly to authoritative servers. So, deploying anti-spoofing should be the priority.
-----------------------------------------------------------------------
Roland Dobbins
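The three ingredients Roland lists can be made concrete with a small packet-level example. The code below is added here and is not part of the original thread or anyone's posted tool: it builds a DNS ANY query with and without an EDNS0 OPT record, constructs (in-process, nothing is sent) the kind of reply a recursor or authoritative server would return, reads the RA flag that an open-recursor scan keys on, and computes how many bytes a forged query actually extracts per byte sent. The answer set, the name example.com and the record sizes are constructed for illustration, not captured from any real zone.

```python
"""Added example (not from the thread above): build DNS queries with and
without EDNS0, parse constructed replies, and compute the amplification an
open recursor or authoritative server hands a spoofing attacker.
All packets here are constructed in-process; nothing is sent on the wire."""
import struct

QTYPE_A, QTYPE_TXT, QTYPE_OPT, QTYPE_ANY = 1, 16, 41, 255
CLASSIC_UDP_LIMIT = 512  # RFC 1035 UDP payload ceiling when no OPT record is present


def encode_name(name: str) -> bytes:
    """Dotted name to uncompressed wire format: length-prefixed labels, root terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past the name starting at off (handles compression pointers)."""
    while True:
        n = pkt[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # 2-byte compression pointer
            return off + 2
        off += n + 1


def opt_rr(udp_size: int) -> bytes:
    """EDNS0 OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS carries the UDP payload size."""
    return b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_size, 0, 0)


def build_query(qname: str, qtype: int = QTYPE_ANY, txid: int = 0x1234,
                edns0_udp_size: int = 4096) -> bytes:
    """Recursive query (RD set). edns0_udp_size=0 builds a pre-EDNS0 query with no OPT record."""
    arcount = 1 if edns0_udp_size else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    pkt += encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    return pkt + (opt_rr(edns0_udp_size) if edns0_udp_size else b"")


def build_response(query: bytes, rrs, ra: bool = True, udp_size: int = 4096) -> bytes:
    """Constructed reply: echoes the question, appends rrs as (name, type, ttl, rdata) answers,
    and echoes an OPT record only if the query carried one (servers do not add EDNS0 unasked)."""
    txid, _, _, _, _, q_arcount = struct.unpack("!HHHHHH", query[:12])
    question = query[12:_skip_name(query, 12) + 4]
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0)  # QR, RD copied, RA if recursion is offered
    pkt = struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, q_arcount) + question
    for name, rtype, ttl, rdata in rrs:
        pkt += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return pkt + (opt_rr(udp_size) if q_arcount else b"")


def parse_flags(pkt: bytes) -> dict:
    """Header flag bits a scanner looks at: RA set on a reply to an outside query = open recursor."""
    flags = struct.unpack("!H", pkt[2:4])[0]
    return {"qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080), "rcode": flags & 0xF}


def advertised_udp_payload(query: bytes) -> int:
    """UDP payload the querier says it accepts: OPT CLASS if present, else the 512-byte classic limit."""
    arcount = struct.unpack("!H", query[10:12])[0]
    off = _skip_name(query, 12) + 4
    if arcount and query[off] == 0 and struct.unpack("!H", query[off + 1:off + 3])[0] == QTYPE_OPT:
        return struct.unpack("!H", query[off + 3:off + 5])[0]
    return CLASSIC_UDP_LIMIT


def amplification_factor(query: bytes, response: bytes) -> float:
    """Raw bytes-out / bytes-in ratio if the reflector could send the whole reply in one datagram."""
    return len(response) / len(query)


def effective_amplification(query: bytes, response: bytes) -> float:
    """What the spoofed victim actually receives per query byte over UDP: the server must stay
    within the payload size the (forged) query advertised, so without EDNS0 the reply is capped
    at 512 bytes (and marked TC). This is why EDNS0 is the third, 'necessary' ingredient."""
    return min(len(response), advertised_udp_payload(query)) / len(query)


# Constructed answer set: eight A records plus a 1 KiB TXT record, roughly what an ANY
# query against a record-heavy zone returns. Not captured from any real zone.
SAMPLE_RRS = [("example.com", QTYPE_A, 300, bytes([192, 0, 2, i])) for i in range(1, 9)]
SAMPLE_RRS.append(("example.com", QTYPE_TXT, 300,
                   b"".join(b"\xff" + b"x" * 255 for _ in range(4))))

if __name__ == "__main__":
    for size in (4096, 0):
        q = build_query("example.com", QTYPE_ANY, edns0_udp_size=size)
        r = build_response(q, SAMPLE_RRS)
        print(f"EDNS0 size {size or 'none':>5}: query {len(q):3d} B, reply {len(r):4d} B, "
              f"raw x{amplification_factor(q, r):.1f}, "
              f"deliverable over UDP x{effective_amplification(q, r):.1f}, "
              f"RA={parse_flags(r)['ra']}")
```

Running it shows the 40-byte EDNS0 query pulling a 1303-byte reply (about 32x), while the same question without an OPT record can only be answered with a 512-byte truncated datagram (about 17x), and a 4096-byte advertised payload lets a larger zone push that past 100x. A real open-recursor sweep would send build_query() to each candidate from outside the operator's network and flag replies where parse_flags() reports RA set; none of that matters to the victim if the querying network cannot forge the source address in the first place, which is the BCP38/BCP84 point above.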