As for our recursive nameservers, we've got about 3 different sets of IP addresses, for various legacy reasons. All of these are being hit with a large number of queries (that are, as far as we can tell, legitimate) from people outside our network who are using our resolvers for what looks like a number of different reasons. Some of the resolvers have been on these addresses for over 10 years, so it's not surprising.

There's going to be quite a challenge to lock those open resolvers down, and we're debating how to do it at the moment - the industry comms process will be interesting, I'm sure, and I'm sure many people on this list will have a busy day fixing up old boxes that can't when our messages have been ignored :-)

Would be interested in any experience people have with something similar.


In the past I've split off legacy IPs on resolvers to a different server and installed a completely open Bind resolver on it. Log IPs and contact people who are under your control (on your network I guess).

Then hack bind to return one IP address as an answer to any standard query. We just did A and MX. That IP points to a server under your control. Install Apache, postfix, courier-pop3d, etc on there and serve various types of bogus data telling people what to do.

It worked well for me. YMMV. I suppose in your case you might need to somehow redirect DNS requests that originate off-net to this other nameserver at your borders or configure this DNS server to handle off-net requests a bit differently. From memory bind will support that.

Also, I can't recall if it's been mentioned here before but we used a pretty simple approach to split recursive from authoritative nameservers without breaking any customer DNS. It worked well for us. If anyone wants details feel free to ask. It truly didn't seem that hard.

Dave
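One way to express Dave's approach in a BIND 9 named.conf, as an added example that is not from the thread (the customer ranges, the legacy resolver addresses and the landing-host address 192.0.2.1 are placeholders): on-net clients keep normal recursion, off-net clients hitting the legacy addresses get one fixed answer for every A and MX query, and all queries are logged so the source addresses can be followed up.

```conf
acl "onnet"      { 10.0.0.0/8; 2001:db8::/32; };   // placeholder: our own customer ranges
acl "legacy_ips" { 192.0.2.53; 192.0.2.54; };      // placeholder: old resolver addresses

// Log every query with its source IP so off-net users can be contacted.
logging {
    channel querylog {
        file "/var/log/named/queries.log" versions 5 size 50m;
        print-time yes;
    };
    category queries { querylog; };
};

// First matching view wins: clients on our network still get a real recursive service.
view "customers" {
    match-clients { onnet; };
    recursion yes;
    allow-recursion { onnet; };
};

// Anyone else reaching the legacy addresses gets the sinkhole answer for every name,
// pointing at a landing host that explains what to do. No recursion is performed.
// Off-net queries to addresses outside "legacy_ips" match no view and are REFUSED.
view "legacy-sinkhole" {
    match-clients { any; };
    match-destinations { legacy_ips; };
    recursion no;
    zone "." {
        type master;
        file "/etc/bind/sinkhole.zone";
    };
};

// Contents of /etc/bind/sinkhole.zone (the wildcard covers every name; A and MX only):
//   $TTL 300
//   @         IN SOA  landing. hostmaster.landing. ( 1 3600 900 604800 300 )
//   @         IN NS   landing.
//   landing.  IN A    192.0.2.1
//   *         IN A    192.0.2.1
//   *         IN MX   10 landing.
```

The landing host at 192.0.2.1 is where the web, SMTP and POP services that serve the "please stop using this resolver" message would live; run named-checkconf and named-checkzone against the files before deploying.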