[snip] >> > > > I haven't heard anyone talk about requiring that users use their ISP's > DNS server. Just that they should not be able to use any random DNS > server on the internet. This is standard practice in Wireless and other ISPs which operate pay as you go service (hotels, conferences, hotspots of all varieties and aggregators that serve them). The reason is that people ran OpenVPN and other VPN stacks on port udp/53 without logging in and paying. Frankly - nothing but a knee jerk reaction. DNS is one of the services that easiest to transparently proxy. The same result could have been achieved if any traffic to udp/53 was redirected to the local name server (at about the same performance cost as a filter entry). At the same time people would have had the service working even if they had a remote DNS server configured in for administrative reasons. Similarly, as far as ISP servers are concerned it is possible to mitigate the recursion amplification problem completely without denying the service to a limited number of people outside the ISP who want to query the ISP resolvers for debugging and other purposes. All it takes is to throttle traffic from the resovers to outside the ISP network to a reasonably low value. Depending on the ISP this is usually in the low Kbits. All it takes is a moderate amount of competence in the ISP: 1. Resolvers and Authoritative nameservers must be separate and authoritative nameservers must have recursion turned off. Otherwise there is no way to throttle only recursive queries. 2. In a smaller ISP the nameservers themselves can get an aggregate of the ISP routing table and have internal routes tagged accordingly so that the DNS server can throttle them. No rocket science there, the provisions are already available in every single OS in use as a DNS server in ISPs/Telcos. All this requires is a moderate level of competence in the person who has designed the service. 3. Similarly, a larger ISP which has more resources can isolate the servers in something like a modified RFC2270 leaf network receiving default + local instead of default only and do the same on the router in front of them. Once again all this requires is the person who has done the DNS design to possess some moderate level of network competence instead of engaging in massive clusterf^Hing. 4. While implementing both 2 and 3 costs money both of them save resources so on the balance of things they are worth it even without getting into the aspects of mitigating DDOS attacks. They are not that hard to implement either. [snip] -- A. R. Ivanov E-mail: aivanov@xxxxxxxxxx WWW: http://www.sigsegv.cx/ pub 1024D/DDE5E715 2002-03-03 Anton R. Ivanov <ai1-n@xxxxxxxxxx> Fingerprint: C824 CBD7 EE4B D7F8 5331 89D5 FCDA 572E DDE5 E715
