> -----Original Message----- > From: Geo. [mailto:geoincidents@xxxxxxx] > Sent: April 2, 2006 10:31 > To: bugtraq@xxxxxxxxxxxxxxxxx > Subject: Re: recursive DNS servers DDoS as a growing DDoS problem > > > 1. Resolvers and Authoritative nameservers must be separate and > > authoritative nameservers must have recursion turned off. Otherwise > > there is no way to throttle only recursive queries. > > Great, for small ISP's you just doubled the number of > machines they need to > dedicate to DNS. They can run both recursive and authoritative DNS on the same server using different IP address. > > 2. In a smaller ISP the nameservers themselves can get an > aggregate of > > the ISP routing table and have internal routes tagged accordingly so > > that the DNS server can throttle them. No rocket science there, the > > provisions are already available in every single OS in use as a DNS > > server in ISPs/Telcos. All this requires is a moderate level of > > competence in the person who has designed the service. > > Really? Ok educate me, how do you do this with Windows 2000 > running MS dns? > (telling people to use another server is not acceptable) > > Geo. > If Microsoft's products are broken, why souldn't I tell people to use something else? Thomas
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
