[c-nsp] rate limit dns

Peter Rathlev peter at rathlev.dk
Fri Dec 27 07:00:43 EST 2013


On Fri, 2013-12-27 at 10:04 +0000, Dobbins, Roland wrote:
> On Dec 27, 2013, at 4:50 PM, Gert Doering <gert at greenie.muc.de> wrote:
> > I'd terminate my contract if my ISP would take away the ability to
> > query "foreign" DNS servers (usually done to troubleshoot things),
> > to run traceroutes, to ping stuff, etc.
> 
> Neither you nor I are typical broadband access customers;

Most people on this list might not be typical access customers -- they
might be running their own resolver to get proper DNSSEC -- but that
still doesn't make it okay for an ISP to do things most of their
customers wouldn't notice or things where these customers wouldn't know
the cause (i.e. the ISP) of some possibly noticeable consequences.

Combine this benevolent filtering with an ISP supplied caching resolver
that "helps" you by giving "relevant" results if you made a "spelling
error". Think Phorm et cetera. It's a slippery slope.

> the overwhelming majority of broadband access customers have no need
> to use DNS servers beyond the recursive DNS servers provided by their
> ISPs and/or Google DNS or OpenDNS, and in fact are exposed to danger
> in the form of various malware which changes the recursive DNS
> settings on their computers by unfettered DNS access.  Unrestricted
> recursive DNS access is in fact inimical to the overwhelming majority
> of users.

Though I'm not unsympathetic to your arguments, one could actually use
the same reason to block port 80/tcp; much malware comes in this way.

> Exceptions should always be granted for 'advanced' users who want to
> utilize DNS servers outside their broadband operator's own network,
> and these cases can be accommodated in a scalable manner via
> automation;

I'm afraid many service providers would not see the benefit of
implementing this to cater to what is probably < 1% of their customer
base. And the bean counters might want to charge extra for this
"service", like many providers do with static IP addresses or reverse
DNS records.

I'm with Gert here; we don't need to further inhibit the concept of
end-to-end and any kind of filtering needs to be considered very
closely. Inbound filtering of DNS responses should at most be a
_temporary_ measure to combat a specific DoS attempt.

Just my two cents of course. :-)

-- 
Peter
