[c-nsp] rate limit dns

Dobbins, Roland rdobbins at arbor.net
Fri Dec 27 05:04:35 EST 2013


On Dec 27, 2013, at 4:50 PM, Gert Doering <gert at greenie.muc.de> wrote:

> I'd terminate my contract if my ISP would take away the ability to query "foreign" DNS servers (usually done to troubleshoot things), to run 
> traceroutes, to ping stuff, etc.

Neither you nor I are typical broadband access customers; the overwhelming majority of broadband access customers have no need to use DNS servers beyond the recursive DNS servers provided by their ISPs and/or Google DNS or OpenDNS, and in fact are exposed to danger in the form of various malware which changes the recursive DNS settings on their computers by unfettered DNS access.  Unrestricted recursive DNS access is in fact inimical to the overwhelming majority of users.

Exceptions should always be granted for 'advanced' users who want to utilize DNS servers outside their broadband operator's own network, and these cases can be accommodated in a scalable manner via automation; but the overall security posture of the Internet as a whole and of any given ISP's broadband users specifically would be greatly increased if the default policy were to limit recursive DNS service to the DNS recursors provided by the broadband operator and a few reputable services like Google and OpenDNS.

Another side-effect would be to somewhat ameliorate the effect of DNS reflection/amplification attacks.  Broadband operators would still need to work with their transits/peers to 'push back' the attack traffic, but this would still be better than trying to use ill-suited QoS mechanisms to deal with it.

The bit about traceroutes and pings is a red herring, of course.  I'm not suggesting that they ought to be restricted, apart from aggregate policing of the relevant 'inbound' traffic in order to minimize the effects of abuse.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
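An added illustration, not from the original post or either author, of the default policy Dobbins describes above (recursive DNS limited to the operator's own recursors plus a few reputable public ones, an automated opt-out for advanced users, and aggregate policing of inbound ICMP rather than blocking it), in Cisco IOS syntax. The customer prefix 203.0.113.0/24, the operator recursors 192.0.2.53 and 192.0.2.54, the opted-out host and the interface names are placeholders; the Google Public DNS and OpenDNS addresses are their published ones.

```cisco
! Added example, not from the original post. Placeholder addresses:
! 203.0.113.0/24 = broadband customer pool, 192.0.2.53/.54 = operator recursors.
!
! Resolvers every customer may reach by default
object-group network ALLOWED-RESOLVERS
 host 192.0.2.53
 host 192.0.2.54
 host 8.8.8.8
 host 8.8.4.4
 host 208.67.222.222
 host 208.67.220.220
!
! 'Advanced user' exception: provisioning automation adds/removes entries here
object-group network DNS-OPT-OUT
 host 203.0.113.77
!
ip access-list extended CUST-DNS-POLICY
 remark Opted-out customers may query any resolver
 permit udp object-group DNS-OPT-OUT any eq domain
 permit tcp object-group DNS-OPT-OUT any eq domain
 remark Everyone else: only the approved recursors
 permit udp 203.0.113.0 0.0.0.255 object-group ALLOWED-RESOLVERS eq domain
 permit tcp 203.0.113.0 0.0.0.255 object-group ALLOWED-RESOLVERS eq domain
 remark Other port 53 traffic (e.g. malware-changed resolver settings) is dropped;
 remark hit counters on these two lines show how much the policy is catching
 deny   udp 203.0.113.0 0.0.0.255 any eq domain
 deny   tcp 203.0.113.0 0.0.0.255 any eq domain
 remark Ping, traceroute and everything else pass untouched
 permit ip any any
!
interface GigabitEthernet0/1
 description Customer-facing aggregation
 ip access-group CUST-DNS-POLICY in
!
! Aggregate policing of ICMP toward the customer pool: abuse is capped,
! legitimate ping/traceroute still works
ip access-list extended ICMP-TO-CUSTOMERS
 permit icmp any 203.0.113.0 0.0.0.255
class-map match-any ICMP-TO-CUSTOMERS
 match access-group name ICMP-TO-CUSTOMERS
policy-map POLICE-INBOUND-ABUSE
 class ICMP-TO-CUSTOMERS
  police 1000000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/0
 description Upstream transit
 service-policy input POLICE-INBOUND-ABUSE
```

The ACL is stateless and only governs customer-originated queries, so it does not by itself stop spoofed reflection traffic arriving from outside; as the post says, that still has to be pushed back with transits and peers.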
