[c-nsp] rate limit dns

Dobbins, Roland rdobbins at arbor.net
Fri Dec 27 08:17:14 EST 2013


On Dec 27, 2013, at 7:00 PM, Peter Rathlev <peter at rathlev.dk> wrote:

> Most people on this list might not be typical access customers -- they might be running their own resolver to get proper DNSSEC -- but that
> still doesn't make it okay for an ISP to do things most of their customers wouldn't notice

Of course it does, when those things don't inhibit the ability of customers to do the things they want to do.

ISPs should run their own DNSSEC-capable recursive resolvers, anyways.

The only folks who need a more open policy are those who're capable of figuring out what default policies are in place and of requesting to opt out.

> Think Phorm et cetera. It's a slippery slope.

No.  This is not a valid analogy, nor is it a slippery slope from implementing reasonable access policies to actively tampering with DNS responses.

> Though I'm not unsympathetic to your arguments, one could actually use the same reason to block port 80/tcp; much malware comes in this way.

Straw man, hyperbole, not a valid analogy.

> I'm with Gert here; we don't need to further inhibit the concept of end-to-end and any kind of filtering needs to be considered very
> closely.


Making the default limiting recursive DNS to locally-operated recursors plus OpenDNS and Google DNS, plus the option to opt out for 'advanced users' *is* 'considered very closely'.

> Inbound filtering of DNS responses should at most be a _temporary_ measure to combat a specific DoS attempt.

For consumer broadband access networks, this is a harmful and counterproductive stance.  People's credit is being ruined, and their ability to access Internet resources is being impeded.  A default policy limiting recursive DNS service to local recursors plus Google DNS and OpenDNS, with the option for 'advanced' users to opt out is perfectly reasonable, does not break the Internet, and is no more of a 'slippery slope' than is anti-spoofing.

Note that these reasonable, well-thought-out, default policies (with opt-out provisions) are mooted for endpoint networks like consumer broadband access networks, *not* for transit networks.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
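As an added example (not from the post or from anyone on the list), the default policy Roland describes can be written as a stateless Cisco IOS access list on the customer-facing side of a broadband aggregation router: DNS on UDP/TCP 53 is permitted only to the ISP's own recursors, Google DNS and OpenDNS, everything else on port 53 is dropped and logged, and all other traffic passes untouched. The 192.0.2.x recursor addresses, the interface name and the description are placeholders; the Google DNS (8.8.8.8, 8.8.4.4) and OpenDNS (208.67.222.222, 208.67.220.220) addresses are their published resolver addresses.

```cisco
! Added example: default customer DNS policy (not configuration from the post)
! Placeholder addresses: replace 192.0.2.53 / 192.0.2.54 with the ISP's own recursors
object-group network DNS-ALLOWED-RECURSORS
 host 192.0.2.53
 host 192.0.2.54
 host 8.8.8.8
 host 8.8.4.4
 host 208.67.222.222
 host 208.67.220.220
!
ip access-list extended CUSTOMER-DNS-DEFAULT
 remark Queries from customers may only go to the listed recursors
 permit udp any object-group DNS-ALLOWED-RECURSORS eq domain
 permit tcp any object-group DNS-ALLOWED-RECURSORS eq domain
 remark Everything else on port 53 is dropped; log it so opt-out requests can be verified
 deny   udp any any eq domain log
 deny   tcp any any eq domain log
 remark All non-DNS traffic is untouched
 permit ip any any
!
interface GigabitEthernet0/1
 description placeholder: customer aggregation, default policy applies
 ip access-group CUSTOMER-DNS-DEFAULT in
!
interface GigabitEthernet0/2
 description placeholder: customers who have opted out; no DNS ACL applied
```

Because the ACL is applied inbound on the customer-facing interface, it only constrains where customer queries may be sent; responses from the permitted recursors return normally and no DNS answer is altered, which is the distinction Roland draws between an access policy and tampering with responses. Opt-out is handled by placing the customer on an interface (or VLAN) without the ACL rather than by editing the list per customer. The `log` keyword on the deny lines gives the NOC a record of what the default policy is dropping; on busy routers, rate-limit ACL logging or send it to a separate syslog facility so it does not load the control plane.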
