[nsp-sec] 700K *abused* resolver list? - mitigation notes
Mike Lewinski
mike at rockynet.com
Wed Apr 15 18:29:34 EDT 2009
I worked with a customer to test his fix for Microsoft DNS. Disabling
recursion alone is sufficient to also stop root server record leakage,
and that's fine for people running auth-only servers. However, it seems
that there is no way to restrict recursion by subnet in Windows DNS,
which means that port 53 has to be externally blocked if recursion is
needed.

This also means there is no safe hybrid caching/auth configuration for
MS-DNS users. Fortunately I think that configuration is somewhat rare,
though I have encountered at least one.

Another customer running a hybrid bind9 auth/recursive server reports
that "additional-from-cache no;" hasn't broken anything yet. I'm taking
his report with a grain of salt because I don't think he has that many
resolver clients.
Mike
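For the BIND 9 hybrid auth/recursive case discussed above, an added named.conf example (not from the original post or the customer's config) showing the open-resolver settings next to a hardened version that restricts recursion by subnet with BIND's allow-recursion/allow-query-cache and adds "additional-from-cache no;". The ACL networks and the zone name are constructed placeholders.

```conf
// Added example, not part of the original post. BIND 9 named.conf for a
// server that is authoritative for one zone and recursive only for its
// own clients. Network ranges and zone name are constructed placeholders.

acl "trusted-clients" {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;        // placeholder: your customer subnet
    2001:db8::/32;       // placeholder: your customer IPv6 range
};

options {
    directory "/var/named";

    // Weak (open resolver): anyone reaching port 53 may recurse and
    // read the cache. This is what the abused-resolver lists flag.
    //   recursion yes;
    //   allow-recursion { any; };

    // Hardened: recursion and cache reads only from our own subnets.
    // Outsiders asking for non-authoritative names get REFUSED.
    recursion yes;
    allow-recursion   { "trusted-clients"; };
    allow-query-cache { "trusted-clients"; };

    // The setting the second customer tested: do not populate the
    // additional section of authoritative answers from cached data, so
    // replies to outsiders carry only data from zones served here.
    additional-from-cache no;
};

// The authoritative zone remains answerable by everyone.
zone "example.net" {
    type master;
    file "db.example.net";
    allow-query { any; };
};
```

After loading the config, confirm from an address outside the ACL that a query for a name you are not authoritative for returns REFUSED while queries for the served zone still answer.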