Andy Smith wrote:
I would encourage you all to firewall off your nameservers as
appropriate. There is typically very little reason to allow the
Internet to talk to your resolver, and there have been a number of
instances recently of people working out how to poison caches and
amplify spoofed DNS traffic.
I don't think the current attacks going about matter if it's a resolver or
not, as some are poorly configured and return more data than was sent
just with the root list alone.
Make sure your DNS configs are in order as well as firewall configs.
--
Best regards,
Duane
http://www.freeauth.org - Enterprise Two Factor Authentication
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Global Communication for the 21st Century
"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."
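
An added example, not part of the original message and not its author's code: a check an operator can run against replies from their own nameserver to an off-network `. NS` query, classifying the reply (refused, root-list referral, or open recursion) and computing the reply-to-query size ratio. The function names, verdict strings and both sample replies are constructed for illustration; the referral sample uses uncompressed names, so its size is larger than a real server's compressed reply.

```python
import struct

def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels ('.' becomes the single root byte)."""
    parts = [p for p in name.strip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """One-question query, class IN, with RD=1."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))

def assess(query: bytes, response: bytes) -> dict:
    """Classify a reply to an off-network query and compute reply/query size."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode, ra = flags & 0x000F, bool(flags & 0x0080)
    if an and ra:
        verdict = "open-recursion"   # answered a stranger via recursion or cache
    elif an or ns:
        verdict = "leaks-referral"   # e.g. the root NS list in the authority section
    elif rcode == 5:
        verdict = "refused"          # small REFUSED reply: the desired outcome
    else:
        verdict = "empty"
    return {"verdict": verdict, "rcode": rcode,
            "factor": round(len(response) / len(query), 2)}

# --- constructed sample replies (not captured traffic) ---
QUERY = build_query(".", 2)          # ". NS", 17 bytes on the wire
QUESTION = QUERY[12:]

def sample_refused() -> bytes:
    """Header with QR=1, RD=1, RCODE=5 and the question echoed back."""
    return struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION

def sample_referral() -> bytes:
    """13 uncompressed root NS records in the authority section, RA=0."""
    rrs = b""
    for letter in "abcdefghijklm":
        rdata = encode_name(f"{letter}.root-servers.net")
        rrs += b"\x00" + struct.pack("!HHIH", 2, 1, 518400, len(rdata)) + rdata
    return struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 13, 0) + QUESTION + rrs

if __name__ == "__main__":
    for label, reply in (("refused", sample_refused()), ("referral", sample_referral())):
        print(label, assess(QUERY, reply))
```

A `refused` verdict with a factor near 1 is what a correctly restricted server returns to clients outside its own network; the other verdicts mean the DNS configuration still answers strangers with more data than they sent.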