North American Network Operators Group

Re: Domain Name System protection

  • From: Suresh Ramasubramanian
  • Date: Mon Aug 16 01:31:25 2004

Joe Shen wrote:
We noticed there are continuous name resolution requests
from IP addresses outside of our address pool, and also
there are requests not conforming to DNS documents
(like those from 10/8, 192.168/16 or something for
Microsoft proxy server name). We think these requests
waste our resources and we don't want these system
stable, secure and high performance.

If the resolver caches are only supposed to be accessed from your IP space, I am sure you can easily throw in a router ACL to accept connections on port 53 only from these IPs.

Oh, and filter out bogons at your borders while you are at it (like for example RFC 1918 source addresses from outside your network).

srs
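
Added example, not part of the original message: a short Python audit that shows, from a resolver query log, which sources a port 53 ACL limited to the client pool and an RFC 1918 bogon filter would drop, so the effect can be checked before the filters go in. The client pool prefixes, the log line format and the sample lines are assumptions constructed for illustration, and the script handles IPv4 only.

```python
import ipaddress
import re
from collections import Counter

# Assumption: placeholder client pool (documentation prefixes); substitute your own.
CLIENT_POOL = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
# RFC 1918 private ranges: bogons when seen as source addresses arriving from outside.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in the style of a resolver query log (not from the thread).
SAMPLE_LOG = """\
client 198.51.100.17#40122: query: www.example.com IN A
client 10.4.4.9#1033: query: proxy.example.net IN A
client 192.0.2.200#5353: query: www.example.org IN A
client 203.0.113.80#51000: query: mail.example.com IN MX
client 192.168.1.20#1026: query: wpad IN A
client 192.0.2.200#5354: query: www.example.org IN AAAA
"""

CLIENT_RE = re.compile(r"client (\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (\S+)")

def classify(src):
    """Return the verdict the ACL plus bogon filter would give this source."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in RFC1918):
        return "drop-bogon"
    if any(addr in net for net in CLIENT_POOL):
        return "permit"
    return "drop-outside-pool"

def audit(log_text):
    """Count queries per verdict and count queries per source that would be dropped."""
    verdicts, dropped = Counter(), Counter()
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue  # not a query line
        try:
            verdict = classify(m.group(1))
        except ValueError:
            continue  # malformed address such as 999.1.1.1
        verdicts[verdict] += 1
        if verdict != "permit":
            dropped[m.group(1)] += 1
    return verdicts, dropped

if __name__ == "__main__":
    verdicts, dropped = audit(SAMPLE_LOG)
    print(dict(verdicts))
    for src, n in dropped.most_common():
        print(f"{src}\t{n}\t{classify(src)}")
```

If clients are numbered from RFC 1918 space internally, run the bogon check only against logs of queries that arrived through the border.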