Re: Great Suggestion for the DNS problem...?

• From: Florian Weimer
• Date: Tue Jul 29 03:55:58 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

* Paul Vixie:

>>> Listen on 200 random fake ports (in addition to the true query ports);

> at first glance, this is brilliant, though with some unimportant nits.

It doesn't work OOTB for most users because the spoofed packets never
reach the name server process if you don't use the ports to send packets
to the authoritative server which is spoofed--the wonders of stateful
firewalling.

• References:
  • Great Suggestion for the DNS problem...? Jay R. Ashworth
  • Re: Great Suggestion for the DNS problem...? Paul Vixie

• Prev by Date: Re: Great Suggestion for the DNS problem...?
• Next by Date: Re: Federal Government Interest in your patch progress
• Date Index
• Thread Index
• Author Index
• Historical