List:       djbdns
Subject:    Re: Proxy DNS servers should not listen on publically reachable IP
From:       "Rob Mayoff" <mayoff () dqd ! com>
Date:       2001-04-28 14:36:09

> You are conflating the access controls imposed by the proxy server with
> whether or not the machine does work and incurs costs in response to datagrams
> that it receives from arbitrary third parties.  All that .../root/ip controls
> is whether or not "dnscache" responds to queries.  It *doesn't* stop the
> queries from arriving in the first place.

You cannot stop people from sending UDP packets to port 53 of your
Internet-routable IP addresses. But you can block the packets at your
router, or block them with a kernel packet filter, or ignore them by not
running a program on port 53. Or you can run a program on port 53 but
have it ignore packets with unauthorized source addresses.

All four of those approaches are likely to have the same effect: people
will stop sending UDP packets to port 53 of your Internet-routable IP
addresses. There is a cost in CPU, memory, and network bandwidth to
using the last approach. (There is likely to be no disk cost because
the root/ip disk blocks are probably cached anyway.) It is up to each
administrator to decide whether that cost is higher than the cost of
switching to one of the other approaches.

Of course you still have to worry about spoofed source addresses in a
DoS attack.  That needs to be solved by filtering on spoofed source
addresses at the network border anyway.
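The fourth approach in the message above (let the program receive the datagram, then decide by source address whether to answer) is what dnscache's root/ip directory implements: a file named after a client IP or a dotted prefix of it (e.g. 1.2.3 for 1.2.3.*) authorizes that client. The following is an added illustration, not part of this thread or of the djbdns source. It reimplements in Python the prefix-walk that dnscache performs against root/ip (check the full address, then strip one trailing label at a time) and runs it over a handful of constructed datagrams so the cost point is visible: every packet is received and checked, and only the authorized ones are answered. The directory layout, sample addresses and counters are assumptions made for the example.

```python
"""Simulate dnscache-style root/ip client filtering (illustrative reimplementation)."""
import os
import tempfile


def okclient(root_ip_dir, client_ip):
    """Return True if client_ip is authorized by a file in root_ip_dir.

    Mirrors the lookup order dnscache uses: try "1.2.3.4", then "1.2.3",
    then "1.2", then "1"; stop when no dot is left to strip.  Each step
    is a filesystem stat, which is the per-datagram cost discussed above.
    """
    name = client_ip
    while True:
        if os.path.exists(os.path.join(root_ip_dir, name)):
            return True
        dot = name.rfind(".")
        if dot < 0:
            return False
        name = name[:dot]


def setup_root_ip(root_ip_dir, entries):
    """Create root/ip with one empty file per authorized address or prefix."""
    os.makedirs(root_ip_dir, exist_ok=True)
    for entry in entries:
        open(os.path.join(root_ip_dir, entry), "a").close()


def serve(root_ip_dir, datagrams):
    """Process (source_ip, payload) datagrams the way a listener on port 53 would.

    Every datagram is counted as received (it has already cost a recv and a
    context switch); only authorized sources are answered.  Returns the tallies.
    """
    stats = {"received": 0, "answered": 0, "dropped": 0}
    for src, _payload in datagrams:
        stats["received"] += 1
        if okclient(root_ip_dir, src):
            stats["answered"] += 1
        else:
            stats["dropped"] += 1
    return stats


def demo():
    """Run the simulation against a temporary root/ip and constructed traffic."""
    with tempfile.TemporaryDirectory() as tmp:
        root_ip = os.path.join(tmp, "root", "ip")
        # Constructed policy: one host, one /24-style prefix, one /16-style prefix.
        setup_root_ip(root_ip, ["127.0.0.1", "10.0.0", "192.168"])
        # Constructed datagrams: three authorized sources, two unauthorized.
        datagrams = [
            ("127.0.0.1", b"query"),
            ("10.0.0.7", b"query"),
            ("192.168.44.2", b"query"),
            ("203.0.113.9", b"query"),
            ("10.0.1.5", b"query"),
        ]
        return serve(root_ip, datagrams)


if __name__ == "__main__":
    print(demo())  # e.g. {'received': 5, 'answered': 3, 'dropped': 2}
```

The "received" counter never drops below the number of packets sent: the source-address check runs after the datagram has been delivered to the process, so a router ACL or kernel packet filter in front of the listener is the only way to avoid that per-packet work.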
