From: William Kenworthy
Date: Sat, 30 Mar 2013 07:01:37 +0800
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] How to prevent a dns amplification attack

On 30/03/13 06:34, Paul Hartman wrote:
> On Thu, Mar 28, 2013 at 7:49 PM, Peter Humphrey wrote:
>> On Thursday 28 March 2013 20:53:49 Paul Hartman wrote:
>>
>>> In my case, my ISP's DNS servers are slow (several seconds to reply),
>>> fail randomly when they should resolve, return an IP (which goes to
>>> their ad-laden "helper" website if you are using a web browser) when
>>> they should instead return nxdomain, and they have openly admitted to
>>> selling customer DNS lookup history to marketers for targeted
>>> advertising.
>>
>> That is just evil. Have you no alternative to this ISP?
>
> Not really.
>
> I have a 100 megabit connection through the cable company; my only
> wired alternative is DSL (1.5 mbit for almost half the price I'm
> paying for 100mbit). Cellular or satellite are not viable options for
> me because of comparatively poor value, latency and minuscule data
> usage caps.
>

Can you do a tunnel to a cheap vsp instance that can access an external
dns, and feed all your dns queries through it? Considering the problems
with your existing setup, that looks attractive and you can have sane
fallbacks if necessary. I tried this to avoid the "Australia Tax" when
online shopping overseas and the small additional latency didn't seem to
be a problem.

BillK