From: Paul Hartman
Sender: paul.hartman@gmail.com
Date: Thu, 28 Mar 2013 15:53:49 -0500
Subject: Re: [gentoo-user] How to prevent a dns amplification attack
To: gentoo-user@lists.gentoo.org
In-Reply-To: <5154A1BE.7010308@gmail.com>
References: <51540497.5020008@smash-net.org> <515463E0.60607@gmail.com> <515496FD.70507@gmail.com> <51549C2D.9080005@gmail.com> <5154A1BE.7010308@gmail.com>
List-Id: Gentoo Linux mail

On Thu, Mar 28, 2013 at 3:02 PM, Alan McKinnon wrote:
>>> Or just use the ISP's DNS caches. In the vast majority of cases, the ISP
>>> knows how to do it right and the user does not.
>>
>> Generally true, though I've known people to choose not to use ISP caches
>> owing to the ISP's implementation of things like '*' records, ISPs
>> applying safety filters against some hostnames, and concerns about the
>> persistence of ISP request logs.
>
> I get a few of those too every now and again. I know for sure in my case
> their fears are unfounded, but can't prove it. Those few (and they are
> few) can go ahead and deploy their own cache. I can't stop them, they
> are free to do it, they are also free to ignore my advice if they choose.

In my case, my ISP's DNS servers are slow (several seconds to reply), fail randomly when they should resolve, return an IP (which goes to their ad-laden "helper" website if you are using a web browser) when they should instead return nxdomain, and they have openly admitted to selling customer DNS lookup history to marketers for targeted advertising.

Thanks for being one of the good guys. :)
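As an added example (not part of this thread or its posters' code), a stdlib-only Python probe that checks a resolver for the symptoms described in the message above: it queries a random label under example.com that cannot exist and reports whether the resolver answered NXDOMAIN, substituted an address of its own, or replied slowly or not at all. The 2-second "slow" threshold and the example.com parent zone are assumptions.

```python
import os
import socket
import struct
import time

SLOW_SECONDS = 2.0  # assumption: replies slower than this count as "slow"

def build_query(name: str, qid: int) -> bytes:
    """Encode a minimal DNS A/IN query with the RD flag set (RFC 1035 wire format)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_reply(data: bytes, qid: int) -> dict:
    """Pull the response code and answer count out of the 12-byte DNS header."""
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("reply ID does not match query ID")
    return {"rcode": flags & 0x000F, "ancount": ancount}

def classify(rcode: int, ancount: int, elapsed: float) -> str:
    """Verdict for a name known not to exist: a correct resolver returns NXDOMAIN
    (rcode 3) with no answers; an answer means the resolver substituted an IP."""
    if rcode == 3 and ancount == 0:
        verdict = "ok"
    elif rcode == 0 and ancount > 0:
        verdict = "nxdomain-hijack"
    else:
        verdict = f"unexpected-rcode-{rcode}"
    if elapsed > SLOW_SECONDS:
        verdict += "+slow"
    return verdict

def probe_resolver(resolver_ip: str, parent_zone: str = "example.com", timeout: float = 5.0) -> str:
    """Send one query for a random, nonexistent label under parent_zone and classify the reply."""
    name = f"{os.urandom(6).hex()}.{parent_zone}"  # constructed label; cannot exist
    qid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        started = time.monotonic()
        sock.sendto(build_query(name, qid), (resolver_ip, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "timeout"  # the "fails randomly" case: repeat the probe to measure how often
        elapsed = time.monotonic() - started
    reply = parse_reply(data, qid)
    return classify(reply["rcode"], reply["ancount"], elapsed)
```

Run `probe_resolver("<your resolver IP>")` a handful of times; a mix of "ok" and "timeout" shows the intermittent failures, while any "nxdomain-hijack" shows the helper-page substitution.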