[Atlas-anchors-pilot] Services on Atlas anchors as measurement targets

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Mar 8 12:14:12 CET 2013


On Fri, Mar 08, 2013 at 12:01:45PM +0100,
 john <jbond at ripe.net> wrote 
 a message of 61 lines which said:

> As a looking glass can also be viewed as an open resolver.

Not at all. The big problem with DNS open resolvers is that they run
over UDP so there is zero guarantee the source IP address is genuine,
allowing reflection attacks (RFC 5358). Using HTTP, therefore TCP,
makes the DNS looking glass immune to these problems (RFC 5961).

Another solution to the specific problem of reflection attacks would
be to have an open resolver allowing only TCP (AFAIK, it is not
possible with existing server software, but you can always filter out
UDP/53 inbound).
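
A way for an operator to check the setup suggested above (DNS answered over TCP, UDP/53 filtered inbound) on their own resolver. This is an added example, not part of the original message; the function names, the default query name and the IPv4-only UDP probe are assumptions made for illustration.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query: RD flag set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame_tcp(message):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035, 4.2.2)."""
    return struct.pack("!H", len(message)) + message

def is_response_to(reply, txid):
    """True if reply has the QR (response) bit set and carries our transaction ID."""
    if len(reply) < 12:
        return False
    rid, flags = struct.unpack("!HH", reply[:4])
    return rid == txid and bool(flags & 0x8000)

def answers_udp(host, query, timeout=3.0):
    """Send the query over UDP/53 (IPv4 only here) and report whether a reply came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (host, 53))
            reply, _ = s.recvfrom(4096)
        except OSError:  # timeout or ICMP unreachable: no UDP service seen
            return False
    return is_response_to(reply, struct.unpack("!H", query[:2])[0])

def answers_tcp(host, query, timeout=3.0):
    """Send the same query over TCP/53, which requires a completed handshake first."""
    try:
        with socket.create_connection((host, 53), timeout=timeout) as s:
            s.sendall(frame_tcp(query))
            f = s.makefile("rb")
            reply = f.read(struct.unpack("!H", f.read(2))[0])
    except (OSError, struct.error):  # refused, timed out, or closed early
        return False
    return is_response_to(reply, struct.unpack("!H", query[:2])[0])

def tcp_only(host, name="example.com"):
    """True when the resolver answers over TCP but stays silent over UDP."""
    query = build_query(name)
    return answers_tcp(host, query) and not answers_udp(host, query)
```

Call `tcp_only("192.0.2.53")` with your own resolver's address in place of the documentation address. A single UDP timeout cannot be told apart from packet loss, so repeat the probe before concluding the filter is in place.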


