Open resolver
Question asked by clive hudson - December 14, 2014 at 3:50 AM
Answered
I'm in the process of using Simple DNS as a domain blacklist filter. I have a list of 4 million adult sites that I block. The use of regular expression filters has made this simpler. At present I forward my servers to Google, Amazon, OpenDNS and OVH, a French company.
My main concern is that too many people will use the service and the public DNS servers will start blocking my DNS requests.
 
The alternative is using Windows 2012 servers running Simple DNS as open resolvers; the advantage is that I will not be throttled by any other public DNS servers.
 
Running an open resolver scares me due to cache poisoning. I did a test to check how random the port selection was, and the results were good.
 
However, the big question is this: can Simple DNS survive as an open resolver and not be compromised? Cache poisoning is my biggest fear. I've already taken measures to stop amplification attacks via multiple firewalls and active monitoring.
 
Regards, Marko
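The "how random is the port selection" test mentioned above can be turned into a repeatable check. The following is an added example, not code from the original post or from Simple DNS Plus: it scores a list of (source port, transaction ID) pairs observed on a resolver's outbound queries. Each response a resolver accepts must match both the 16-bit transaction ID and the source port of the query it sent, so a resolver that reuses one port, or draws from a tiny port pool, leaves only the transaction ID as protection against a forged answer. The observations are constructed with a seeded generator, and the entropy thresholds are assumptions chosen for a sample of 2000 queries.

```python
import math
import random
from collections import Counter

# Assumed thresholds for this example: with 2000 observations the empirical
# Shannon estimate cannot exceed log2(2000) ~= 10.97 bits, so a resolver that
# draws from the whole ephemeral port range should sit just under that ceiling.
SAMPLE_SIZE = 2000
MIN_PORT_BITS = 10.0
MIN_TXID_BITS = 10.0


def shannon_bits(values):
    """Empirical Shannon entropy (in bits) of a list of observed values."""
    counts = Counter(values)
    total = len(values)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def assess_randomization(observations):
    """observations: list of (source_port, txid) pairs, one per outbound query.

    Returns the measured entropy of ports and transaction IDs plus a list of
    findings; an empty findings list means nothing weak was detected."""
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    port_bits = shannon_bits(ports)
    txid_bits = shannon_bits(txids)
    # A counter that simply increments is high-entropy by the Shannon measure
    # but trivially predictable, so it needs its own check.
    sequential_txids = len(txids) > 1 and all(
        (b - a) % 65536 == 1 for a, b in zip(txids, txids[1:])
    )

    findings = []
    if len(set(ports)) == 1:
        findings.append("fixed source port")
    elif port_bits < MIN_PORT_BITS:
        findings.append("low source port entropy")
    if sequential_txids:
        findings.append("sequential transaction IDs")
    elif txid_bits < MIN_TXID_BITS:
        findings.append("low transaction ID entropy")

    return {
        "samples": len(observations),
        "distinct_ports": len(set(ports)),
        "port_bits": round(port_bits, 2),
        "txid_bits": round(txid_bits, 2),
        "findings": findings,
    }


def make_sample(kind, n=SAMPLE_SIZE, seed=1234):
    """Constructed observations (not captured traffic) for three resolver behaviours:
    'good' uses the full ephemeral range, 'fixed_port' always sends from port 53 with
    an incrementing ID, 'small_pool' picks from only 256 ports."""
    rng = random.Random(seed)
    sample = []
    for i in range(n):
        if kind == "good":
            sample.append((rng.randint(1024, 65535), rng.randint(0, 65535)))
        elif kind == "fixed_port":
            sample.append((53, (1000 + i) % 65536))
        elif kind == "small_pool":
            sample.append((1024 + rng.randrange(256), rng.randint(0, 65535)))
        else:
            raise ValueError(f"unknown sample kind: {kind}")
    return sample


if __name__ == "__main__":
    for kind in ("good", "fixed_port", "small_pool"):
        print(kind, assess_randomization(make_sample(kind)))
```

To run this against a real resolver, replace `make_sample` with pairs pulled from a packet capture of the resolver's outbound queries (destination port 53, the query's UDP source port and DNS ID field). The check is deliberately conservative: entropy measured on a sample is an upper bound on what the sample can show, not a proof that the generator is unpredictable, which is why the counter case is tested separately.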
 


JH Software Replied
January 7, 2015 at 9:40 AM
Employee Post
> Can Simple DNS survive as an open resolver and not be compromised?
 
First: running an open resolver is always a bad idea.
 
Simple DNS Plus is certainly resilient, but given enough time and number of requests, any open resolver can probably be compromised.
 
But if your purpose is only to host a blacklist, then why would you run as an open resolver (allow recursion to outside IP addresses)?
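The distinction the reply draws, answering for the zones you host while allowing recursion only to your own clients, is a policy decision that can be checked against query logs. The following is an added example and not Simple DNS Plus code or configuration: it applies a recursion ACL to a constructed log excerpt in a made-up format and counts how each query would be treated, so the number of outside clients asking for recursion (the population an open resolver would be serving) becomes visible. The allowed networks and the locally hosted zone names are assumptions.

```python
import ipaddress
from collections import Counter

# Assumed policy: recursion only for these client networks.
ALLOWED_RECURSION = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Assumed zones this server hosts itself (e.g. the blacklist zones); anyone may
# query these without recursion being involved.
LOCAL_ZONES = {"blocked.example", "filter.example"}

# Constructed log lines in an invented format, not real Simple DNS Plus output.
SAMPLE_LOG = """\
2014-12-14 03:50:01 client=10.1.2.3 qname=www.example.com rd=1
2014-12-14 03:50:02 client=203.0.113.9 qname=www.example.com rd=1
2014-12-14 03:50:03 client=203.0.113.9 qname=host.blocked.example rd=1
2014-12-14 03:50:04 client=198.51.100.7 qname=isc.org rd=1
2014-12-14 03:50:05 client=192.168.5.5 qname=isc.org rd=0
"""


def parse_line(line):
    """Turn one constructed log line into (client_ip, qname, recursion_desired)."""
    fields = dict(part.split("=", 1) for part in line.split()[2:])
    return (
        ipaddress.ip_address(fields["client"]),
        fields["qname"].rstrip(".").lower(),
        fields["rd"] == "1",
    )


def in_local_zone(qname):
    return any(qname == z or qname.endswith("." + z) for z in LOCAL_ZONES)


def decide(client, qname, rd):
    """Classify a query under the assumed policy."""
    if in_local_zone(qname):
        return "AUTHORITATIVE"          # served from our own zone data
    if any(client in net for net in ALLOWED_RECURSION):
        return "RECURSE" if rd else "NON_RECURSIVE"
    return "REFUSED"                    # outside client asking for recursion


def evaluate(log_text):
    """Return (per-query decisions, overall counts)."""
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname, rd = parse_line(line)
        decisions.append((str(client), qname, decide(client, qname, rd)))
    return decisions, Counter(d for _, _, d in decisions)


def refused_by_client(decisions):
    """Outside clients that would have been refused recursion, with counts."""
    return Counter(client for client, _, d in decisions if d == "REFUSED")


if __name__ == "__main__":
    decisions, totals = evaluate(SAMPLE_LOG)
    for row in decisions:
        print(*row)
    print("totals:", dict(totals))
    print("refused clients:", dict(refused_by_client(decisions)))
```

Run on a real log, a steadily growing `REFUSED` count from many distinct outside addresses is the signal that the server is being found and probed as a resolver, while the `AUTHORITATIVE` queries keep working regardless, which is exactly the separation the reply is asking about.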
 
