| 1 |
> I know that anyone can use any DNS server that's exposed to the internet, |
| 2 |
> also for free, so what's the big deal about google? |
| 3 |
|
| 4 |
IMO a DNS server configured that way is poorly configured (unless you're |
| 5 |
actually trying to run a public service, as google is). Instead the use |
| 6 |
of BINDs allow-recursion statement (or equivalent) should limit |
| 7 |
recursion to only the ISPs customers. So, anyone can use the DNS to look |
| 8 |
up any hosted zones, but only the ISPs customers can lookup other zones. |
| 9 |
The network will need anti-spoofing controls as well. FWIW bigger ISPs |
| 10 |
will split their DNSes, with some dedicated to hosting zones and others |
| 11 |
dedicated to recursive lookups. |
| 12 |
|
| 13 |
Limiting recursion helps with amplifications attacks. |
Archives