> I know that anyone can use any DNS server that's exposed to the internet,
> also for free, so what's the big deal about google?

IMO a DNS server configured that way is poorly configured (unless you're
actually trying to run a public service, as google is). Instead the use
of BIND's allow-recursion statement (or equivalent) should limit
recursion to only the ISP's customers. So, anyone can use the DNS to look
up any hosted zones, but only the ISP's customers can look up other zones.
The network will need anti-spoofing controls as well. FWIW bigger ISPs
will split their DNSes, with some dedicated to hosting zones and others
dedicated to recursive lookups.

Limiting recursion helps with amplification attacks.
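The allow-recursion setup described in the reply above, as an added named.conf fragment that is not part of the original thread. The customer address ranges, the zone name and the file path are placeholders (RFC 5737/3849 documentation prefixes); the open-recursion setting is shown commented out beside the restricted one, and the rate-limit block is an additional BIND 9.9+ throttle that goes beyond what the post itself mentions.

```conf
// Added illustration, not from the original post.
// Replace the "customers" prefixes with the ISP's own address ranges.

acl "customers" {
    192.0.2.0/24;        // placeholder IPv4 customer range (RFC 5737)
    2001:db8::/32;       // placeholder IPv6 customer range (RFC 3849)
    localhost;           // built-in ACL: the server's own addresses
    localnets;           // built-in ACL: directly attached networks
};

options {
    directory "/var/named";   // placeholder path

    // Weak setting: open resolver. Any host on the internet can use this
    // server for recursion, so spoofed queries can be amplified at a victim.
    // recursion yes;
    // allow-recursion { any; };

    // Restricted setting: recursion only for the ISP's own customers.
    // Outside hosts asking for non-hosted names get REFUSED instead.
    recursion yes;
    allow-recursion { customers; };
    allow-query-cache { customers; };   // keep cached answers private too

    // Hosted (authoritative) zones remain answerable by anyone.
    allow-query { any; };

    // Optional extra throttle on the responses that are still sent
    // (response rate limiting, available in BIND 9.9 and later).
    rate-limit {
        responses-per-second 10;
    };
};

// A hosted zone: served to the world without any recursion involved.
zone "example.net" {
    type master;
    file "db.example.net";   // placeholder zone file
};
```

On the split layout the reply mentions, the dedicated authoritative servers would instead carry `recursion no;` and no allow-recursion statement at all, while only the customer-facing resolvers keep the block above. Anti-spoofing (ingress filtering on customer interfaces) has to be done on the routers; BIND cannot tell a spoofed customer source address from a real one.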