said by USAccess: what happens when a dynamic IP updates, and the user loses all internet connectivity (assuming most users don't know the IP address of every website they wish to visit)?
Just because your competitors use open recursion doesn't mean it's something you absolutely must do as well. As others (and I) have stated, open recursive DNS servers are tricky to manage. Even when you rate limit, you can get very high amplification factors if you know what you're doing and create much more traffic than what you send.
Part of your business is making it easy for users to update their IP stored in your database so they can always access your service (such as with a mobile app or short URL).
I meant restricting access to your DNS server for queries (by paying customers), not forcing the user to remember the IP address of the website they want to visit.
If you aren't IP restricting, then how do you ensure people pay for the service? If anyone can openly query your DNS server, then they don't need to pay? Unless you're giving different results based on the source IP and whether it's in your billing database or not.
The rules you reference in the GitHub repo link are of no use. The majority of people who exploit open/recursive DNS servers do so with spoofed source IPs. This attack vector does not allow for much other value if you can't spoof the IP of your intended victim (unless you want to just play around and create traffic to many destinations for no apparent reason). Most intended victims are not exploiters, therefore they will never be on a common publicly available list of malicious activity.
said by USAccess: I understand you would like to contribute to dialog on this matter, but your information here is just blatantly wrong. You can openly recurse on all of our competitors.
I'm contributing dialog to the issue you asked the community about in your opening post. You are asking why some ISPs are blocking traffic to your services; there's no other explanation other than malicious activity. ISPs need to go out of their way to block traffic, so there needs to be a reason when more than one did this. How you can claim any of the information I've contributed is "blatantly wrong" is nonsense. Do some traffic sampling on your interfaces, run Wireshark on your sample, and you will quickly be able to find malicious network activity to your server; it's almost a guarantee with an open DNS server.
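As an added example (not from this thread or either poster), here is the kind of traffic sampling the reply above recommends, written as a small Python script: it summarises constructed query/response records per source address and flags the reflection pattern discussed here, high amplification combined with a fast burst of queries. The record format, addresses and thresholds are assumptions of my own.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class DnsRecord:
    ts: float        # capture time in seconds
    src: str         # source IP on the wire; for reflection abuse this is the spoofed victim
    qname: str
    qtype: str
    req_bytes: int   # UDP payload of the query
    resp_bytes: int  # UDP payload of the answer the resolver sent back

# Constructed sample (hypothetical addresses): one ordinary client and a burst
# of 20 spoofed ANY queries for a large zone within one second.
SAMPLE = [
    DnsRecord(0.0, "198.51.100.7", "example.com.", "A", 45, 61),
    DnsRecord(0.4, "198.51.100.7", "example.org.", "AAAA", 47, 75),
    DnsRecord(0.9, "198.51.100.7", "example.net.", "MX", 45, 120),
] + [
    DnsRecord(0.05 * i, "203.0.113.9", "bigzone.example.", "ANY", 40, 3100)
    for i in range(20)
]

def summarize(records):
    """Per source: query count, peak queries in any 1 s window,
    bytes-out / bytes-in amplification and share of ANY queries."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r.src].append(r)
    stats = {}
    for src, rs in by_src.items():
        peak = max(sum(1 for q in rs if r.ts <= q.ts < r.ts + 1.0) for r in rs)
        req = sum(r.req_bytes for r in rs)
        resp = sum(r.resp_bytes for r in rs)
        stats[src] = {
            "queries": len(rs),
            "peak_qps": peak,
            "amplification": resp / req,
            "any_share": sum(r.qtype == "ANY" for r in rs) / len(rs),
        }
    return stats

def flag_reflection(records, min_amp=10.0, min_qps=10):
    """Sources that both amplify strongly and arrive fast. A flagged address is
    most likely the spoofed victim, so the response is to rate limit answers
    toward it and close recursion, not to blocklist it as an attacker."""
    return sorted(src for src, s in summarize(records).items()
                  if s["amplification"] >= min_amp and s["peak_qps"] >= min_qps)
```

On the sample, the ordinary client amplifies under 2x and is ignored, while the spoofed source shows 77.5x amplification at 20 queries per second and is flagged.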