news from Google
Danny McPherson
danny at tcb.net
Mon Dec 7 01:30:53 UTC 2009
I think one of the things that concerns me most with Google
validating and jumping on the DNS "open resolver" bandwagon
is that it'll force more folks (ISPs, enterprises and end
users alike) to leave DNS resolver IP access wide open.
Malware already commonly changes DNS resolver settings to
rogue resolvers, and removes otherwise resident malcode from
the end system to avoid detection by AV and the like.
One of the primary recommendations I give to enterprises is to
force use of internal resolvers, and log all other attempted
DNS resolution queries elsewhere; it's a quick way to detect
some compromised systems. My personal recommendation is that
ISPs do the same, but that's where network neutrality issues
enter the picture. Of course, some of the DNS NXDOMAIN and
similar "synthesis" they've been performing may perturb some
users, and hence Google's service (and _many_ before) are
presumably welcomed by casual (or expert) end users.
So, DNSSEC deployment finally gets close (with validation
models mostly just to the resolver) -- primarily to deal with
DNS data integrity issues in the infrastructure -- yet compromised
end systems are simply configured to use rogue resolvers,
obviating much of the benefit of the added complexity DNSSEC
brings, with "dumb pipe" providers simply enabling the now
nefarious transactions.
And this concern is entirely orthogonal to all the issues that
arise once Google (and everyone else) decide that _overriding_
application-level DNS settings (e.g., for Chrome) is perfectly
reasonable -- not to mention the value they find in operation of
DNS infrastructure from a data mining (e.g., NXDOMAIN data ==
marketing intelligence/$$) that many other folks have long ago
realized...
-danny
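The detection the post recommends (force internal resolvers, log everything else, and look for hosts whose DNS goes elsewhere), as an added example that is not part of the original message: it scans firewall egress log lines and reports internal hosts that sent port-53 traffic to any resolver not on the approved list. The resolver addresses, internal networks and the simplified iptables-style log lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed environment (constructed, not from the post): the only resolvers internal
# hosts may use, and the address space that counts as internal.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Fields needed from a simplified iptables-style LOG line for egress traffic.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*\bDPT=(?P<dport>\d+)")

# Constructed sample log: approved-resolver traffic, two hosts using outside
# resolvers, one non-DNS line, and one non-internal source that must be ignored.
SAMPLE_LOG = """\
Dec  7 01:30:53 fw kernel: DNS-EGRESS SRC=10.0.5.21 DST=10.0.0.53 PROTO=UDP SPT=51234 DPT=53
Dec  7 01:30:54 fw kernel: DNS-EGRESS SRC=10.0.5.22 DST=198.51.100.7 PROTO=UDP SPT=40001 DPT=53
Dec  7 01:30:55 fw kernel: DNS-EGRESS SRC=10.0.5.22 DST=198.51.100.7 PROTO=UDP SPT=40002 DPT=53
Dec  7 01:30:56 fw kernel: DNS-EGRESS SRC=10.0.5.30 DST=10.0.1.53 PROTO=TCP SPT=33000 DPT=53
Dec  7 01:30:57 fw kernel: DNS-EGRESS SRC=10.0.5.40 DST=203.0.113.53 PROTO=UDP SPT=60000 DPT=53
Dec  7 01:30:58 fw kernel: NTP-EGRESS SRC=10.0.5.40 DST=203.0.113.123 PROTO=UDP SPT=123 DPT=123
Dec  7 01:30:59 fw kernel: DNS-EGRESS SRC=203.0.113.9 DST=198.51.100.7 PROTO=UDP SPT=60001 DPT=53
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal networks."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def find_rogue_resolver_use(log_text: str) -> dict:
    """Return {internal_host: {unapproved_resolver: query_count}}: internal hosts
    whose port-53 traffic went anywhere but an approved resolver, i.e. the
    misconfigured or resolver-hijacked systems the post says this log exposes."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("dport") != "53":
            continue  # not DNS, or not a line in the expected format
        src, dst = m.group("src"), m.group("dst")
        if not is_internal(src) or dst in APPROVED_RESOLVERS:
            continue  # outside source, or a sanctioned resolver
        findings[src][dst] += 1
    return {host: dict(dsts) for host, dsts in findings.items()}


if __name__ == "__main__":
    for host, dsts in find_rogue_resolver_use(SAMPLE_LOG).items():
        print(host, "->", dsts)
```

On the constructed log this reports 10.0.5.22 (two queries to 198.51.100.7) and 10.0.5.40 (one query to 203.0.113.53); the same logic applies to any egress log that records source, destination and destination port.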