news from Google

Danny McPherson danny at tcb.net
Mon Dec 7 01:30:53 UTC 2009


I think one of the things that concerns me most with Google 
validating and jumping on the DNS "open resolver" bandwagon 
is that it'll force more folks (ISPs, enterprises and end 
users alike) to leave DNS resolver IP access wide open.  
Malware already commonly changes DNS resolver settings to 
rogue resolvers, and removes otherwise resident malcode from 
the end system to avoid detection by AV and the like.  

One of the primary recommendations I give to enterprises is to 
force use of internal resolvers, and log all other attempted
DNS resolution queries elsewhere; it's a quick way to detect
some compromised systems.  My personal recommendation is that
ISPs do the same, but that's where network neutrality issues 
enter the picture.  Of course, some of the DNS NXDOMAIN and 
similar "synthesis" they've been performing may perturb some 
users, and hence Google's service (and _many before) are 
presumably welcomed by casual (or expert) end users.

So, DNSSEC deployment finally gets close (with validation 
models mostly just to the resolver) -- primarily to deal with 
DNS data integrity issues in the infrastructure - yet compromised 
end systems are simply configured to use rogue resolvers, 
obviating much of the benefit of the added complexity DNSSEC
brings, with "dumb pipe" providers simply enabling the now
nefarious transactions.

And this concern is entirely orthogonal to all the issues that
arise once Google (and everyone else) decide that _overriding
application-level DNS settings (e.g., for Chrome) is perfectly
reasonable -- not to mention the value they find in operation of
DNS infrastructure from a data mining (e.g., NXDOMAIN data ==
marketing intelligence/$$) that many other folks have long ago
realized...

-danny
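The detection the post recommends (force internal resolvers, then log and review every other outbound DNS attempt) as an added example, not part of the original message: it reads iptables-style LOG lines and reports internal hosts that sent port-53 traffic to anything other than the approved resolvers. The log format, the 10.0.0.0/8 address space, the resolver addresses and the sample lines are all assumptions constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed: the enterprise's sanctioned internal resolvers and its address space.
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumed log format: iptables-style LOG lines carrying SRC=, DST=, PROTO=, DPT= fields.
_FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def parse_log_line(line):
    """Return the SRC/DST/PROTO/DPT fields of one log line, or None if any is missing."""
    fields = dict(_FIELD.findall(line))
    if not all(key in fields for key in ("SRC", "DST", "PROTO", "DPT")):
        return None
    return fields

def is_rogue_dns(fields):
    """True when an internal host sends DNS (udp/tcp 53) to a resolver outside the approved set."""
    if fields["DPT"] != "53" or fields["PROTO"] not in ("UDP", "TCP"):
        return False
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    if not any(src in net for net in INTERNAL_NETS):
        return False  # only internal clients are in scope
    return dst not in APPROVED_RESOLVERS

def find_rogue_clients(lines):
    """Map each offending internal host to the sorted list of unapproved resolvers it contacted."""
    hits = defaultdict(set)
    for line in lines:
        fields = parse_log_line(line)
        if fields and is_rogue_dns(fields):
            hits[fields["SRC"]].add(fields["DST"])
    return {src: sorted(dsts) for src, dsts in hits.items()}

# Constructed sample log lines (not real traffic); 8.8.8.8 is the public resolver the thread discusses.
SAMPLE_LOG = [
    "Dec  7 01:30:53 fw kernel: DNS-OUT IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=8.8.8.8 PROTO=UDP SPT=51234 DPT=53",
    "Dec  7 01:30:54 fw kernel: DNS-OUT IN=eth1 OUT=eth0 SRC=10.0.5.21 DST=10.0.0.53 PROTO=UDP SPT=51235 DPT=53",
    "Dec  7 01:30:55 fw kernel: DNS-OUT IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=203.0.113.9 PROTO=TCP SPT=51236 DPT=53",
    "Dec  7 01:30:56 fw kernel: DNS-OUT IN=eth1 OUT=eth0 SRC=10.0.5.22 DST=203.0.113.9 PROTO=TCP SPT=51237 DPT=443",
    "Dec  7 01:30:57 fw kernel: DNS-OUT IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=8.8.8.8 PROTO=UDP SPT=51238 DPT=53",
]

if __name__ == "__main__":
    for host, resolvers in find_rogue_clients(SAMPLE_LOG).items():
        print(f"{host} queried non-approved resolvers: {', '.join(resolvers)}")
```

A host that shows up here has either been reconfigured by its user or, as the post describes, had its resolver settings changed by malware; either way it is a candidate for a closer look.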
More information about the NANOG mailing list