DNS cache poisoning attacks -- are they real?

Joe Maimon jmaimon at ttec.com
Sun Mar 27 21:42:55 UTC 2005
bmanning at vacation.karoshi.com wrote:
> On Sun, Mar 27, 2005 at 11:36:26AM -0500, Joe Maimon wrote:
> 
<snip>
> 
> 	er... common best practice for YOU... perhaps.
> 	dnsreport.com is apparently someone who agrees w/ you.
> 	and i know why some COMMERCIAL operators want to squeeze
> 	every last lira from the services they offer...
> 	but IMRs w/ unrestricted access are a good and valuable tool
> 	for the Internet community at large.
> 
> 	IMR? - you know, an Iterative Mode Resolver aka caching server.
> 
> 
>>Joe
> 
> 
> --bill
> 
> 

Thanks for the feedback, bill and all else who have responded.

Just want to clarify -- That's NOT my position, any resolvers (not like 
that's a great many big important ones like others here can attest to) I 
have run were not purposefully closed off from anyone (who was not being 
abusive).

Security is critical, but I am from the school that advocates leaving 
open that which

* may be useful to others

* does not cost me {much} - cost is in terms of {money | cpu | ram | bw 
| mgmt | what have you}

* takes extra effort to close off

* Has no recent history of badness (insert your definition for "recent")

* Is easily verifiable (you should know real quick if your DNS cache is 
poisoned)

* avoids issues on how to make things work now that you have screwed it 
all up by denying resolving to all [insert all corner cases here] 
(simply as an example)

Easy to make a road, hard to make a prison.