Sitefinder II, the sequel...

Chris Woodfield rekoil at
Thu Jul 13 13:35:39 UTC 2006

Going off on something of a tangent, I'd be really curious what sort  
of efforts OpenDNS are making/will need to make in order to limit  
their servers' utility as a relay for amplification attacks (which  
I'm listening to a discussion on at IETF as I type). 

On Jul 13, 2006, at 8:08 AM, Patrick W. Gilmore wrote:

> On Jul 13, 2006, at 3:39 AM, Simon Waters wrote:
>> Most of those I know try to deploy recursive services as close as  
>> possible to
>> the client, avoiding where possible alternative views of the DNS, and
>> forwarding.
> Would that everyone did what the people you know do.
> Unfortunately, there are a few providers doing things like  
> outsourcing their recursive service to, say, their upstream, or  
> having one "node" of recursive servers anywhere in the world for  
> all their end users.  These providers violate the first part of  
> your sentence.
> The second part doesn't make any sense to me.  It seems that having  
> multiple, geographically disparate recursive name servers would be  
> more likely to present an "alternative [view] of the DNS".  (In  
> fact, I can prove that's true in at least some cases. :)  So you  
> are actually arguing -against- your first point.
> That said, no one has yet said why it is necessary, or even  
> desirable, to have a completely homogenous view of the world.
>> Perhaps time to ask Brad, Paul and Cricket what they think, and  
>> have answers
>> to their comments.
> Perhaps.  However, in the last DNS related thread, Paul made a  
> pretty strong claim (violating a protocol) and showed exactly  
> _ZERO_ facts to back it up, despite being asked at least five times  
> (by my count).
>> With automated responses to "bad things", it is usually best to  
>> minimise the
>> scope of the change. Similarly typo correction makes sense for  
>> URLs, but not
>> for most other uses of the DNS (hence the proviso you make to  
>> switch it off
>> if you use RBL, although I'd say switch it off for all email  
>> servers less you
>> start correcting spambot crud, our email servers make a DNS check  
>> on the
>> senders domain, that doesn't want correcting either), so the  
>> answer is
>> probably browser plug-in (although most browsers already try to  
>> guess what
>> you meant to some extent).
> Perhaps something as simple as a preference only 'correcting'  
> queries that begin with "www"?
> -- 
> patrick

More information about the NANOG mailing list