On-going Internet Emergency and Domain Names
David Ulevitch
davidu at everydns.net
Wed Apr 4 18:58:04 UTC 2007
Paul Vixie wrote:
>> ...
>> Back to reality and 2007:
>> In this case, we speak of a problem with DNS, not sendmail, and not bind.
>>
>> As to blacklisting, it's not my favorite solution but rather a limited
>> alternative I also saw you mention on occasion. What alternatives do you
>> offer which we can use today?
>
> on any given day, there's always something broken somewhere.
>
> in dns, there's always something broken everywhere.
>
> since malware isn't breaking dns, and since dns is not a vector per se, the
> idea of changing dns in any way to try to control malware strikes me as
> a way to get dns to be broken in more places more often.
I'd say it's a way to get DNS to be more inconsistent and it's likely to
happen. Broken is both in the eye of the beholder and in the eye of the
end-user.
> but, isp's responsible for large broadband populations could do this in their
> recursion farms
That's right. And it will perpetuate the arms race of whitehats vs.
blackhats. But that's no reason not to add intelligence into the DNS --
either in-band or out-of-band. Most of us already do some level of DNS
intelligence out-of-band (passive dns, uribls, etc) and the power of
doing it in-band is a logical next step.
> fundamentally, this isn't a dns technical problem, and using dns technology
> to solve it will either not work or set a dangerous precedent. and since
> the data is authentic, some day, dnssec will make this kind of poison
> impossible.
Unfortunately, that day, if it ever comes, will come after bot herders
stop using DNS to manage their botnets because other mitigation
strategies will have already forced them to move on.
-David
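As an added illustration of the "in-band DNS intelligence" idea discussed above (not code from the thread or from either author): a minimal model of a resolver-side policy check of the kind an ISP could run in its recursion farm, with the blocklist fed out-of-band (passive DNS, URIBL-style feeds). The rule names, sinkhole address and client addresses are constructed; the design choices a practitioner cares about are visible: most-specific rule wins, an allow list bounds collateral damage from a coarse rule, and every hit is logged so the resolver doubles as a detection point.

```python
# Model of an in-band DNS policy check at a recursive resolver.
# Constructed example: rule names, sinkhole and client addresses are made up.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ResolverPolicy:
    # rule -> action: None means answer NXDOMAIN, a string is a sinkhole address
    rules: Dict[str, Optional[str]]
    # exceptions that always win, to bound collateral damage from a coarse rule
    allow: Set[str] = field(default_factory=set)
    # one record per policy hit: which client asked for which blocked name
    hits: List[str] = field(default_factory=list)

    @staticmethod
    def ancestors(qname: str) -> List[str]:
        """'WWW.Bad.Example.' -> ['www.bad.example', 'bad.example', 'example']"""
        labels = qname.rstrip(".").lower().split(".")
        return [".".join(labels[i:]) for i in range(len(labels))]

    def decide(self, qname: str, client: str) -> Tuple[str, Optional[str]]:
        """Return (verdict, sinkhole_or_None) for a query before normal recursion."""
        names = self.ancestors(qname)
        # allow list is checked first so an exception beats any blocking rule
        if any(n in self.allow for n in names):
            return ("PASS", None)
        for n in names:  # walking upward, so the first match is the most specific rule
            if n in self.rules:
                target = self.rules[n]
                verdict = "SINKHOLE" if target else "NXDOMAIN"
                self.hits.append(f"client={client} qname={qname} rule={n} action={verdict}")
                return (verdict, target)
        return ("PASS", None)  # no rule: resolve normally


if __name__ == "__main__":
    policy = ResolverPolicy(
        rules={"c2.example": "192.0.2.1", "bad.example": None},
        allow={"ok.bad.example"},
    )
    for q, c in [("a.c2.example.", "10.0.0.5"), ("x.bad.example", "10.0.0.6"),
                 ("ok.bad.example", "10.0.0.7"), ("example.net", "10.0.0.8")]:
        print(q, policy.decide(q, c))
    print(*policy.hits, sep="\n")
```

Note that a validating stub behind such a resolver would reject the synthesized NXDOMAIN or sinkhole answer for a signed zone, which is exactly the DNSSEC tension raised in the thread.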