On-going Internet Emergency and Domain Names

David Ulevitch davidu at everydns.net
Wed Apr 4 18:58:04 UTC 2007


Paul Vixie wrote:
>> ...
>> Back to reality and 2007:
>> In this case, we speak of a problem with DNS, not sendmail, and not bind.
>>
>> As to blacklisting, it's not my favorite solution but rather a limited
>> alternative I also saw you mention on occasion. What alternatives do you
>> offer which we can use today?
> 
> on any given day, there's always something broken somewhere.
> 
> in dns, there's always something broken everywhere.
> 
> since malware isn't breaking dns, and since dns is not a vector per se, the
> idea of changing dns in any way to try to control malware strikes me as
> a way to get dns to be broken in more places more often.

I'd say it's a way to get DNS to be more inconsistent and it's likely to 
happen.  Broken is both in the eye of the beholder and in the eye of the 
end-user.

> but, isp's responsible for large broadband populations could do this in their
> recursion farms

That's right. And it will perpetuate the arms race of whitehats vs. 
blackhats.  But that's no reason not to add intelligence into the DNS -- 
either in-band or out-of-band.  Most of us already do some level of DNS 
intelligence out-of-band (passive dns, uribls, etc) and the power of 
doing it in-band is a logical next step.

> fundamentally, this isn't a dns technical problem, and using dns technology
> to solve it will either not work or set a dangerous precedent.  and since
> the data is authentic, some day, dnssec will make this kind of poison
> impossible.

Unfortunately, that day, if it ever comes, will come after bot herders 
stop using DNS to manage their botnets because other mitigation 
strategies will have already forced them to move on.

-David
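
The message above contrasts out-of-band DNS intelligence (passive DNS, URIBLs) with in-band filtering in an ISP's recursion farm. The following is an added example, not code from the NANOG thread or from either author, showing what both mechanisms look like in miniature: a URIBL/DNSBL-style lookup, where a client constructs `<domain>.<reputation zone>` and interprets a 127.0.0.0/8 A record as a listing, and a filtering recursive resolver that walks a query name up its parent labels against a policy list and synthesizes NXDOMAIN for hits. The reputation zone name `dbl.example.net`, the list contents and the "upstream" answers are all constructed for the example; nothing here reaches the network.

```python
"""Added example (not from the NANOG post or its authors).

Two kinds of DNS intelligence discussed in the thread, simulated offline:
  * out-of-band: a URIBL/DNSBL-style reputation lookup;
  * in-band: a recursive resolver that checks a policy list before
    answering and returns a synthesized NXDOMAIN for listed names.

All zone names, list contents and upstream answers are constructed
for illustration.
"""
from ipaddress import IPv4Address
from typing import Optional

# Constructed reputation zone (assumption; not a real list).
URIBL_ZONE = "dbl.example.net"

# Constructed view of the reputation zone. By DNSBL convention a listing
# is expressed as an A record in 127.0.0.0/8 under <domain>.<zone>.
_FAKE_URIBL_RECORDS = {
    "cnc.badbot.example." + URIBL_ZONE: "127.0.1.2",
    "phish.example." + URIBL_ZONE: "127.0.1.4",
}

# Constructed in-band policy list applied by the recursive resolver.
POLICY_LIST = {"badbot.example", "phish.example"}

# Constructed upstream answers the resolver would obtain by recursion.
_FAKE_UPSTREAM = {
    "www.nanog.org": "192.0.2.10",
    "cnc.badbot.example": "203.0.113.7",
    "phish.example": "203.0.113.8",
}


def normalize_name(name: str) -> str:
    """Lower-case and strip the trailing dot so comparisons are stable."""
    return name.strip().rstrip(".").lower()


def uribl_query_name(domain: str) -> str:
    """Build the out-of-band lookup name: <domain>.<reputation zone>."""
    return f"{normalize_name(domain)}.{URIBL_ZONE}"


def uribl_lookup(domain: str) -> Optional[str]:
    """Return the DNSBL return code (as an address) if listed, else None.

    Only 127.0.0.0/8 answers count as a listing. Anything else is treated
    as a broken, hijacked or wildcarded zone and ignored, which is the
    classic failure mode of trusting a DNSBL answer blindly.
    """
    answer = _FAKE_URIBL_RECORDS.get(uribl_query_name(domain))
    if answer is None:
        return None
    if not IPv4Address(answer).is_loopback:
        return None
    return answer


def policy_match(qname: str) -> Optional[str]:
    """Return the listed domain covering qname, walking up parent labels.

    A listing for badbot.example must also cover cnc.badbot.example;
    otherwise the bot herder only needs to add a label.
    """
    labels = normalize_name(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in POLICY_LIST:
            return candidate
    return None


def resolve(qname: str) -> dict:
    """Answer a query the way a filtering recursive resolver would.

    Listed names get a synthesized NXDOMAIN. The 'policy' field records
    why, because from the client's side the rewrite is indistinguishable
    from a genuinely non-existent name.
    """
    hit = policy_match(qname)
    if hit is not None:
        return {"qname": qname, "rcode": "NXDOMAIN", "answer": None, "policy": hit}
    addr = _FAKE_UPSTREAM.get(normalize_name(qname))
    if addr is None:
        return {"qname": qname, "rcode": "NXDOMAIN", "answer": None, "policy": None}
    return {"qname": qname, "rcode": "NOERROR", "answer": addr, "policy": None}


if __name__ == "__main__":
    for q in ("www.nanog.org", "cnc.badbot.example", "nothere.example"):
        print(q, "uribl:", uribl_lookup(q), "in-band:", resolve(q))
```

The two paths differ in who makes the decision: with the URIBL the querying application sees the listing and chooses what to do, while the in-band resolver decides for every client behind it and the client only sees NXDOMAIN. That is also where the DNSSEC point in the thread bites: a synthesized NXDOMAIN for a name in a signed zone carries no valid proof of non-existence, so a validating client would reject it rather than accept the policy answer.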



More information about the NANOG mailing list