On-going Internet Emergency and Domain Names

Gadi Evron ge at linuxbox.org
Sat Mar 31 11:16:01 UTC 2007

On Sat, 31 Mar 2007, Mikael Abrahamsson wrote:
> On Sat, 31 Mar 2007, Gadi Evron wrote:
> > In this case, we speak of a problem with DNS, not sendmail, and not bind.
> The argument can be made that you're trying to solve a Windows problem by 
> implementing blocking in DNS.
> Next step would be to ask all access providers to block outgoing UDP/53 so 
> people can't use open resolvers or machines set up to act as resolvers for 
> certain DNS information that the botnets need, as per the same analysis 
> that blocking TCP/25 stops spam.
> So what you're trying to do is a pure stop-gap measure that won't scale in 
> the long run. Fix the real problem instead of trying to band-aid the 
> symptoms.

The real problem? Okay, I'd like your ideas then. :)

What we are referring to here is not just malware, phishing, DDoS (rings a
bell, root servers?) and other threats. It is about the DNS being
manipulated and abused and causing instability across the board, only not
in reachability and availability, which is the infrastructure risk already
being looked after.

Hijacking may be resolved by DNS-SEC, this isn't.

If an A record with a low TTL can be changed every 10 minutes, that means
no matter what the problem is, we can't mitigate it. There are legitimate
reasons to do that, though.

The C&C for a botnet would not disappear, as it would be half way across
the world by the time we see it.
The only constant is the malicious domain name.

If the NS keeps skipping around, that's just plain silly. :)

If we are able to take care of all the rest, and DNS becomes the one facet
which can rewind the wheel, DNS is the problem. It HAS become an
infrastructure for abuse, and it disturbs daily life on the Internet. We'd
like solutions and we raised some ideas - we are willing to accept they
are not good ones, please help us out with better ones?

Or we can look at it from a different perspective:
Should bad guys be able to register thousands of domains with "amazon" and
"paypal" in them every day? Should there be black hat malicious registrars
around? Shouldn't there be an abuse route for domain names?

One problem at a time, please.
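The message above describes the pattern a defender sees when a C&C "keeps skipping around": a domain whose A records change every few minutes behind a low TTL, while the name itself is the only constant. The following is an added example, not code from this thread or from NANOG, of a heuristic detector for that pattern run over passively observed DNS answers. The observation records, the sample domains (flux.example, cdn.example, static.example) and the three thresholds are all constructed assumptions; the /24 grouping is there precisely because of the caveat in the message that low TTLs also have legitimate uses, so a CDN rotating addresses within one network block is not counted as flux.

```python
"""Heuristic fast-flux detector run over constructed DNS observations.

Added example for the thread above (not code from the post or from NANOG).
The thresholds and the sample data are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Observation:
    ts: int            # seconds since epoch when the answer was seen
    name: str          # queried domain
    ttl: int           # TTL on the A records in the answer
    answers: tuple     # A record addresses as dotted-quad strings


# Constructed sample (not real data): flux.example rotates to unrelated
# networks every 10 minutes behind a 600 s TTL; cdn.example also uses a low
# TTL but stays inside one /24; static.example barely changes at all.
SAMPLE = [
    Observation(0,     "flux.example",   600,   ("198.51.100.10", "203.0.113.7")),
    Observation(600,   "flux.example",   600,   ("192.0.2.44", "198.51.100.200")),
    Observation(1200,  "flux.example",   600,   ("203.0.113.99", "192.0.2.130")),
    Observation(1800,  "flux.example",   600,   ("198.51.100.77", "203.0.113.150")),
    Observation(0,     "cdn.example",    60,    ("192.0.2.10", "192.0.2.11")),
    Observation(600,   "cdn.example",    60,    ("192.0.2.12", "192.0.2.10")),
    Observation(1200,  "cdn.example",    60,    ("192.0.2.11", "192.0.2.13")),
    Observation(0,     "static.example", 86400, ("198.51.100.5",)),
    Observation(43200, "static.example", 86400, ("198.51.100.5",)),
]


def summarize(observations):
    """Collapse observations into per-domain churn statistics."""
    stats = {}
    prev = {}
    for o in sorted(observations, key=lambda o: (o.name, o.ts)):
        s = stats.setdefault(o.name, {
            "ips": set(), "nets": set(), "min_ttl": o.ttl,
            "first": o.ts, "last": o.ts, "changes": 0,
        })
        answers = frozenset(o.answers)
        s["ips"] |= answers
        # Group by /24 so a CDN rotating within one block is not counted as flux.
        s["nets"] |= {str(ip_network(f"{a}/24", strict=False)) for a in answers}
        s["min_ttl"] = min(s["min_ttl"], o.ttl)
        s["last"] = o.ts
        # Count an answer-set change only when it differs from the previous one.
        if o.name in prev and answers != prev[o.name]:
            s["changes"] += 1
        prev[o.name] = answers
    for s in stats.values():
        hours = max(s["last"] - s["first"], 1) / 3600
        s["changes_per_hour"] = s["changes"] / hours
    return stats


def flagged(observations, max_ttl=900, min_changes=2, min_nets=3):
    """Names whose answers churn quickly, across several networks, behind a low TTL.

    All three thresholds are assumptions; tune them against your own baseline.
    """
    out = []
    for name, s in summarize(observations).items():
        if (s["min_ttl"] <= max_ttl and s["changes"] >= min_changes
                and len(s["nets"]) >= min_nets):
            out.append(name)
    return sorted(out)


if __name__ == "__main__":
    for name, s in summarize(SAMPLE).items():
        print(f"{name}: {len(s['ips'])} IPs, {len(s['nets'])} /24s, "
              f"min TTL {s['min_ttl']}, {s['changes_per_hour']:.1f} changes/h")
    print("flagged:", flagged(SAMPLE))
```

On the constructed sample only flux.example is flagged: cdn.example churns just as fast but never leaves 192.0.2.0/24, and static.example has a day-long TTL and never changes. In practice the observations would come from passive DNS or resolver query logs, and the /24 heuristic is a stand-in for a proper ASN or prefix lookup.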


More information about the NANOG mailing list