Interesting new dns failures
David Ulevitch
davidu at everydns.net
Tue May 22 21:11:56 UTC 2007
Gadi Evron wrote:
>> People are suggesting it become the rule because nobody is trying
>> anything else.
>
> I was with you up to this sentence. Obviously avoiding the core is key,
> but should we not have the capability of preventing abuse in the core
> rather than mitigating it there? Allowing NS changes with no other
> verification or limitation is silly imo, but I am unsure if it is
> relevant as a solution?
> And who is nobody and why doesn't he try something else? That is a bit
> insulting to nobody. :)
>
> Putting that aside, what do you think nobody should try at
> the edge?
People should try putting the intelligence that we have into software
and hardware. Why can't we put Gadi into an edge device?
I say this tongue-in-cheek, but am a bit serious. You (Gadi) are very
good at looking at interesting trends and more than saying it's a
problem, you are able to come up with a report like the botnet rat-out
reports. We know who the C&C's are. We know who the compromised drones
are. We know all of this. Today.
But very few people (okay, not nobody) are saying, "Hey, why should I
allow that compromised windows box that has never sent me an MX request
before all of the sudden be able to request 10,000 MX records across my
resolvers?" "Why am I resolving a domain name that was just added into
the DNS an hour ago but has already changed NS servers 50 times?"
These questions, and more (but I'm biased to DNS), can be solved at the
edge for those who want them. It's decentralized there. It's done the
right way there. It's also doable in a safe and fail-open kind of way.
This is what I'm talking about.
>
> After all, nobody's security being affected by the edge of some end-user
> machine on the other side of the world is irrelevant to my edge
> security. FUSSP.
>
> DNS abuse is mostly not an edge issue.
I disagree. DNS is the enabler for many many issues which are edge
issues. (Botnets, spam, etc)
-David Ulevitch
> Gadi.
>
>> -David Ulevitch
>>
>>
>
More information about the NANOG
mailing list