Interesting new dns failures

David Ulevitch davidu at
Tue May 22 21:11:56 UTC 2007

Gadi Evron wrote:

>> People are suggesting it become the rule because nobody is trying 
>> anything else.
> I was with you up to this sentence. Obviously avoiding the core is key,
> but should we not have the capability of preventing abuse in the core
> rather than mitigating it there? Allowing NS changes with no other
> verification or limitation is silly imo, but I am unsure if it is
> relevant as a solution?
> And who is nobody and why doesn't he try something else? That is a bit
> insulting to nobody. :)
> Putting that aside, what do you think nobody should try at
> the edge?

People should try putting the intelligence that we have into software 
and hardware.  Why can't we put Gadi into an edge device?

I say this tongue-in-cheek, but am a bit serious.  You (Gadi) are very 
good at looking at interesting trends and more than saying it's a 
problem, you are able to come up with a report like the botnet rat-out 
reports.  We know who the C&C's are.  We know who the compromised drones 
are.  We know all of this.  Today.

But very few people (okay, not nobody) are saying, "Hey, why should I 
allow that compromised windows box that has never sent me an MX request 
before all of the sudden be able to request 10,000 MX records across my 
resolvers?"  "Why am I resolving a domain name that was just added into 
the DNS an hour ago but has already changed NS servers 50 times?"

These questions, and more (but I'm biased to DNS), can be solved at the 
edge for those who want them.  It's decentralized there.  It's done the 
right way there.  It's also doable in a safe and fail-open kind of way.

This is what I'm talking about.

> After all, nobody's security being affected by the edge of some end-user
> machine on the other side of the world is irrelevant to my edge
> security. FUSSP.
> DNS abuse is mostly not an edge issue.

I disagree. DNS is the enabler for many many issues which are edge 
issues.  (Botnets, spam, etc)

-David Ulevitch

> 	Gadi.
>> -David Ulevitch

More information about the NANOG mailing list