Great Suggestion for the DNS problem...?
Jay R. Ashworth
jra at baylink.com
Mon Jul 28 19:05:41 UTC 2008
[ unthreaded to encourage discussion ]
On Sat, Jul 26, 2008 at 04:55:23PM -0500, James Hess wrote:
> Nameservers could incorporate poison detection...
>
> Listen on 200 random fake ports (in addition to the true query ports);
> if a response ever arrives at a fake port, then it must be an attack,
> read the "identified" attack packet, log the attack event, mark the
> RRs mentioned in the packet as "poison being attempted" for 6 hours;
> for such domains always request and collect _two_ good responses
> (instead of one), with a 60 second timeout, before caching a lookup.
>
> The attacker must now guess nearly 64-bits in a short amount of time,
> to be successful. Once a good lookup is received, discard the normal
> TTL and hold the good answer cached and immutable, for 6 hours (_then_
> start decreasing the TTL normally).
Is there any reason, which I'm too far down the food chain to see, why
that's not a fantastic idea? Or at least, something inspired by it?
Cheers,
-- jr 'IANAIE' a
--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Josef Stalin)
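The detection-and-confirmation scheme quoted above, as an added example that is not from the original post or from any resolver's code: a Python simulation of a cache that listens on 200 decoy ports, treats any reply arriving at one of them as a spoof and marks the name it carries as suspect for six hours, requires two matching answers within 60 seconds before caching a suspect name, then holds that answer immutable for six hours before the normal TTL runs. The port numbers, names, addresses and the restart rule for a disagreeing first answer are assumptions.

```python
import random
from dataclasses import dataclass

SUSPECT_WINDOW = 6 * 3600   # RRs stay marked "poison being attempted" for 6 hours
HOLD_IMMUTABLE = 6 * 3600   # a confirmed answer is held immutable for 6 hours
CONFIRM_TIMEOUT = 60        # the two matching answers must arrive within 60 s
DECOY_PORTS = 200           # fake ports listened on beside the real query port

@dataclass
class Entry:
    answer: str
    expires: float          # time the entry leaves the cache
    immutable_until: float  # refreshes are ignored before this time

class PoisonAwareCache:
    def __init__(self, query_port, seed=None):
        self.query_port = query_port
        pool = [p for p in range(1024, 65536) if p != query_port]
        self.decoy_ports = set(random.Random(seed).sample(pool, DECOY_PORTS))
        self.cache, self.suspect, self.pending, self.log = {}, {}, {}, []

    def on_datagram(self, dst_port, name, answer, ttl, now):
        """Process one reply datagram; return True only when an answer is cached."""
        if dst_port in self.decoy_ports:
            # no query was ever sent from a decoy port, so this reply is spoofed
            self.log.append((now, "spoofed reply", name, answer))
            self.suspect[name] = now + SUSPECT_WINDOW
            return False
        if dst_port != self.query_port:
            return False                          # not ours at all; drop it
        cached = self.cache.get(name)
        if cached and cached.immutable_until > now:
            return False                          # held immutable: ignore refresh
        if self.suspect.get(name, 0.0) <= now:
            self.cache[name] = Entry(answer, now + ttl, 0.0)   # normal caching
            return True
        first = self.pending.get(name)
        if first is None or now - first[1] > CONFIRM_TIMEOUT or first[0] != answer:
            # assumption: a stale or disagreeing first answer restarts collection
            self.pending[name] = (answer, now)
            return False
        del self.pending[name]
        # two matching answers: drop the normal TTL, hold 6 h, then let TTL run
        self.cache[name] = Entry(answer, now + HOLD_IMMUTABLE + ttl, now + HOLD_IMMUTABLE)
        return True

    def lookup(self, name, now):
        entry = self.cache.get(name)
        return entry.answer if entry and entry.expires > now else None
```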