Great Suggestion for the DNS problem...?

Paul Vixie vixie at
Tue Jul 29 01:24:43 UTC 2008

jra at ("Jay R. Ashworth") writes:

> [ unthreaded to encourage discussion ]
> On Sat, Jul 26, 2008 at 04:55:23PM -0500, James Hess wrote:
>> Nameservers could incorporate poison detection...
>> Listen on 200 random fake ports (in addition to the true query ports);
>> if a response ever arrives at a fake port, then it must be an attack,
>> read the "identified" attack packet, log the attack event, mark the
>> RRs mentioned in the packet as "poison being attempted" for 6 hours;
>> for such domains always request and collect _two_ good responses
>> (instead of one), with a 60 second timeout, before caching a lookup.
>> The attacker must now guess nearly 64 bits in a short amount of time,
>> to be successful. Once a good lookup is received, discard the normal
>> TTL and hold the good answer cached and immutable, for 6 hours (_then_
>> start decreasing the TTL normally).
> Is there any reason which I'm too far down the food chain to see why
> that's not a fantastic idea?  Or at least, something inspired by it?

at first glance, this is brilliant, though with some unimportant nits.

however, since it is off-topic for nanog, i'm going to forward it to
the namedroppers at mailing list and make detailed comments

Paul Vixie
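The decoy-port scheme quoted above, as an added toy model of the resolver-side logic (not code from the thread, from BIND, or from any real resolver); the `GuardedCache` class, its port lists and the `on_response` return values are assumptions, and it omits the transaction-ID and question-section matching a real resolver also performs:

```python
import time
from collections import defaultdict

# Constructed toy model of the decoy-port scheme; not production resolver code.
SUSPECT_HOLD = 6 * 3600   # seconds a name stays marked "poison being attempted"
PIN_TTL = 6 * 3600        # seconds a verified answer is held immutable

class GuardedCache:
    def __init__(self, real_ports, decoy_ports, now=time.time):
        self.real_ports, self.decoy_ports = set(real_ports), set(decoy_ports)
        self.now = now                          # injectable clock for testing
        self.suspect_until = {}                 # name -> when suspicion expires
        self.cache = {}                         # name -> (rdata, expires, pinned_until)
        self.pending = defaultdict(list)        # name -> rdata collected so far
        self.attacks = []                       # (time, port, name, rdata) log

    def suspected(self, name):
        return self.suspect_until.get(name, 0) > self.now()

    def lookup(self, name):
        entry = self.cache.get(name)
        return entry[0] if entry and entry[1] > self.now() else None

    def on_response(self, dst_port, name, rdata, ttl):
        """Classify one UDP reply: 'attack', 'dropped', 'pending' or 'cached'."""
        t = self.now()
        if dst_port in self.decoy_ports:
            # No query was ever sent from a decoy port, so this reply is forged.
            self.attacks.append((t, dst_port, name, rdata))
            self.suspect_until[name] = t + SUSPECT_HOLD
            self.pending.pop(name, None)        # restart collection for this name
            return "attack"
        if dst_port not in self.real_ports:
            return "dropped"
        entry = self.cache.get(name)
        if entry and entry[2] > t:
            return "dropped"                    # pinned answer is immutable
        seen = self.pending[name]
        seen.append(rdata)
        needed = 2 if self.suspected(name) else 1
        if len(seen) < needed:
            return "pending"
        if len(set(seen)) != 1:                 # two answers disagree: one is forged
            self.pending[name] = []
            return "pending"
        self.pending.pop(name)
        if self.suspected(name):                # ignore TTL: pin, then count down normally
            self.cache[name] = (rdata, t + PIN_TTL + ttl, t + PIN_TTL)
        else:
            self.cache[name] = (rdata, t + ttl, 0)
        return "cached"
```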
