Great Suggestion for the DNS problem...?

Michael Smith mksmith at adhost.com
Mon Jul 28 21:24:52 CDT 2008


Hello All:


> From: Paul Vixie <vixie at isc.org>
> Date: Tue, 29 Jul 2008 01:24:43 +0000
> To: Nanog <nanog at merit.edu>
> Subject: Re: Great Suggestion for the DNS problem...?
> 
> jra at baylink.com ("Jay R. Ashworth") writes:
> 
>> [ unthreaded to encourage discussion ]
>> 
>> On Sat, Jul 26, 2008 at 04:55:23PM -0500, James Hess wrote:
>>> Nameservers could incorporate poison detection...
>>> 
>>> Listen on 200 random fake ports (in addition to the true query ports);
>>> if a response ever arrives at a fake port, then it must be an attack,
>>> read the "identified" attack packet, log the attack event, mark the
>>> RRs mentioned in the packet as "poison being attempted" for 6 hours;
>>> for such domains always request and collect _two_ good responses
>>> (instead of one), with a 60 second timeout, before caching a lookup.
>>> 
>>> The attacker must now guess nearly 64-bits in a short amount of time,
>>> to be successful. Once a good lookup is received, discard the normal
>>> TTL and hold the good answer cached and immutable, for 6 hours (_then_
>>> start decreasing the TTL normally).
>> 
>> Is there any reason which I'm too far down the food chain to see why
>> that's not a fantastic idea?  Or at least, something inspired by it?
> 
> at first glance, this is brilliant, though with some unimportant nits.
> 
> however, since it is off-topic for nanog, i'm going to forward it to
> the namedroppers at ops.ietf.org mailing list and make detailed comments
> there.
> -- 
Still off topic, but perhaps a BGP feed from Cymru or similar to block IP
addresses on the list?

Regards,

Mike





More information about the NANOG mailing list