you're not interesting, was Re: another brick in the wall[ed garden]
Tomas L. Byrnes
tomb at byrneit.net
Thu May 14 19:24:26 CDT 2009
Disclaimer: I have a dog in this fight, since ThreatSTOP is dependent on
>From: Mark Andrews [mailto:Mark_Andrews at isc.org]
>Sent: Thursday, May 14, 2009 4:59 PM
>To: John Levine
>Cc: nanog at nanog.org; rs at seastrom.com
>Subject: Re: you're not interesting,was Re: another brick in the
>In message <20090514223605.88104.qmail at simone.iecc.com>, John Levine
>> >Dear Sprint EVDO people,
>> >Your man-in-the-middle hijacking of UDP/53 DNS queries against
>> >nameservers that I choose to query from my laptop on Sprint EVDO is
>> >not appreciated. Even less appreciated is your complete blocking of
>> >TCP/53 DNS queries.
>> If I were an ISP, and I knew that approximately 99.9% of customer
>> queries to random name servers was malware doing fake site phishing
>> misconfigured PCs that will work OK and avoid a support call if they
>> answer the DNS query, with 0.1% being old weenies like us, I'd do
>> Sprint's doing, too.
> And what's the next protocol that is going to be stomped on?
>> If you're aware of a mechanical way for them to tell the difference,
>> we're all ears.
> Well you can't answer a TSIG message without knowing the
> shared secret so you might as well just let it go through
> and avoid some percentage of support calls. Intercepting
> TSIG messages is guaranteed to generate a support call.
> Similarly intercepting "rd=0" is also guaranteed to generate
> a support call. You almost certainly have a interative
> resolver making the query which will not handle the "aa=0"
> Similarly there is no sane reason to block DNS/TCP other than
> they can do it.
[TLB:] I can think of an argument they might make: that it is/could be
used by bots as a fallback. However, redirecting DNS/UDP fits the model
of "providing a better service for the average user";
blocking/redirecting TCP is more likely to break things a savvy user
Maybe someone with clue at Sprint can be persuaded that doing their own
"OpenDNS" for UDP is probably a good thing for most uses, but doing it
for TCP is a bad thing for those users who need TCP.
More information about the NANOG