What DNS Is Not

Valdis.Kletnieks at vt.edu
Tue Nov 10 02:21:54 UTC 2009


On Mon, 09 Nov 2009 15:04:06 PST, Bill Stewart said:

> For instance, returning the IP address of your company's port-80 web
> server instead of NXDOMAIN
> not only breaks non-port-80-http applications

Remember this...

> There is one special case for which I don't mind having DNS servers
> lie about query results,
> which is the phishing/malware protection service.  In that case, the
> DNS response is redirecting you to
> the IP address of a server that'll tell you
>        "You really didn't want to visit PayPa11.com - it's a fake" or
>        "You really didn't want to visit
> dgfdsgsdfgdfgsdfgsfd.example.ru - it's malware".
> It's technically broken, but you really _didn't_ want to go there anyway.
> It's a bit friendlier to administrators and security people if the
> response page gives you the

Returning bogus non-NXDOMAIN gives non-port-80-http apps heartburn as well.
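[Added example, not part of Valdis's or Bill's messages: a small probe that tells an honest resolver from one that substitutes an A record for NXDOMAIN, which is the behaviour both posters are describing. Everything here is an assumption for illustration: the zone example.com, the fixed probe label, the two reply packets (constructed inline, not captured from any real resolver), and the synthetic address 192.0.2.10 from the TEST-NET-1 documentation range. The idea is the standard one: ask for a label nobody could have registered, so the only correct answer is RCODE 3 with an empty answer section; a NOERROR reply carrying an A record means the resolver is lying.]

```python
# Added example: detect a recursive resolver that rewrites NXDOMAIN into a
# synthetic A record. All packets below are constructed for the example;
# none come from the original mailing-list post.
import secrets
import socket
import struct
from typing import Optional

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def encode_name(name: str) -> bytes:
    """Wire-encode a DNS name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txn_id: int) -> bytes:
    """Standard recursive A/IN query: header with RD set, one question, no RRs."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(buf: bytes) -> dict:
    """Extract transaction id, RCODE and any A records in the answer section."""
    txn_id, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4   # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return {"id": txn_id, "rcode": flags & 0xF, "answers": addrs}


def classify(resp: dict, expected_id: int) -> str:
    """Decide what the resolver did with a name that cannot legitimately exist."""
    if resp["id"] != expected_id:
        return "mismatched-id"
    if resp["rcode"] == RCODE_NXDOMAIN and not resp["answers"]:
        return "honest-nxdomain"
    if resp["rcode"] == RCODE_NOERROR and resp["answers"]:
        return "rewriting-resolver"
    return "inconclusive"


def random_probe_name(zone: str) -> str:
    """A label nobody registered, so the only correct answer is NXDOMAIN."""
    return f"{secrets.token_hex(8)}.{zone}"


def probe_resolver(resolver_ip: str, zone: str = "example.com", timeout: float = 2.0) -> str:
    """Live check (needs network, not exercised offline): probe over UDP and classify."""
    txn_id = secrets.randbelow(0x10000)
    query = build_query(random_probe_name(zone), txn_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        reply, _ = s.recvfrom(4096)
    return classify(parse_response(reply), txn_id)


def constructed_reply(txn_id: int, name: str, synthetic_addr: Optional[str]) -> bytes:
    """Constructed resolver reply: honest NXDOMAIN, or NOERROR plus a fake A record."""
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    if synthetic_addr is None:
        header = struct.pack("!HHHHHH", txn_id, 0x8180 | RCODE_NXDOMAIN, 1, 0, 0, 0)
        return header + question
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(synthetic_addr)
    return header + question + answer


PROBE_ID = 0x1234
PROBE_NAME = "e5b1c2d3a4f5b6c7.example.com"   # constructed, fixed for reproducibility
HONEST_REPLY = constructed_reply(PROBE_ID, PROBE_NAME, None)
REWRITTEN_REPLY = constructed_reply(PROBE_ID, PROBE_NAME, "192.0.2.10")  # TEST-NET-1, constructed

if __name__ == "__main__":
    for label, pkt in (("honest", HONEST_REPLY), ("rewriting", REWRITTEN_REPLY)):
        print(label, classify(parse_response(pkt), PROBE_ID))
```

Run against a real resolver with probe_resolver("<resolver ip>"); a "rewriting-resolver" verdict is exactly the case in the thread where an SMTP, SSH or any other non-port-80 client gets handed a web server's address instead of the NXDOMAIN it needed to fail cleanly.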


