What DNS Is Not

sthaug at nethelp.no sthaug at nethelp.no
Tue Nov 10 14:04:28 UTC 2009


> > When the conficker worms phones home to one of the 50,000 potential
> > domains names it computes each day, there are a lot of IT folks out
> > there that wish their local resolver would simply reject those DNS
> > requests so that infected machines in their network fail to phone
> > home.
> 
> That's an extremely bad idea: many of the domains generated by the
> Conficker algorithm are already registered by a legitimate registrant
> (in .FR: the national railways, a national TV, etc).

It's an idea that needs to be used *with caution*. We did something
similar as part of testing a new DNS product, and found that any such
list of domain names needed to be *manually* vetted before being used
as input to a DNS-based blackhole system. We also found that we had
to explicitly whitelist a number of domains (generated by Conficker
but registered many years ago and pretty clearly legit).

Steinar Haug, Nethelp consulting, sthaug at nethelp.no




More information about the NANOG mailing list