What DNS Is Not

David Ulevitch davidu at everydns.net
Tue Nov 10 09:17:15 CST 2009


On 11/10/09 9:04 AM, sthaug at nethelp.no wrote:
>>> When the conficker worms phones home to one of the 50,000 potential
>>> domains names it computes each day, there are a lot of IT folks out
>>> there that wish their local resolver would simply reject those DNS
>>> requests so that infected machines in their network fail to phone
>>> home.
>>
>> That's an extremely bad idea: many of the domains generated by the
>> Conficker algorithm are already registered by a legitimate registrant
>> (in .FR: the national railways, a national TV, etc).
>
> It's an idea that needs to be used *with caution*. We did something
> similar as part of testing a new DNS product, and found that any such
> list of domain names needed to be *manually* vetted before being used
> as input to a DNS-based blackhole system. We also found that we had
> to explicitly whitelist a number of domains (generated by Conficker
> but registered many years ago and pretty clearly legit).

This is correct.  And we take this into consideration in determining 
what to block using our existing datasets, which are sufficient 
considering the volume of DNS traffic that crosses our network.

-David




More information about the NANOG mailing list