[dns-operations] A DNS and network security forced marriage

Andrew Sullivan ajs at shinkuro.com
Fri Mar 12 17:48:12 UTC 2010 

On Fri, Mar 12, 2010 at 11:04:32AM -0600, Stephen L Johnson wrote:
> Our security group can gather the DNS domains that are being used by the
> botnet control servers. The idea is to place the botnet control domains
> as authoritative domains as poison pills for the infected PC/servers.
> This list of poison pill domains would be automated to be updated
> automatically every 15-30 minutes.

My personal reaction to this, every time I encounter it as a
suggestion, is that it's a very invasive procedure being used to
treat, not terribly well, a problem that ought to be rooted out
elsewhere.

First, it seems to me that your real problem is that you have a lot of
botnet difficulty.  That seems to be something that would be better
tackled head on.  But I realise it's hard to do, and with limited
staff nearly impossible.

Second, it's not plain to me that you'll be effective.  Your list
update time is too long, given that TTLs could be set very low (so
that the botnet control domain can move around faster than your 15-30
minute update time).

Third, there's potential for damage: the natural thing for botnets to
do is to try to get their control domain under a domain you really
need to talk to.

Fourth, it's by no means impossible for the botnet infections to adapt
by delivering resolution some other way.  The next step will be to
block port 53 and force everything to use your nameserver, and soon
responsible use of the network by advanced users will be nearly
impossible.

Fifth, anything that encourages people to start handing out
authoritative responses for domains that aren't under their control
makes me very uncomfortable.  Lying in the DNS "for the good of all"
is how we got the monetized redirects at ISPs.

Finally, if the botnets adapt and this measure becomes ineffective
(and given everything else we've seen, it will -- the question is just
how long it will take), this measure will still be sludge hanging
around in your network forever.

So I'd push against it.  But it'll probably work most of the time, for
some value of "work".  Keep in mind that maintaining those lists is
going to be much harder than you think, and you're going to need
whitelisting capabilities and ways for people to work around this
reliably, in case something goes wrong (or else live with the
consequences of cutting someone off to a legitimate site by accident).
Once you have this exception mechanism, though, I'd be astonished if
the botnets didn't figure out how to use it.

A

-- 
Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.

More information about the dns-operations mailing list