[dns-operations] Too Open (Was: OpenDNS makes your Internet work better
ka at pacific.net
Wed Jul 12 18:55:37 UTC 2006
Paul Vixie wrote:
>>> 3. because i want to keep DNS open to non-web applications.
>> I want to point out what we're releasing today in a test form for greater
>> things to come:
>> I hope this takes care of issues #1, #2, and #3.
> no, it won't take #3 off the table, since it's not the prefs i select which
> give rise to #3 -- rather, it's the prefs others select. the mere existence
> and availability of, as well as the default of, a feature whereby NXDOMAIN is
> remapped to NOERROR/ANCOUNT>0 with an A RR pointing at an "ad server" will
> have the effect of disincenting future non-web applications from using DNS.
> the thinking is, "if this name is wrong, i'm going to get back a funny A RR
> rather than an NXDOMAIN, which i'll then have to code workarounds for."
Software that depends on being able to resolve hostnames that resolve to
RFC1918 IPs or other hostnames in a DMZ will at minimum put the name on
the wire, in the OpenDNS database, as well as breaking the software.
This is a security issue that the OpenDNS site isn't clear enough about.
OpenDNS is a web-centric, home user service, and it should be sold as
such, with proper warnings for all others. I could find very little
about the issue on the OpenDNS site, however this was in a recent blog
entry on the site:
> Internal resources — for example, a web tool you might use for
> reporting vacation days — often takes advantage of local DNS resolution.
> In that case, using OpenDNS may prevent you from getting to those
> resources and you will have to turn off OpenDNS while you use them.
> There is no logical way for us to address internal resources, yet.
No mention of the information disclosure that takes place.
>> This should also make clear that a Site Finder comparison is inappropriate.
> according to http://www.icann.org/committees/security/ssac-report-09jul04.pdf
> and http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html, the above
> stated concern also applied to sitefinder.
>> Back to our regularly scheduled DNSSEC threads... ;-)
> not so fast.
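The behaviour the thread argues about (an NXDOMAIN rewritten into NOERROR/ANCOUNT>0 carrying an A RR) is something a client can detect from the response header alone. The following is an added example, not code from the thread or from OpenDNS: it builds a minimal A query, parses the header and answer section of a reply per RFC 1035, and flags a reply that answers a name which cannot exist with an A record. The sample responses are constructed in-line (the 192.0.2.10 "ad server" address is an RFC 5737 documentation address, and the probe label under .invalid is an assumption chosen because RFC 2606 reserves it). The live probe function is included for completeness and is not exercised offline.

```python
import random
import socket
import struct

# Constructed example: distinguish an honest NXDOMAIN from an NXDOMAIN that a
# resolver has rewritten into NOERROR/ANCOUNT>0 with an A RR.
# Header layout (RFC 1035): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted hostname in DNS wire format (length-prefixed labels, zero byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qid=0x1234):
    """Build a standard A/IN query with RD set; returns the wire bytes."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def skip_name(packet, offset):
    """Return the offset just past a (possibly compressed) name starting at `offset`."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return offset + 2
        offset += 1 + length


def classify_response(packet):
    """Parse header and answer section; return (rcode name, ANCOUNT, [A addresses])."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):
        offset = skip_name(packet, offset) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        offset = skip_name(packet, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(rdata))
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode), an, addrs


def build_response(query, rcode, a_records=()):
    """Fabricate a reply to `query`; used here only to construct sample traffic."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    flags = 0x8180 | rcode  # QR, RD, RA set, plus the RCODE
    header = struct.pack("!HHHHHH", qid, flags, 1, len(a_records), 0, 0)
    answers = b""
    for addr in a_records:
        # owner name = pointer to the question name at offset 12; type A, class IN, TTL 60
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return header + question + answers


def looks_rewritten(packet):
    """True when a probe for a name that cannot exist comes back with an A RR
    under NOERROR instead of NXDOMAIN, i.e. the resolver is remapping NXDOMAIN."""
    rcode, ancount, addrs = classify_response(packet)
    return rcode == "NOERROR" and ancount > 0 and len(addrs) > 0


def probe_resolver(server, timeout=2.0):
    """Live check against a resolver (not run offline): query a random label under
    .invalid, which RFC 2606 reserves and which must never resolve."""
    name = "probe-%08x.invalid" % random.getrandbits(32)
    query = build_query(name, qid=random.getrandbits(16))
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    finally:
        sock.close()
    if data[:2] != query[:2]:
        raise ValueError("response ID does not match query ID")
    return classify_response(data), looks_rewritten(data)


# Constructed sample traffic: one query answered honestly, then rewritten.
QUERY = build_query("no-such-host.example.invalid")
HONEST = build_response(QUERY, 3)                     # NXDOMAIN, ANCOUNT=0
REWRITTEN = build_response(QUERY, 0, ["192.0.2.10"])  # NOERROR, ANCOUNT=1, A -> "ad server"
```

An application that expects NXDOMAIN for a missing name can run this kind of probe at startup and refuse to trust negative answers from a rewriting resolver; from the operator's side, the same header fields (RCODE and ANCOUNT for names that should not exist) are what to alert on when a resolver's behaviour changes.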