[dns-operations] Too Open (Was: OpenDNS makes your Internet work better

Peter Dambier peter at peter-dambier.de
Fri Jul 14 09:57:49 UTC 2006

Rodney Joffe wrote:
> On Jul 12, 2006, at 1:03 AM, Brad Knowles wrote:
>>IIRC, OpenDNS is using anycast routing tricks, right?  Didn't we have
>>a knock-down, drag-out fight a while back over the evil that we've
>>seen happen with other pure-anycast TLD operators?  I mean, I know
>>that some of the root servers are doing anycast, but there are other
>>root servers that are pure unicast, and that should hopefully resolve
>>the routing weirdness issues for them.
>>Or am I mis-remembering things?
> I believe so. Could you perhaps expand on your belief that a pure  
> anycast TLD implementation is evil?

I have been "digging" into the history of a certain Cyberbunker.

That Cyberbunker used to be the heart of the Public-Root. For those who
do not already know it, one of the most successful alternative roots.

There used to be an address range for anycasted rootservers. That
address space was populated with rootservers distributed around the
globe. They never managed real anycast. They always kept them on
different ip4 addresses.

Digging further in the history of that Cyberbunker I found some
incidents with hackers hitchhiking unused and not so unused ip addresses.

So if you are looking for people managing how to advertise a route, you
have found them. Nevertheless there were places on the globe, that could
not reliably be found.

Seeing there have been places on the globe where you could not put an
anycasted server I am shure there are places on the globe where your
client cannot reach anycasted servers.

Seeing on the other hand how easy it was to hitchhike a route ...

You cannot protect a handful of anycasted routes as easyly as you can
for a unicasted route.

I am afraid the people you want to protect from one phisher are
eposed to another fisher now who is even more dangerous. You dont
need a typo. Taking the correct name gets you lot more hits.

Those guys dont play by the rules. They introduce them. :)

I do need open resolvers for alternative roots because most people do
not know how to query authoritative servers. But all exposed resolvers
are a risk. I guess we will see SoHo routers with builtin resolvers
in the near future. And I mean resolver, not cache.

I am running Bind 9.4.0.a6 side by side with djbdns as resolvers. I
have compiled both of them from the source and I dont trust any
outside resolvers.

I like what OpenDNS does about phishers but I dont like what they
do about DNS - because I dont know what they do.

Kind regards
Peter and Karin

Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com

More information about the dns-operations mailing list