[dns-operations] DNS deluge for x.p.ctrc.cc

Matt Ghali matt at snark.net
Fri Mar 3 04:21:40 UTC 2006

On Thu, 2 Mar 2006, Geo. wrote:

> I mean I can tell you right now what's going to happen if we eliminate open
> recursive dns, people are going to run a dns server on their own machine
> (it's not like a small dns caching only server takes up much room) and then
> all the desktop systems are going to start talking directly to the hints
> file servers. The advantages of caching dns for thousands of desktops will
> disappear and the loads will shift upstream. It'll happen this way because
> it's the easiest fix for machines that wander from zone to zone in a
> wireless world.
> Geo.

I don't know what sort of mobile users you hang around with, but all 
of the mobile users I am aware of let either PPP or DHCP tell their 
computers which perfectly appropriate recursing nameserver they 
should talk to.

The color of sky in a universe where my wife would rather run a 
nameserver on her iBook than accept the one automagically configured 
for her via DHCP must be lovely.

Honestly, I had no idea so many recursing servers were still open; 
and assumed that the few that were, were that way because of 
inaction. I had no clue that there was a constituency of operators 
nutty enough to consider open recursive service not only needed, but 
actually critical.

I might simply be ignorant. If you can give me a plausible 
common scenario where a user would need to resort to a random open 
recursing nameserver, I'm all ears.

By the way, geo is right. Abuse of open caching recursive 
nameservers is a symptom, and open access to them isn't the problem. 
Bad people being able to spoof traffic is the problem.

Even if we magically lock down all the open recursing nameservers, 
the baddies can still spoof queries to authoritative nameservers for 
domainkey TXT records, DHCID, SSHFP, or NAPTR records, or any of the 
multitude of horking huge blobs of random crap that make DNSSEC the 
horror that it is.

What will we do then? Not sure how we "lock down" the authoritative 
nameservers; their job is answering questions.

So we're back at increasing adoption of BCP38 as the only real 
solution, and the only way I see that happening is when it hurts 
financially/operationally to *not* adopt. And the only way that will 
happen is for the abuse to grow. Same with open SMTP relays.

These really are known economic/sociological problems, and aren't new 
by any stretch of the imagination. Fancy engineering will never, 
ever trump human nature.


--matt at snark.net------------------------------------------<darwin><
               The only thing necessary for the triumph
               of evil is for good men to do nothing. - Edmund Burke
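Added worked example (editor's code, not part of Matt's post or anything the list published): the arithmetic behind the claim that spoofed queries to an authoritative server for a large TXT record pay off just as well as queries to an open recursor. It hand-builds RFC 1035 wire-format messages offline, so the byte counts are the UDP payload sizes with no IP/UDP headers. The zone name (example.com), the DKIM-style TXT blob and the record TTLs are constructed sample data, and the responder is a deliberately simple model: authoritative answer (AA set), no name compression, no authority/additional sections, and a single rule that a reply larger than the client's UDP limit (512 bytes without EDNS0, otherwise the size advertised in the OPT record) comes back truncated (TC set, no answers). Response rate limiting and other real-server mitigations are not modelled.

```python
"""Amplification arithmetic for spoofed DNS queries, on constructed messages."""
import struct

DNS_TYPE = {"A": 1, "TXT": 16, "OPT": 41}
IN_CLASS = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def encode_txt(text: str) -> bytes:
    """TXT RDATA is one or more <character-string>s of at most 255 bytes each."""
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)] or [b""]
    return b"".join(bytes([len(c)]) + c for c in chunks)


def build_query(qname: str, qtype: str, edns_bufsize: int = 0, txid: int = 0x1234) -> bytes:
    """Recursion-desired query; appends an EDNS0 OPT RR when a buffer size is given."""
    arcount = 1 if edns_bufsize else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", DNS_TYPE[qtype], IN_CLASS)
    if edns_bufsize:
        # OPT pseudo-RR: root owner name, TYPE 41, CLASS field carries the
        # sender's UDP payload size, TTL holds extended RCODE/flags (0), no RDATA.
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE["OPT"], edns_bufsize, 0, 0)
    return msg


def build_response(qname: str, qtype: str, rrs, max_udp: int = 512, txid: int = 0x1234) -> bytes:
    """Authoritative answer echoing the question. rrs: list of (type, ttl, rdata).

    Simplified responder model: if the full reply exceeds max_udp, return a
    truncated reply (TC set, question only) the way a UDP server would.
    """
    question = encode_name(qname) + struct.pack("!HH", DNS_TYPE[qtype], IN_CLASS)
    answers = b""
    for rtype, ttl, rdata in rrs:
        answers += (encode_name(qname)
                    + struct.pack("!HHIH", DNS_TYPE[rtype], IN_CLASS, ttl, len(rdata))
                    + rdata)
    flags = 0x8400  # QR=1, AA=1: this is an authoritative answer, not a recursor's
    full = struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, 0) + question + answers
    if len(full) <= max_udp:
        return full
    return struct.pack("!HHHHHH", txid, flags | 0x0200, 1, 0, 0, 0) + question


def tc_set(response: bytes) -> bool:
    """True when the TC (truncated) flag is set in the header."""
    return bool(struct.unpack("!H", response[2:4])[0] & 0x0200)


def amplification(query: bytes, response: bytes) -> float:
    """Bytes the spoofed victim receives per byte the attacker sent."""
    return len(response) / len(query)


def compare_records(zone: str = "example.com") -> dict:
    """Constructed sample data (not a real zone): a small A record next to a
    DKIM-style TXT blob, the latter queried with and without EDNS0."""
    a_rrs = [("A", 300, bytes([192, 0, 2, 1]))]
    txt_rrs = [("TXT", 300, encode_txt("v=DKIM1; k=rsa; p=" + "A" * 2000))]
    cases = {
        "A": ("A", build_query(zone, "A"), a_rrs, 512),
        "TXT no EDNS0": ("TXT", build_query(zone, "TXT"), txt_rrs, 512),
        "TXT EDNS0 4096": ("TXT", build_query(zone, "TXT", edns_bufsize=4096), txt_rrs, 4096),
    }
    results = {}
    for label, (qtype, query, rrs, bufsize) in cases.items():
        resp = build_response(zone, qtype, rrs, max_udp=bufsize)
        results[label] = {
            "query_bytes": len(query),
            "response_bytes": len(resp),
            "truncated": tc_set(resp),
            "amplification": round(amplification(query, resp), 2),
        }
    return results


if __name__ == "__main__":
    for label, r in compare_records().items():
        print(f"{label:16s} {r['query_bytes']:4d} -> {r['response_bytes']:5d} bytes"
              f"  x{r['amplification']:.2f}  TC={r['truncated']}")
```

Two things worth noticing in the output. First, nothing about this exchange involves recursion: the responder sets AA, so closing every open recursor on the planet leaves it untouched. Second, the payoff is capped at 512 bytes until the attacker adds an OPT record advertising a big buffer, which costs them eleven bytes; the large-record amplification the post describes is therefore an EDNS0-era phenomenon, and the only thing that makes the spoofed query fail to arrive at all is source-address filtering (BCP38) at the network it left from.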
