[dns-operations] DNS deluge for x.p.ctrc.cc
matt at snark.net
Fri Mar 3 04:21:40 UTC 2006
On Thu, 2 Mar 2006, Geo. wrote:
> I mean I can tell you right now what's going to happen if we eliminate open
> recursive dns, people are going to run a dns server on their own machine
> (it's not like a small dns caching only server takes up much room) and then
> all the desktop systems are going to start talking directly to the hints
> file servers. The advantages of caching dns for thousands of desktops will
> dissapear and the loads will shift upstream. It'll happen this way because
> it's the easiest fix for machines that wander from zone to zone in a
> wireless world.
I dont know what sort of mobile users you hang around with, but all
of the mobile users I am aware of let either PPP or DHCP tell their
computers which perfectly apropriate recursing nameserver they
should talk to.
The color of sky in a universe where my wife would rather run a
nameserver on her iBook then accept the one automagically configured
for her via DHCP must be lovely.
Honestly, I had no idea so many recursing servers were still open;
and assumed that the few that were, were that way because of
inaction. I had no clue that there was a constituent of operators
nutty enough to consider open recursive service not only needed, but
I might simply be ignorant. If you can give me a plausible
common scenario where a user would need to resort to a random open
recursing nameserver, i'm all ears.
By the way, geo is right. Abuse of open caching recursive
nameservers is a symptom, and open access to them isnt the problem.
Bad people being able to spoof traffic is the problem.
Even if we magically lock down all the open recursing nameservers,
the baddies can still spoof queries to authoritative nameservers for
domainkey TXT records, DHCID, SSHFP, or NAPTR records, or any of the
multitude of horking huge blobs of random crap that make DNSSEC the
horror that it is.
What will we do then? Not sure how we "lock down" the autoritative
nameservers; their job is answering questions.
So we're back at increasing adoption of BCP38 as the only real
solution, and the only way i see that happening is when it hurts
financially/operationally to *not* adopt. And the only way that will
happen is for the abuse to grow. Same with open SMTP relays.
These really are known economic/sociological problems, and arent new
by any stretch of the imagination. Fancy engineering will never,
ever trump human nature.
--matt at snark.net------------------------------------------<darwin><
The only thing necessary for the triumph
of evil is for good men to do nothing. - Edmund Burke
More information about the dns-operations