[dns-operations] DNS whitelisting

David Ulevitch davidu at everydns.net
Tue Mar 7 22:42:10 UTC 2006

On Mar 7, 2006, at 2:04 PM, Gadi Evron wrote:

> Okay, well - not on the protocol level, a DNS server which is  
> registered
> with a white-list is one more reason to "trust" it. You don't have to
> have every DNS server in the world. The ones we may have on such a  
> list
> will still be of some added value.

Note: The good authoritative DNS servers rarely change, occasional  
additions.  The bad authoritative DNS servers change with extreme  
frequency in the range of hours or minutes.
Remember how fast flux uses this in the same way for A records and  
such -- it also happens to NS records, albeit a bit slower.  I, and  
others, are now tracking this. (more to come later)

> Caveats:
> Defining what Trust is, i.e., can be as simple as checked once a  
> week to
> make sure it doesn't allow relay from the world.

> It's a use-if-you-like list, I don't see it as a FUSSP and it's a good
> start for a future blacklisting possibility to page the community.

When things don't work because some network operator is blocking your  
listed DNS resolver I doubt the first thing anyone will think is  
"Gee, I must be running an open DNS resolver and thus have been added  
to a blacklist."  That comes about 1000th after "check cables, whois,  
zones, power, ping, gods, demons, daemons, karma, lottery numbers,  
weather, etc."

linuxbox.org was an open DNS relay -- should I really be blocking its  
users from resolving our ~1,000,000 resource records at everydns?  I  
don't think so.  Plus, how would you ever be able to send me email  
again? ... on second thought... j/k :-)

David Ulevitch

More information about the dns-operations mailing list