[dns-operations] DNS whitelisting
David Ulevitch
davidu at everydns.net
Tue Mar 7 22:42:10 UTC 2006
On Mar 7, 2006, at 2:04 PM, Gadi Evron wrote:
> Okay, well - not on the protocol level, a DNS server which is registered
> with a white-list is one more reason to "trust" it. You don't have to
> have every DNS server in the world. The ones we may have on such a list
> will still be of some added value.
Note: The good authoritative DNS servers rarely change; there are occasional
additions. The bad authoritative DNS servers change with extreme
frequency, in the range of hours or minutes.
Remember how fast flux uses this in the same way for A records and
such -- it also happens to NS records, albeit a bit slower. I, and
others, are now tracking this. (more to come later)
> Caveats:
> Defining what Trust is, i.e., can be as simple as checked once a week to
> make sure it doesn't allow relay from the world.
> It's a use-if-you-like list, I don't see it as a FUSSP and it's a good
> start for a future blacklisting possibility to page the community.
When things don't work because some network operator is blocking your
listed DNS resolver I doubt the first thing anyone will think is
"Gee, I must be running an open DNS resolver and thus have been added
to a blacklist." That comes about 1000th after "check cables, whois,
zones, power, ping, gods, demons, daemons, karma, lottery numbers,
weather, etc."
linuxbox.org was an open DNS relay -- should I really be blocking its
users from resolving our ~1,000,000 resource records at everydns? I
don't think so. Plus, how would you ever be able to send me email
again? ... on second thought... j/k :-)
Best,
David Ulevitch
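The "checked once a week to make sure it doesn't allow relay from the world" test discussed above comes down to one recursive query for a name the server is not authoritative for, and a look at the RA bit, RCODE and answer count of the reply. The following is an example added by the editor, not code from the list post or from everydns: it builds the probe query, classifies a raw reply, and includes three constructed sample replies (not captures) so it runs offline. The probe name `example.com`, the transaction ID, the three-way open/refused/closed split and the `probe()` helper are the editor's assumptions; real servers also return SERVFAIL or empty NOERROR replies, which the classifier reports separately instead of guessing.

```python
"""Check whether a nameserver recurses for a zone it does not serve, i.e.
whether it is an "open DNS relay" in the sense used in the thread.
Added example; not code from the list post.

Assumptions (editor's, not from the original message):
  * example.com is a name the tested server should not be authoritative for;
  * RA=1 plus answer records for that name => open resolver;
    RCODE 5 (REFUSED) => refused; RA=0 and no answer => closed;
    RA=1 with any other outcome is reported separately.
"""
import socket
import struct

PROBE_NAME = "example.com"   # assumption: a name outside the server's zones
TXID = 0x1234                # fixed ID so replies can be matched offline

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(qname: str = PROBE_NAME, txid: int = TXID) -> bytes:
    """A/IN query with only RD set (flag word 0x0100), one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def parse_flags(flags: int) -> dict:
    """Split the 16-bit header flag word (RFC 1035 section 4.1.1)."""
    return {
        "qr": (flags >> 15) & 1,
        "aa": (flags >> 10) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
    }


def classify_response(resp: bytes, txid: int = TXID) -> str:
    """Reduce a raw reply to one verdict string."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        return "txid-mismatch"
    f = parse_flags(flags)
    if not f["qr"]:
        return "not-a-response"
    if f["rcode"] == 5:
        return "refused"            # what a properly closed authoritative server sends
    if f["ra"] and f["rcode"] == 0 and ancount > 0:
        return "open-resolver"      # it recursed for us and returned data for a foreign name
    if f["ra"]:
        return "recursion-advertised:" + RCODE_NAMES.get(f["rcode"], str(f["rcode"]))
    return "closed"                 # no RA, no answer: it did not relay


def build_response(flags: int, with_answer: bool,
                   qname: str = PROBE_NAME, txid: int = TXID) -> bytes:
    """Constructed reply for offline testing (not a capture): echoes the question and
    optionally appends one A record whose name is a compression pointer to offset 12."""
    ancount = 1 if with_answer else 0
    pkt = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    pkt += encode_name(qname) + struct.pack("!HH", 1, 1)
    if with_answer:
        # pointer, TYPE A, CLASS IN, TTL 300, RDLENGTH 4, 192.0.2.1 (documentation range)
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return pkt


# Constructed sample replies: QR|RD|RA (0x8180), QR|RD|RCODE=5 (0x8105), QR|RD (0x8100).
SAMPLE_OPEN = build_response(0x8180, with_answer=True)
SAMPLE_REFUSED = build_response(0x8105, with_answer=False)
SAMPLE_CLOSED = build_response(0x8100, with_answer=False)


def probe(server: str, timeout: float = 3.0) -> str:
    """Live UDP probe against a real server (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-reply"
    return classify_response(data)


if __name__ == "__main__":
    for label, pkt in (("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED), ("closed", SAMPLE_CLOSED)):
        print(label, "->", classify_response(pkt))
```

A single probe of this kind is what a weekly whitelist check would need per listed server; it says nothing about whether the server's zones are legitimate, which is the point made above about the list being one more signal rather than a replacement for judgement.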