[dns-operations] Best Practices in DNS security

Geo. geoincidents at nls.net
Sun Mar 19 16:42:47 UTC 2006


> if your software can't do the right thing, you can either buy more
> hardware or change your software.

The open relay problem didn't go away until MS fixed Exchange so it didn't
install as an open relay and until customers had the current version so the
old versions were no longer being installed. Until that point in time all
ISPs played whack-a-mole with open relay mail servers.

I know from your point of view it looks like a simple "pick other software"
solution, but it doesn't work that way. Most dns servers are not run by ISPs;
they are run by companies whose admins install new and reinstall old
software every day. As an ISP I do not want to spend the next 5 years of my
life chasing down open recursive servers like I did with open relays,
ESPECIALLY when NOBODY on my network can use this attack because you can't
spoof from my network.

Why don't YOU clean up the mess this time and go get those other ISPs who
don't filter spoofed outbound traffic? Oh, I forgot, this way you shove the
work off onto someone else and you can just sit back and complain. This way
you can automate blacklisting and you don't actually have to do any work,
but us ISPs, well, we get to play whack-a-mole for the next 5 years until MS
and every other dns maker on the planet makes their software comply by
default.

Before that happens, I'm here to tell you this is not an optimal solution;
let's stop for a minute and thoroughly explore the other options now that I've
pointed out how unacceptable this is going to be to every ISP on the planet.

The problem is not dns, it's spoofing UDP traffic. There are other
alternatives; the big stumbling block is detecting who still isn't BCP38
compliant and finding a way to make them compliant, or getting their backbone
connections to make them compliant. Anyone have any ideas on that?

Geo.
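As an added illustration of the "comply by default" point in the message above (example configuration written for this page, not anything posted by the author or taken from the dns-operations list): in BIND 9 named.conf syntax, the first fragment is the kind of install-time default the post complains about, where any host on the Internet can send the server recursive queries, so spoofed queries are answered toward whatever source address was forged. The second fragment is the alternative, with recursion limited to the operator's own prefixes. The two fragments are alternatives, not one file; the prefixes 192.0.2.0/24 and 2001:db8::/32 are documentation ranges standing in for the operator's real networks.

```conf
// Fragment 1: open-by-default resolver (the situation the post describes).
// Recursion is on and nothing restricts who may ask for it, so this server
// will do lookups for, and send answers to, any source address on the Internet.
options {
    recursion yes;
    // no allow-recursion statement: with older defaults this means "everyone"
};

// Fragment 2: recursion restricted to the operator's own networks.
// The ACL lists placeholder prefixes (documentation ranges, not real networks);
// an operator substitutes the prefixes actually assigned to their customers.
acl "local-nets" {
    localhost;          // built-in ACL: the server's own addresses
    192.0.2.0/24;       // placeholder IPv4 customer range
    2001:db8::/32;      // placeholder IPv6 customer range
};

options {
    recursion yes;
    allow-recursion   { "local-nets"; };  // recursive lookups only for listed prefixes
    allow-query-cache { "local-nets"; };  // cached answers likewise (BIND 9.4 and later)
    // allow-query may stay open if this host also serves authoritative zones,
    // since answering for its own zones does not require recursion.
};
```

A server that is authoritative-only has no need for `recursion yes;` at all and can simply set `recursion no;`. After reloading, an operator can confirm the change by sending a recursive query for a name outside their own zones from an address not covered by the ACL; the expected result is a REFUSED response rather than an answer. Note that this closes only the resolver side of the problem the post describes; the spoofed-source side remains a matter of BCP38 ingress filtering at the network edge.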
