[dns-operations] Best Practices in DNS security

Geo. geoincidents at nls.net
Sun Mar 19 16:49:15 UTC 2006

> The ops community keeps failing to communicate the importance of BCPs
> and reasonable functional requirements to a wider public. That's why
> certain vendors (and not only MS) can keep dragging their feet wrt
> fixing their software. The PR-side to such issues is mostly forgotten it
> seems. Relatively minor issues like this one would find their rapid
> resolution if the shit hits the fan in mainstream media (in the proper
> way of course). Then, it would also be harder to get away using
> sub-standard solutions when there's consensus in the industry on how
> things should be.

You are absolutely right: instead of saying "switch DNS server software" we
should be saying "switch to a router that by default implements BCP38".

> The ops-community must communicate minimum requirements to vendors and
> to customers. Products which don't qualify should be blocked from use
> for publicly accessible services.

The problem as the folks on this list are aware is that you can't automate a
blacklist to test for BCP38 compliance because there is no good way to
remotely test it. But now that I think about it maybe there is.

Spoof a request to a DNS server on the subnet you are testing, spoofing it as
the address next to that server, and have it query for one of your domains.
If you get a DNS query for that domain from the IP you are testing, then
they are not filtering inbound traffic for their own netblock addresses.
Build a blacklist service around that test instead of an open recursive DNS
server test.
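As an added illustration (not from the thread), here is the decision a BCP38-compliant border router makes; the second sample packet is the case the proposed test detects, an outside packet carrying an address from the site's own netblock. The prefixes, interface names and packets are constructed.

```python
"""Model of BCP38 ingress/egress filtering at a network border (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the prefixes this site is authorised to source traffic from.
OWN_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("2001:db8::/32")]


@dataclass(frozen=True)
class Packet:
    iface: str      # "wan" = facing the Internet, "lan" = facing our hosts
    src: str        # source address in the IP header
    dst: str
    note: str = ""


def is_own_address(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in OWN_PREFIXES if net.version == a.version)


def bcp38_verdict(pkt: Packet) -> str:
    """Return 'drop' or 'accept'.

    Arriving on wan: a source from our own netblock cannot legitimately come
    from the Internet, so it is spoofed (this is the inbound filtering the
    thread is talking about).  Arriving on lan (i.e. leaving our network):
    a source outside our netblock is spoofed and must not reach the Internet.
    """
    own = is_own_address(pkt.src)
    if pkt.iface == "wan":
        return "drop" if own else "accept"
    if pkt.iface == "lan":
        return "accept" if own else "drop"
    raise ValueError(f"unknown interface {pkt.iface!r}")


def audit(packets):
    return [(p.note, bcp38_verdict(p)) for p in packets]


# Constructed sample traffic.
SAMPLE = [
    Packet("wan", "198.51.100.7", "192.0.2.53", "normal query from outside"),
    Packet("wan", "192.0.2.54", "192.0.2.53", "outside packet claiming our own address"),
    Packet("lan", "192.0.2.53", "198.51.100.7", "our resolver answering"),
    Packet("lan", "203.0.113.9", "198.51.100.7", "inside host using a foreign address"),
    Packet("wan", "2001:db8::1", "2001:db8::53", "IPv6 packet claiming our own prefix"),
]

if __name__ == "__main__":
    for note, verdict in audit(SAMPLE):
        print(f"{verdict:6} {note}")
```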
