[dns-operations] charter, sitefinder, opendns (slashdot today)

Roland Dobbins rdobbins at cisco.com
Fri Feb 16 01:50:33 UTC 2007

On Feb 15, 2007, at 5:33 PM, David Ulevitch wrote:

> And taken to its logical end would mean that all services will run on
> port 80 and we'll just differentiate based on IP address.

And this proposal will lead to more 'censorship' and privacy invasion  
and poor performance because it will spur every infosec-type  
everywhere to demand complete 'inspection'/proxying of HTTP  
everywhere - plus, it benefits the miscreants by making driving legit  
DNS into an obfuscated channel, and compounding the problem of  
teasing out poisoned DNS or DNC C&C/covert channels by a couple of  
orders of magnitude.

Paul, I understand your motivations, but this is -not- a problem  
which needs to be solved at layer-7 by the DNS - the VPN technologies  
are adequate.  This proposal will simply chase more to TCP/80 and/or  
TCP/443, and the last thing we need to be doing is encouraging this  

Besides, if you need non-local DNS in order to evade censorship,  
chances are you need non-local default, anyways, to avoid filtering/ 
snooping/etc.  VPN-type technologies provide this capability.

If you need to bypass local DNS for whatever reason, use a tunnel of  
some kind - but please don't place some kind of 'official' sanction  
on DNS over TCP/80 or TCP/443.  That's the last thing we need, IMHO,  
because the net negatives outweigh the net positives, and technology  
already exists to solve this problem.

Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice

           The telephone demands complete participation.

                       -- Marshall McLuhan

More information about the dns-operations mailing list