[dns-operations] charter, sitefinder, opendns (slashdot today)
Roland Dobbins
rdobbins at cisco.com
Fri Feb 16 01:50:33 UTC 2007
On Feb 15, 2007, at 5:33 PM, David Ulevitch wrote:
> And taken to its logical end would mean that all services will run on
> port 80 and we'll just differentiate based on IP address.
And this proposal will lead to more 'censorship' and privacy invasion
and poor performance because it will spur every infosec-type
everywhere to demand complete 'inspection'/proxying of HTTP
everywhere - plus, it benefits the miscreants by making driving legit
DNS into an obfuscated channel, and compounding the problem of
teasing out poisoned DNS or DNS C&C/covert channels by a couple of
orders of magnitude.
Paul, I understand your motivations, but this is -not- a problem
which needs to be solved at layer-7 by the DNS - the VPN technologies
are adequate. This proposal will simply chase more to TCP/80 and/or
TCP/443, and the last thing we need to be doing is encouraging this
trend.
Besides, if you need non-local DNS in order to evade censorship,
chances are you need non-local default, anyways, to avoid filtering/
snooping/etc. VPN-type technologies provide this capability.
If you need to bypass local DNS for whatever reason, use a tunnel of
some kind - but please don't place some kind of 'official' sanction
on DNS over TCP/80 or TCP/443. That's the last thing we need, IMHO,
because the net negatives outweigh the net positives, and technology
already exists to solve this problem.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice
The telephone demands complete participation.
-- Marshall McLuhan