[dns-operations] "Rogers: NXDOMAIN means NXSERVICE for you"

Michael Sinatra michael at rancid.berkeley.edu
Wed Jan 3 23:46:15 UTC 2007

Hi Matto:

Matt Ghali wrote:
> On Wed, 3 Jan 2007, Fergie wrote:
>> I file this under "Stupid DNS Tricks". :-)
> Indeed. It really is a half baked solution; but it is good to see 
> them trying to address the zombie problem at all..
>> It's easy to see that, if the checks are not made somewhat more
>> bulletproof, you senselessly cut off your downstream customers.
> It's also likely that the heuristics work extremely well for the 
> 99.98 customers using their resolvers, who have a few random Windows 
> boxes behind their CPE.
> Anyone doing anything more complex than that really should be 
> running their own caching nameserver, for a variety of reasons 
> besides this anyway.

Of course, what's to stop the botnet controllers from installing their 
own caching resolvers on the 0wned machines?  It seems that Rogers's 
tactic is as easily defeated by the zombies as it is by any legitimate 
user who installs his/her own caching resolver.  It can't be too hard to 
implement a caching-only resolver that has a hardcoded root-hints file, 
or forwards to a hardcoded set of resolvers (either 0wned ones or 
misconfigured or otherwise open recursive resolvers) and caches the 
results.  This can easily be bundled in with the botnet malware.

> Lets be careful about demonizing ISPs for not addressing the zombie 
> problem, and then demonizing them again for trying to be more 
> responsible.

Sure, it raises the bar, but when it inconveniences legitimate users and 
only raises the bar a portion of the way, is it really a great idea? 
No, I wouldn't demonize Rogers for this, but I agree with the article 
that it could (and should) be better implemented.  The problem is, how 
much work do you want to do to implement something that seems to be 
easily defeated anyway?


More information about the dns-operations mailing list