[dns-operations] "Rogers: NXDOMAIN means NXSERVICE for you"
michael at rancid.berkeley.edu
Wed Jan 3 23:46:15 UTC 2007
Matt Ghali wrote:
> On Wed, 3 Jan 2007, Fergie wrote:
>> I file this under "Stupid DNS Tricks". :-)
> Indeed. It really is a half baked solution; but it is good to see
> them trying to address the zombie problem at all..
>> It's easy to see that, if the checks are not made somewhat more
>> bulletproof, you senselessly cut off your downstream customers.
> It's also likely that the heuristics work extremely well for the
> 99.98% of customers using their resolvers, who have a few random Windows
> boxes behind their CPE.
> Anyone doing anything more complex than that really should be
> running their own caching nameserver, for a variety of reasons
> besides this anyway.
Of course, what's to stop the botnet controllers from installing their
own caching resolvers on the 0wned machines? It seems that Rogers's
tactic is as easily defeated by the zombies as it is by any legitimate
user who installs his/her own caching resolver. It can't be too hard to
implement a caching-only resolver that has a hardcoded root-hints file,
or forwards to a hardcoded set of resolvers (either 0wned ones or
misconfigured or otherwise open recursive resolvers) and caches the
results. This can easily be bundled in with the botnet malware.
> Lets be careful about demonizing ISPs for not addressing the zombie
> problem, and then demonizing them again for trying to be more
Sure, it raises the bar, but when it inconveniences legitimate users and
only raises the bar a portion of the way, is it really a great idea?
No, I wouldn't demonize Rogers for this, but I agree with the article
that it could (and should) be better implemented. The problem is, how
much work do you want to do to implement something that seems to be
easily defeated anyway?
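The bypass described above (a host that resolves from hardcoded root hints or forwards to a fixed set of outside resolvers) is invisible to heuristics that run only on the ISP's own resolvers, so the complementary check an operator would want sits at the network edge: which customer hosts send port-53 traffic anywhere other than the ISP resolvers, and whether that traffic looks like iterative resolution (many distinct destinations) or forwarding (a small fixed set). The following is an added example written for this page, not code from the post, from Rogers, or from any product; the resolver addresses and flow records are constructed placeholders from the documentation address ranges.

```python
from collections import defaultdict

# Assumed ISP resolver addresses (placeholders, not real infrastructure).
ISP_RESOLVERS = {"198.51.100.10", "198.51.100.11"}

# Constructed flow records: (client_ip, dst_ip, dst_port). Not captured traffic.
SAMPLE_FLOWS = [
    # Ordinary customer: every DNS query goes to the ISP resolvers.
    ("192.0.2.10", "198.51.100.10", 53),
    ("192.0.2.10", "198.51.100.11", 53),
    ("192.0.2.10", "203.0.113.80", 443),   # not DNS, ignored
    # Host running its own caching resolver from root hints:
    # it talks to many distinct authoritative servers on port 53.
    ("192.0.2.20", "203.0.113.1", 53),
    ("192.0.2.20", "203.0.113.2", 53),
    ("192.0.2.20", "203.0.113.3", 53),
    ("192.0.2.20", "203.0.113.4", 53),
    # Host forwarding to a fixed pair of resolvers outside the ISP.
    ("192.0.2.30", "203.0.113.53", 53),
    ("192.0.2.30", "203.0.113.53", 53),
    ("192.0.2.30", "203.0.113.54", 53),
]


def find_resolver_bypass(flows, isp_resolvers=ISP_RESOLVERS, iterative_threshold=4):
    """Return {client: (label, sorted destinations)} for every client that sends
    port-53 traffic to something other than the ISP's resolvers.

    label is "iterative" when the client reaches at least iterative_threshold
    distinct DNS destinations (what a root-hints resolver looks like from the
    outside) and "forwarding" when it uses a small fixed set of outside resolvers.
    """
    targets = defaultdict(set)
    for client, dst, port in flows:
        if port != 53 or dst in isp_resolvers:
            continue
        targets[client].add(dst)

    result = {}
    for client, dsts in targets.items():
        label = "iterative" if len(dsts) >= iterative_threshold else "forwarding"
        result[client] = (label, sorted(dsts))
    return result


if __name__ == "__main__":
    for client, (label, dsts) in sorted(find_resolver_bypass(SAMPLE_FLOWS).items()):
        print(f"{client}: {label} via {', '.join(dsts)}")
```

Note that this check has exactly the limitation the post points out: a legitimate customer who runs their own caching nameserver produces the same pattern as a host with a resolver bundled into malware, so the output is a list of hosts to look at more closely, not a verdict.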