[dns-operations] Where to find "DNS resolution path corruption"?

Patrik Fältström patrik at frobbit.se
Fri Feb 15 18:51:23 UTC 2008


On 15 feb 2008, at 13.02, Simon Waters wrote:

> On Friday 15 February 2008 11:11, Stephane Bortzmeyer wrote:
>>
>> I'm especially interested in
>> the claim "4 percent, or 68,000 of them [the ORNS]
>
> That is "0.4%" in the original Dark Reading article, you just made the
> scaremongering 10 times worse ;) (0.4% would give 68,000 from 17
> million).
>
> They say ".4", without the leading zero which makes it easy to
> misread.
>
> I doubt 0.4% is significantly different from in the past (although I
> don't have figures to prove that assertion), when accidental poisoning
> episodes were pretty common due to poorly designed and implemented
> resolvers.
>
> I'm willing to believe botnet operators are getting interested in DNS.

My experience with tests in the .SE TLD (that does not allow tasting) is
that 17-21% of the delegations do have some kind of error around the
delegation point. After looking more carefully at the issues, my guess
is that "a good TLD" with education can get that percentage down to
maybe 10%. Lower than that is hard. Very hard.

The 0.4% because of that for me completely disappears in the massive
amount of other problems that exist, most of them because of
misconfiguration of DNS servers in one way or another. It is rounding
error.

That said, I did not in my work look at how many DNS servers have  
problems with the configuration, and it might be that the percentage  
of the servers that are wrong is substantially lower than 20%. How  
low, I do not know. But still magnitudes larger than 0.4%.

And many of those misconfigured delegation points are, I continue to  
claim, easier targets for people that want to do bad things than the  
0.4%.

I hope I am wrong :-)

     Patrik
