[dns-operations] Where to find "DNS resolution path corruption"?
patrik at frobbit.se
Fri Feb 15 18:51:23 UTC 2008
On 15 feb 2008, at 13.02, Simon Waters wrote:
> On Friday 15 February 2008 11:11, Stephane Bortzmeyer wrote:
>> I'm specially interested in
>> the claim "4 percent, or 68,000 of them [the ORNS]
> That is "0.4%" in the original Dark Reading article, you just made the
> scaremongering 10 times worse ;) (0.4% would give 68,000 from 17
> They say ".4", without the leading zero which makes it easy to
> I doubt 0.4% is significantly different from in the past (although I
> have figures to prove that assertion), when accidental poisoning
> were pretty common due to poorly designed and implemented resolvers.
> I'm willing to believe botnet operators are getting interested in DNS.
My experience with tests in the .SE TLD (that do not allow tasting) is
that 17-21% of the delegations do have some kind of error around the
delegation point. After looking more carefully at the issues, my guess
is that "a good TLD" with education can get that percentage down to
maybe 10%. Lower than that is hard. Very hard.
The 0.4% because of that for me completely disappears in the massive
amount of other problems that exist, most of them because of
misconfiguration of DNS servers in one way or another. It is rounding
That said, I did not in my work look at how many DNS servers have
problems with the configuration, and it might be that the percentage
of the servers that are wrong is substantially lower than 20%. How
low, I do not know. But still magnitudes larger than 0.4%.
And many of those misconfigured delegation points are, I continue to
claim, easier targets for people that want to do bad things than the
I hope I am wrong :-)