[dns-operations] Where to find "DNS resolution path corruption"?

Otmar Lendl ol at bofh.priv.at
Wed Feb 20 19:07:43 UTC 2008


On 2008/02/19 19:02, David Dagon <dagon at cc.gatech.edu> wrote:
> 
> Having hinted at blame this way, I've found some ISPs are considering
> 'locking in' their users who resolve using the ISPs recursive servers;
> an opt-out might preserve e2e for customers who want to use other DNS
> services (e.g., the opt-in OpenDNS).  Or at least these are the ideas
> being considered by those who believe this is not just a Windows
> problem, but their network problem.

A filter rule on the customer's CPE restricting port 53 could
(if done on an opt-in/out basis) be an additional security
feature which an ISP might even sell as a service.

Another aspect of DNS rewriting worms might be worthwhile to note here:

Looking at netflow data, an ISP can rather easily check which user in
his network is neither using his official nameservers, nor running
his own resolver (by checking who talks port 53 to just a handful of
foreign addresses).

I know network operators who run such a query every now and then
to root out infected hosts (after checking which nameservers are
malicious).

/ol
-- 
-=-  Otmar Lendl  --  ol at bofh.priv.at  -=-
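The netflow check described in the message above, worked through as an added example that is not part of the original post or of any operator's tooling: each customer host is bucketed by the port 53 destinations it talks to, hosts that only reach the ISP's own recursive servers are fine, hosts that reach many distinct foreign addresses are assumed to run their own iterative resolver, and the rest (a handful of foreign port 53 peers) are flagged for a closer look at which nameservers they use. The resolver addresses, customer prefix, threshold and the flow records themselves are constructed assumptions, as are all function names.

```python
"""Classify customer hosts by their outbound port 53 peers in flow data.

Added example, not from the mailing-list post. Addresses, the threshold
and the flow export lines below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: the ISP's official recursive nameservers.
OFFICIAL_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
# Constructed: the ISP's customer address space; flows from elsewhere are ignored.
CUSTOMER_SPACE = ip_network("198.51.100.0/24")
# Assumption: a host talking port 53 to at least this many distinct foreign
# addresses is running its own iterative resolver (it contacts many
# authoritative servers), not just pointing at a couple of outside resolvers.
OWN_RESOLVER_MIN_DESTINATIONS = 20
DNS_PORT = 53

# Constructed flow export: src,dst,proto,dport,packets (proto 17 = UDP, 6 = TCP).
SAMPLE_FLOWS = """\
# src,dst,proto,dport,packets
198.51.100.10,192.0.2.53,17,53,1200
198.51.100.10,192.0.2.54,17,53,800
198.51.100.10,203.0.113.80,6,443,50
198.51.100.11,203.0.113.7,17,53,950
198.51.100.11,203.0.113.8,17,53,40
198.51.100.12,192.0.2.53,17,53,300
198.51.100.12,203.0.113.7,17,53,5
203.0.113.50,192.0.2.53,17,53,10
""" + "".join(f"198.51.100.13,203.0.113.{i},17,53,3\n" for i in range(100, 130))


def parse_flows(text):
    """Parse the constructed CSV-style flow export into a list of dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, packets = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": int(proto),
                      "dport": int(dport), "packets": int(packets)})
    return flows


def classify_hosts(flows):
    """Map each customer host to (category, foreign port 53 peers by volume).

    Categories: 'official' (only the ISP resolvers), 'own-resolver'
    (many distinct foreign peers), 'suspicious' (a handful of foreign peers).
    """
    dns_peers = defaultdict(lambda: defaultdict(int))  # src -> {dst: packets}
    for f in flows:
        if f["dport"] != DNS_PORT or f["proto"] not in (6, 17):
            continue
        if ip_address(f["src"]) not in CUSTOMER_SPACE:
            continue
        dns_peers[f["src"]][f["dst"]] += f["packets"]

    result = {}
    for src, peers in dns_peers.items():
        foreign = {d: p for d, p in peers.items() if d not in OFFICIAL_RESOLVERS}
        if not foreign:
            category = "official"
        elif len(foreign) >= OWN_RESOLVER_MIN_DESTINATIONS:
            category = "own-resolver"
        else:
            category = "suspicious"
        result[src] = (category, sorted(foreign, key=lambda d: -foreign[d]))
    return result


def foreign_resolver_popularity(classification):
    """Count how many suspicious hosts use each foreign nameserver.

    A foreign address shared by many customers is the one to check first
    for being a rogue resolver.
    """
    popularity = defaultdict(int)
    for category, foreign in classification.values():
        if category == "suspicious":
            for dst in foreign:
                popularity[dst] += 1
    return dict(popularity)


if __name__ == "__main__":
    classification = classify_hosts(parse_flows(SAMPLE_FLOWS))
    for host, (category, foreign) in sorted(classification.items()):
        print(f"{host:16} {category:13} {', '.join(foreign[:3])}")
    print("foreign nameservers by number of suspicious hosts:")
    for dst, n in sorted(foreign_resolver_popularity(classification).items(),
                         key=lambda kv: -kv[1]):
        print(f"  {dst:16} {n}")
```

Real exports (nfdump, IPFIX, sFlow) carry more fields and much more volume; the point that carries over is the split into three buckets, and that the 'own-resolver' threshold has to be tuned so that a customer running a caching resolver is not confused with one whose hosts file or resolver setting was rewritten to point at two outside addresses.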