[dns-operations] Getting rid of ISP's recursive DNS servers? (Was:Eircom "DNS Attacks" ?
George Barwood
george.barwood at blueyonder.co.uk
Sun Jul 19 20:49:03 UTC 2009
Query repetition is an effective solution to blind spoofing.
I made a resolver that does this, it's at
http://www.george-barwood.pwp.blueyonder.co.uk/DnsServer/
This is the only implementation as yet, to my knowledge.
The theory is described in section 3.1 of this (now expired) internet draft
https://tools.ietf.org/id/draft-barwood-dnsext-fr-resolver-mitigations-08.txt
I might add that I have abandoned section 3.4 (random nonce), as there are a few corner cases that make it difficult to implement successfully, but query repetition works fine.
George
----- Original Message -----
From: "Stephane Bortzmeyer" <bortzmeyer at nic.fr>
To: <dns-operations at mail.dns-oarc.net>
Sent: Saturday, July 18, 2009 10:23 PM
Subject: [dns-operations] Getting rid of ISP's recursive DNS servers?
(Was:Eircom "DNS Attacks" ?
> On Fri, Jul 17, 2009 at 11:17:22AM -0400,
> Keith Mitchell <keith at isc.org> wrote
> a message of 13 lines which said:
>
>> I'm seeing ongoing coverage of this:
>
> An interesting point of view (Paul Jakma is a known BGP guru):
>
> http://pjakma.wordpress.com/2009/07/15/sharing-dns-caches-considered-harmful/
>
> I wonder what do the root name server operators think about his
> suggestion?
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
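As an added illustration of the query-repetition idea in George's message (not code from his resolver or from the draft), the following Python models a resolver that sends each query twice with independent transaction IDs and source ports and accepts an answer only when both responses pass the ID/port check and agree; the probability function assumes the simple model that each forged packet is one independent guess at the ID/port pair.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

TXID_SPACE = 65536          # 16-bit DNS transaction ID
PORT_SPACE = 64512          # ephemeral source ports 1024..65535 (assumption)

@dataclass(frozen=True)
class Query:
    name: str
    txid: int
    sport: int

@dataclass(frozen=True)
class Response:
    name: str
    txid: int
    dport: int
    answer: str

def make_query(name: str) -> Query:
    # Fresh, unpredictable ID and source port for every transmission.
    return Query(name, secrets.randbelow(TXID_SPACE), 1024 + secrets.randbelow(PORT_SPACE))

def accept(q: Query, r: Response) -> bool:
    # The usual blind-spoofing defence: response must match ID and port.
    return r.name == q.name and r.txid == q.txid and r.dport == q.sport

def resolve_with_repetition(name: str, send: Callable[[Query], Optional[Response]],
                            repeats: int = 2) -> Optional[str]:
    """Send the query `repeats` times with independent IDs/ports and return
    the answer only if every repetition is accepted and all answers agree.
    `send` models the transport: it returns the first response that arrives."""
    answers = []
    for _ in range(repeats):
        q = make_query(name)
        r = send(q)
        if r is None or not accept(q, r):
            return None              # forged or lost response: give up
        answers.append(r.answer)
    return answers[0] if all(a == answers[0] for a in answers) else None

def spoof_success_probability(guesses: int, ports: int = PORT_SPACE, repeats: int = 2) -> float:
    """Chance that `guesses` blind forgeries per query are accepted when the
    resolver requires `repeats` independently identified matching answers."""
    p_single = min(1.0, guesses / (TXID_SPACE * ports))
    return p_single ** repeats       # each repetition must be forged consistently
```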