[dns-operations] Getting rid of ISP's recursive DNS servers? (Was:Eircom "DNS Attacks" ?

George Barwood george.barwood at blueyonder.co.uk
Sun Jul 19 20:49:03 UTC 2009


Query repetition is an effective solution to blind spoofing.

I made a resolver that does this, it's at

http://www.george-barwood.pwp.blueyonder.co.uk/DnsServer/

This is the only implementation as yet, to my knowledge.

The theory is described in section 3.1 of this (now expired) internet draft

https://tools.ietf.org/id/draft-barwood-dnsext-fr-resolver-mitigations-08.txt

I might add that I have abandoned section 3.4 (random nonce), as there are a few corner cases that make it difficult to implement successfully, but query repetition works fine.

George
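As an added illustration of the query-repetition idea George describes (example code written for this page, not taken from his resolver or from the draft): a blind spoofer has to guess the transaction ID of every repeated query, so its success probability drops from p to p^repeats. The model keeps only the 16-bit TXID (no source-port randomisation), and the names and addresses are constructed.

```python
import random

ID_SPACE = 1 << 16   # 16-bit DNS transaction ID; source-port randomisation left out of the model

# Constructed data: the genuine answer and the forgery a blind spoofer wants cached.
GENUINE = {"www.example.test.": "192.0.2.10"}
FORGED_ANSWER = "203.0.113.66"

def resolve_naive(qname, forged_txids, rng=None):
    """One query with a fresh random TXID; the first reply whose TXID matches is accepted.

    forged_txids models the burst of forged replies an off-path spoofer fires before the
    genuine reply arrives, each carrying a guessed TXID. Because the spoofer never sees
    the real TXID, any fixed set of k guesses is equivalent to k random guesses.
    """
    rng = rng or random.SystemRandom()
    txid = rng.randrange(ID_SPACE)
    if txid in forged_txids:
        return FORGED_ANSWER           # the guess hit: a naive resolver caches the forgery
    return GENUINE[qname]

def resolve_repeated(qname, forged_txids, rng=None, repeats=2):
    """Query repetition: ask `repeats` times with independent TXIDs and accept the
    answer only if every reply agrees. A blind spoofer must now hit every TXID."""
    rng = rng or random.SystemRandom()
    answers = {resolve_naive(qname, forged_txids, rng) for _ in range(repeats)}
    if len(answers) == 1:
        return answers.pop()
    return None                        # replies disagree: drop, do not cache, retry later

def poison_rate(resolver, guesses_per_query, trials=4000, seed=1):
    """Monte Carlo estimate of how often `resolver` accepts the forgery when the spoofer
    sends `guesses_per_query` distinct TXID guesses per query (seeded for repeatability)."""
    rng = random.Random(seed)
    forged = frozenset(range(guesses_per_query))   # see resolve_naive for why a fixed set is fine
    poisoned = sum(resolver("www.example.test.", forged, rng) == FORGED_ANSWER
                   for _ in range(trials))
    return poisoned / trials

if __name__ == "__main__":
    k = ID_SPACE // 4                  # spoofer covers a quarter of the ID space per query
    print("naive:   ", poison_rate(resolve_naive, k))        # about 0.25
    print("repeated:", poison_rate(resolve_repeated, k))     # about 0.0625 = 0.25 ** 2
```

Repetition raises the spoofer's cost multiplicatively but does not help against an on-path attacker who can read the TXIDs, and a burst large enough to cover the whole ID space still wins every repetition.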



----- Original Message ----- 
From: "Stephane Bortzmeyer" <bortzmeyer at nic.fr>
To: <dns-operations at mail.dns-oarc.net>
Sent: Saturday, July 18, 2009 10:23 PM
Subject: [dns-operations] Getting rid of ISP's recursive DNS servers? (Was:Eircom "DNS Attacks" ?


> On Fri, Jul 17, 2009 at 11:17:22AM -0400,
> Keith Mitchell <keith at isc.org> wrote
> a message of 13 lines which said:
>
>> I'm seeing ongoing coverage of this:
>
> An interesting point of view (Paul Jakma is a known BGP guru):
>
> http://pjakma.wordpress.com/2009/07/15/sharing-dns-caches-considered-harmful/
>
> I wonder what do the root name server operators think about his
> suggestion?