[dns-operations] A DNS and network security forced marriage

Stephen L Johnson stephen.johnson at arkansas.gov
Fri Mar 12 17:04:32 UTC 2010


Hello all. I've been subscribed for quite a while. This list has been
very helpful to me. And I've enjoyed the discussions of various topics
on the list. And now I'm faced with a dilemma with a marriage of network
security and DNS operations.

After many years things are happening which will finally allow me to
split our servers into authoritative-only servers and name caching
servers (i.e. resolvers only). An utterly brilliant (or hare-brained)
idea has emerged from our network security group to fight botnets on our
network. The idea is to use the caching name servers to lobotomize the
botnet. At least those bots on our network.

Our security group can gather the DNS domains that are being used by the
botnet control servers. The idea is to place the botnet control domains
as authoritative domains as poison pills for the infected PCs/servers.
This list of poison pill domains would be updated automatically every
15-30 minutes.

As a system admin I would have no difficulties in setting up the name
caching server to do this. But the hostmaster in me is saying this is a
bad idea. I already see issues with botnet domain gathering being
poisoned by the bad guys. I can foresee scenarios of major legitimate
domains showing up in the poison domain list.

My gut is also telling me that this is a bad idea from an operations
point of view. But I'm not able to articulate why it would be a bad
idea. This is getting way outside my area of expertise with DNS. So I'm
putting the question to the DNS experts. Is this a good idea, or not?
-- 
Stephen L Johnson  <stephen.johnson at arkansas.gov>
Unix Systems Administrator / DNS Hostmaster
Department of Information Systems
State of Arkansas
501-682-4339
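One guardrail for the scenario the post worries about (a legitimate or internal domain landing in the automated poison-pill feed) is to vet each feed update against the resolver's own protected zones and a per-cycle growth cap before generating the authoritative zone stanzas. The following is an added example, not code from the original post or from any product; the feed, the protected-domain list, the cap and the zone file path are constructed sample values.

```python
"""Vet an automated 'poison pill' domain feed before a caching resolver is
made authoritative for those names.  Feed, allowlist and paths are constructed."""
import re

# Constructed sample feed: what an automated C2-domain gatherer might hand over.
FEED = ["EvilC2.example.", "mail.ARKANSAS.gov", "bad.example", "example.com",
        "com", "not valid!", "drop.example"]
# Domains the resolver must never sinkhole: own zones and critical dependencies.
PROTECTED = ["arkansas.gov", "example.com", "in-addr.arpa"]
MAX_NEW_PER_CYCLE = 5   # a sudden flood suggests a poisoned feed; hold for review

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(name):
    """Lowercase, strip the trailing dot; None if not a syntactically valid name."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL.match(l) for l in labels):
        return None
    return name

def related(a, b):
    """True if a == b, a is under b, or b is under a (either would hijack the other)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def vet(feed, protected, max_new):
    """Return (accepted, rejected); rejected maps the raw feed entry to a reason."""
    accepted, rejected = [], {}
    for raw in feed:
        name = normalize(raw)
        if name is None:
            rejected[raw] = "invalid or too short"
            continue
        hit = next((p for p in protected if related(name, p)), None)
        if hit:
            rejected[raw] = f"overlaps protected zone {hit}"
        elif name not in accepted:
            accepted.append(name)
    if len(accepted) > max_new:   # hold the whole cycle rather than trust a flood
        rejected.update({n: "held: feed exceeded per-cycle cap" for n in accepted})
        accepted = []
    return accepted, rejected

def bind_zone_stanzas(domains, zonefile="/etc/bind/sinkhole.db"):
    """Emit named.conf 'zone' stanzas making the resolver authoritative for each name."""
    return "".join(f'zone "{d}" {{ type master; file "{zonefile}"; }};\n' for d in domains)

if __name__ == "__main__":
    ok, bad = vet(FEED, PROTECTED, MAX_NEW_PER_CYCLE)
    print(bind_zone_stanzas(ok), bad, sep="\n")
```

Only the accepted names reach the generated configuration; the rejected map is what an operator reviews before the next update cycle.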