[dns-operations] A DNS and network security forced marriage

Andrew Sullivan ajs at shinkuro.com
Fri Mar 12 19:59:52 UTC 2010

On Fri, Mar 12, 2010 at 11:49:27AM -0800, Matthew Dempsky wrote:
> statically configured DNS server.  This doesn't require extra work
> "every time you reconnect"; just once when you set it up.

Yes, if the client is sane.  But if you have a bunch of bodged-up
stuff assembled from the kind of garbage one sometimes has, the client
is not always so sane.

Moreover, in general there isn't a pre-emptive way of making this
change, because if you're an innocent customer of an ISP and they
start mangling your DNS, you have no warning because you didn't change
anything & had no reason to suppose things would break.

I am not one of those people who thinks that there's a religious issue
here.  I just think that bland assurances that it's all easy and works
perfectly are disingenuous.  There are problems, and some of them are
annoying to fix -- especially because for the customer they often
involve waiting on hold for long periods of time waiting to get a help
desk person (who, often as not, didn't get the memo about DNS mangling
either, so doesn't know what one is talking about).


Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.
