[dns-operations] A DNS and network security forced marriage

Jason Livingood jason_livingood at cable.comcast.com
Mon Mar 15 14:09:18 UTC 2010

I have documented this in a small way in an old draft at
Please note that this is due for an update and the malicious domain redirect
content will be in a separate (new) document once this occurs.

You may also find 
informative on the subject.

But before your IT team pushes for something in the core network, don't
ignore client-side protections that could be implemented as a first-step.
Oftentimes, solutions focusing on the core occurs when there is not end user
host admin capability in an ISP network - which I would think would not be
the case in an enterprise network like yours.


On 3/12/10 12:04 PM, "Stephen L Johnson" <stephen.johnson at arkansas.gov>

> Hello all. I've been subscribed for quite a while. This list has been
> very helpful to me. And I've enjoyed the discussions of various topics
> on the list. And how I'm faced with a dilemma with a marriage of network
> security and dns operations.
> After many years things are happening which will finally allow me to
> split out server into authoritative only servers and name caching
> servers (i.e. resolvers only). An utterly brilliant (or hare brained)
> idea has emerge from out network security group to fight botnets on our
> network. The idea is to use the caching name servers to lobotomize the
> botnet. At least those bots on our network.
> Our security group can gather the DNS domains that are being used by the
> botnet control servers. The idea is to place the botnet control domains
> as authoritative domains as poison pills for the infected PC/servers.
> This list of poison pill domains would be automated to be updated
> automatically every 15-30 minutes.
> As a system admin I would have no difficulties in setting up the name
> caching server to do this. But the hostmaster in me is saying this is a
> bad idea. I already see issues with botnet domain gathering being
> poisoned by the bad guys. I can foresee scenarios of major legitimate
> domains show up in the poison domain list.
> My gut is also telling me that this is a bad idea from an operations
> point of view. But I'm not able to articulate why it would be a bad
> idea. This is getting way outside my area of expertise with DNS. So I'm
> putting the question to the DNS experts. Is this a good idea, or not?

More information about the dns-operations mailing list