[dns-operations] A DNS and network security forced marriage

Jason Livingood jason_livingood at cable.comcast.com
Mon Mar 15 14:09:18 UTC 2010


I have documented this in a small way in an old draft at
http://tools.ietf.org/html/draft-livingood-dns-redirect-00#section-8.5
Please note that this is due for an update and the malicious domain redirect
content will be in a separate (new) document once this occurs.

You may also find 
http://tools.ietf.org/html/draft-oreirdan-mody-bot-remediation-07
informative on the subject.

But before your IT team pushes for something in the core network, don't
ignore client-side protections that could be implemented as a first step.
Oftentimes, solutions focusing on the core occur when there is no end user
host admin capability in an ISP network - which I would think would not be
the case in an enterprise network like yours.

Jason


On 3/12/10 12:04 PM, "Stephen L Johnson" <stephen.johnson at arkansas.gov>
wrote:

> Hello all. I've been subscribed for quite a while. This list has been
> very helpful to me. And I've enjoyed the discussions of various topics
> on the list. And now I'm faced with a dilemma with a marriage of network
> security and dns operations.
> 
> After many years things are happening which will finally allow me to
> split our servers into authoritative only servers and name caching
> servers (i.e. resolvers only). An utterly brilliant (or hare-brained)
> idea has emerged from our network security group to fight botnets on our
> network. The idea is to use the caching name servers to lobotomize the
> botnet. At least those bots on our network.
> 
> Our security group can gather the DNS domains that are being used by the
> botnet control servers. The idea is to place the botnet control domains
> as authoritative domains as poison pills for the infected PC/servers.
> This list of poison pill domains would be automated to be updated
> automatically every 15-30 minutes.
> 
> As a system admin I would have no difficulties in setting up the name
> caching server to do this. But the hostmaster in me is saying this is a
> bad idea. I already see issues with botnet domain gathering being
> poisoned by the bad guys. I can foresee scenarios of major legitimate
> domains showing up in the poison domain list.
> 
> My gut is also telling me that this is a bad idea from an operations
> point of view. But I'm not able to articulate why it would be a bad
> idea. This is getting way outside my area of expertise with DNS. So I'm
> putting the question to the DNS experts. Is this a good idea, or not?
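The quoted question describes loading a feed of botnet control domains into the caching resolvers as locally authoritative "poison pill" zones, refreshed every 15-30 minutes, and worries about legitimate domains slipping into that feed. The script below is an added example, written for this thread rather than taken from either poster, showing the vetting step that concern calls for before any zone is generated: it normalizes the feed, rejects syntactically invalid names, refuses public suffixes and anything under an operator-maintained allowlist, deduplicates, and only then renders BIND-style `zone` statements plus a shared origin-relative sinkhole zone file. The allowlist entries, the feed contents, the file path `/etc/bind/sinkhole.zone`, the sinkhole address `192.0.2.1` and the name server `ns1.sinkhole.example` are all constructed placeholders.

```python
"""Vet a botnet C2 domain feed and render BIND 'poison pill' zones for it.

Added example for the dns-operations thread above; not code from either
poster. Assumes a text feed with one domain per line and BIND named.conf
syntax. Allowlist and feed contents are constructed for illustration.
"""
import re

# Domains that must never be sinkholed regardless of what the feed says.
# Assumption: an operator fills this from their own critical services; the
# first entry is the poster's own domain as it appears in the thread.
NEVER_SINKHOLE = {"arkansas.gov", "update.vendor.example"}

# Sinkholing a public suffix would blackhole every name beneath it.
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "edu", "mil", "co.uk"}

# One DNS label: 1-63 chars, alphanumeric or hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed sample feed (not real indicators) exercising each rejection path.
SAMPLE_FEED = """\
# constructed sample feed, not real indicators
c2-a.example.net
C2-B.Example.Org.
c2-a.example.net
co.uk
login.arkansas.gov
bad host name
"""


def normalize(name):
    """Lowercase, strip surrounding whitespace and any trailing root dot."""
    return name.strip().lower().rstrip(".")


def is_valid_hostname(name):
    """RFC 1035-style syntax check: labels <= 63 octets, whole name <= 253."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def is_protected(name):
    """True if name is a public suffix, or equals / lies under an allowlisted domain."""
    if name in PUBLIC_SUFFIXES:
        return True
    return any(name == safe or name.endswith("." + safe) for safe in NEVER_SINKHOLE)


def vet_feed(lines):
    """Split feed lines into (accepted, rejected); each rejection carries a reason."""
    accepted, rejected, seen = [], [], set()
    for raw in lines:
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        name = normalize(raw)
        if name in seen:
            continue  # duplicate entry in the feed
        seen.add(name)
        if not is_valid_hostname(name):
            rejected.append((name, "invalid hostname syntax"))
        elif is_protected(name):
            rejected.append((name, "protected domain or public suffix"))
        else:
            accepted.append(name)
    return accepted, rejected


def render_named_conf(domains, zone_file="/etc/bind/sinkhole.zone"):
    """One locally authoritative zone per domain, all backed by the same file."""
    return "".join(
        'zone "%s" { type master; file "%s"; };\n' % (d, zone_file) for d in domains
    )


def render_sinkhole_zone(sinkhole_ip, ns_name, serial):
    """Origin-relative zone data shared by every poisoned domain (@ = zone origin)."""
    return (
        "$TTL 300\n"
        "@ IN SOA %s. hostmaster.%s. (%d 3600 600 86400 300)\n"
        "@ IN NS %s.\n"
        "@ IN A %s\n"
        "* IN A %s\n"
    ) % (ns_name, ns_name, serial, ns_name, sinkhole_ip, sinkhole_ip)


if __name__ == "__main__":
    ok, bad = vet_feed(SAMPLE_FEED.splitlines())
    for name, reason in bad:
        print("rejected %-22s %s" % (name, reason))
    print(render_named_conf(ok))
    print(render_sinkhole_zone("192.0.2.1", "ns1.sinkhole.example", 2010031501))
```

Run on a cron schedule matching the feed refresh, write the rendered `zone` statements to a file included from named.conf, and diff against the previous run before reloading the resolver; a sudden jump in the accepted count, or any rejection under the allowlist, is the signal that the upstream feed has been poisoned and should be reviewed by a person rather than pushed automatically.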