[dns-operations] A DNS and network security forced marriage

Otmar Lendl ol at bofh.priv.at
Mon Mar 15 16:25:09 UTC 2010

On 12.03.2010 18:04, Stephen L Johnson wrote:
> My gut is also telling me that this is a bad idea from an operations
> point of view. But I'm not able to articulate why it would be a bad
> idea. This is getting way outside my area of expertise with DNS. So I'm
> putting the question to the DNS experts. Is this a good idea, or not?

As others have already said, this is a pretty invasive approach and may
backfire in both operational (domains you really need to access) and
security (too much reliance on this) ways.

What I'd recommend to you is to push the whole idea from a counter-measure
approach to a detection approach: Try to get query-logs out of your
recursors (either directly from the nameserver or using some
packet-capturing setup) and match them against your list of malicious domains.

That way, you can work aggressively on cleaning up bot infections, get some
statistics on false positives without causing collateral damage, and thus
solve the core of the problem (bot infections) and not just try to put
a band-aid on them.

-=-  Otmar Lendl  --  ol at bofh.priv.at  --  http://lendl.priv.at/  -=-
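An added example, not part of Otmar's post or of any nameserver software, of the detection approach he describes: matching recursor query-log lines against a list of malicious domains and counting hits per client so infected machines can be prioritised for clean-up. The log lines and the blocklist are constructed, in a BIND-style query-log format; matching is done on label boundaries so subdomains of a listed zone count as hits while look-alike names do not.

```python
import re
from collections import Counter

# Constructed sample lines in BIND-style query-log format (not real traffic).
SAMPLE_LOG = """\
15-Mar-2010 16:25:09.101 client 10.1.2.3#51234: query: www.example.org IN A + (192.0.2.1)
15-Mar-2010 16:25:09.233 client 10.1.2.3#51235: query: cnc.badbot.example IN A + (192.0.2.1)
15-Mar-2010 16:25:10.004 client 10.1.2.9#40001: query: update.cnc.badbot.example IN TXT + (192.0.2.1)
15-Mar-2010 16:25:11.770 client 10.1.2.9#40002: query: mail.example.org IN MX + (192.0.2.1)
15-Mar-2010 16:25:12.118 client 10.1.2.3#51236: query: notbadbot.example IN A + (192.0.2.1)
15-Mar-2010 16:25:13.402 client 10.1.2.3#51237: query: Sinkhole-Me.example. IN A + (192.0.2.1)
"""

# Constructed blocklist of known-bad zones; any name under these zones is a hit.
MALICIOUS_DOMAINS = {"badbot.example", "sinkhole-me.example"}

# Tolerates both "client IP#port: query:" and "client IP#port (name): query:" layouts.
QUERY_RE = re.compile(r"client (?P<ip>[\d.:a-fA-F]+)#\d+.*?: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def normalize(name):
    """Lower-case and strip the trailing dot so comparisons are exact."""
    return name.lower().rstrip(".")

def matched_zone(qname, blocklist):
    """Return the blocklist zone that qname equals or sits under, else None.
    Walks the labels right to left, so 'update.cnc.badbot.example' matches
    'badbot.example' but 'notbadbot.example' does not."""
    blocklist = {normalize(d) for d in blocklist}
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def scan_query_log(text, blocklist):
    """Yield (client_ip, qname, zone) for every query that hits the blocklist."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip silently
        zone = matched_zone(m["qname"], blocklist)
        if zone:
            yield m["ip"], normalize(m["qname"]), zone

def hits_per_client(text, blocklist):
    """Count blocklist hits per resolver client: the clean-up worklist."""
    return dict(Counter(ip for ip, _, _ in scan_query_log(text, blocklist)))

if __name__ == "__main__":
    for ip, qname, zone in scan_query_log(SAMPLE_LOG, MALICIOUS_DOMAINS):
        print(f"{ip} asked for {qname} (listed zone: {zone})")
    print(hits_per_client(SAMPLE_LOG, MALICIOUS_DOMAINS))
```

Feeding the per-client counts into a ticketing or NAC workflow gives the statistics on false positives Otmar mentions before anything is blocked.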
