[dns-operations] Kaminsky: Protect IP Act Would Break DNS

Joe Greco jgreco at ns.sol.net
Sat Jul 16 12:29:24 UTC 2011

> Provisions in U.S. legislation designed to protect copyright online
> could break the Internet's Domain Name System by driving users to
> untrusted DNS services outside the U.S., a group of Internet engineers
> said Thursday.
> http://www.cio.com/article/686212/Engineers_PROTECT_IP_Act_Would_Break_DNS?page=1&taxonomyId=3058

Let me challenge this group with the following question, with big
long lengthy lead-in.

For years, operators have had this odd fascination and fixation with
providing "DNS services".  Offering recursers is nice and an ISP
probably ought to do it for a number of reasons.

This mentality has been extended to services like OpenDNS and whatever
Google calls its offering (sorry), which move the recurser even farther
away from the end user.  There may be some value-add offered by such 
services, but also some brokenness added, as DNS-based geoloc and 
multicast services misidentify clients, etc.

Now, ten to fifteen years ago, when I was designing large scale DNS
recurser offerings for service providers, we were using gear like dual
CPU 1GHz / 1GB-2GB RAM for recursers, machines capable of handling the
resolution requests of maybe a hundred thousand dialup and DSL 

Also, in the past decade, what was once considered a heavy duty server
is now available in the form factor of my cell phone.  The resources
to do resolution locally exist.

At what point are we going to lose the fascination we have of keeping
these big juicy recursers as targets?  We've seen how they're vulnerable
to spoofing and corruption attacks.  This went from theoretical-but-
not-too-practical back in the late 90's-early 00's to "holy **** this
is actually happening" a few years ago.

Centralized DNS recursers made a ton of sense back when the average
campus Internet connection was a 56K or frac-T1 line; the reduction
in traffic was meaningful, and the resources to provide recursion were
relatively substantial.

So, my question is this:  Why aren't we pushing the recurser closer
to the user at this point?

Your average CPE device is already offering DHCP and maybe some basic
content filtering services to LAN clients.  The CPU (but maybe not the
RAM) on these guys is sufficient for doing modest amounts of recursion
work for local clients.

If we remain married to this idea of centralized control over recursion,
that control is going to remain a tempting target for policymakers who
want to impose a fix for their Big Problem Of The Day.  What things 
should be blocked?  Malware?  Child pornography?  Alleged IP 
infringement?  Gambling?  Forums critical of the US Government?  The
slippery slope.

I don't understand the mentality here.  Why does recursion need to be
operated centrally?  It wasn't designed that way.

I'm going to keep this on the short side and see what people have to
say, but there's obviously more to discuss here.

... JG
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
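As an illustration of what "recursion closer to the user" looks like in practice, here is a minimal Unbound configuration for a CPE-class box that resolves iteratively from the root for LAN clients only. This is an added example, not part of Greco's post or of any project he mentions; the LAN interface address 192.168.1.1, the 192.168.1.0/24 prefix, and the file paths are assumptions to be replaced for a real deployment.

```conf
server:
    # Listen on loopback and the LAN-side interface only (assumed address).
    interface: 127.0.0.1
    interface: 192.168.1.1
    port: 53
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # Only local clients may recurse; refuse everything else so the box
    # does not become an open resolver reachable from the Internet.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Modest cache sizes for a device with limited RAM.
    num-threads: 1
    msg-cache-size: 4m
    rrset-cache-size: 8m
    cache-max-ttl: 86400

    # Iterate from the root rather than forwarding to a remote recurser
    # (root hints file path is an assumption).
    root-hints: "/etc/unbound/root.hints"

    # DNSSEC validation with an automatically maintained root trust anchor
    # (key file path is an assumption).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Hardening against spoofing and cache-poisoning: reject out-of-bailiwick
    # glue, treat stripped DNSSEC data as bogus, randomize query-name case.
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes

    # Send only the labels each authoritative server needs to see.
    qname-minimisation: yes
```

The point of the access-control lines is that a small per-site recurser is only a smaller target if it serves its own LAN; an open recurser on a CPE is no improvement over the centralized one the post criticizes. Check with `unbound-checkconf` before loading, and confirm from an outside address that queries are refused.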
