[dns-operations] No to port blocking! (Was: Why would an MTA issue an ANY query instead of an MX query?)
Warren Kumari
warren at kumari.net
Tue Jun 12 14:54:21 UTC 2012
On Jun 12, 2012, at 4:14 AM, Stephane Bortzmeyer wrote:
> On Tue, Jun 12, 2012 at 03:32:56AM +0000,
> Vernon Schryver <vjs at rhyolite.com> wrote
> a message of 76 lines which said:
>
>> Joe and Joan should be using their ISP's validating, load balancing,
>> well (or at least somewhat) maintained DNS servers, just as they
>> should be using their ISP's SMTP systems.
>
> A strong NO here.
+lots.
> Politically, it would be a big nail in Net
> Neutrality's coffin. Also, many ISPs have lying resolvers and customers
> should NOT use them. From a security perspective, it would be
> catastrophic since the last mile is not secured, so the only safe way
> to run DNSSEC is to validate locally (which requires access to port 53
> if the ISP resolver is lying).
>
And it seems that the huge majority of "lying" is being performed at the ISP resolvers.
See the numerous papers on "NXDOMAIN rewriting", Paxfire / Xerocole / Barefruit, etc, one of the better of which is
Christian, Nicholas and Vern's "Redirecting DNS for Ads and Profit" ( http://www.icir.org/christian/publications/2011-foci-dns.pdf )
There are also a huge number of really poorly run (and slow!) ISP recursive resolvers.
Having the ability to run your own validating recursive is critical…
W
> I leave these proposals to MAAWG and the Chinese government.
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>
--
"Go on, prove me wrong. Destroy the fabric of the universe. See if I care." -- Terry Pratchett
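The "lying resolver" test Warren and Stephane are arguing about is easy to automate: ask the resolver for a random label under a zone you know has no wildcard, and an honest resolver must answer NXDOMAIN (RCODE 3), while an NXDOMAIN-rewriting resolver hands back NOERROR plus A records for a search or ad portal. The script below is an added example, not code from the thread or from any of the cited papers; it builds the query (EDNS0 with the DO bit so a validating resolver will set AD), parses the response header and answer section, and classifies the result. The two sample responses and the address 192.0.2.10 are constructed for offline use, and the use of example.com as a probe zone is an assumption (it is known not to carry a wildcard, but substitute any zone whose behaviour you control).

```python
"""Detect NXDOMAIN rewriting by a recursive resolver (stdlib only).

Probe: query a random, nonexistent name; honest resolvers return RCODE 3,
rewriting resolvers return RCODE 0 with A records. The sample responses at
the bottom are constructed, not captured, so the module runs offline.
"""
import os
import random
import socket
import string
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, TYPE_OPT = 1, 41
FLAG_AD = 0x0020  # Authenticated Data bit in the header flags


def random_label(n=12):
    return "".join(random.choice(string.ascii_lowercase) for _ in range(n))


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qid=None, qtype=TYPE_A):
    """Recursive query with an OPT RR (UDP 4096, DO=1) so AD can be set."""
    if qid is None:
        qid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, one OPT
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return header + question + opt


def build_response(qname, rcode, a_records=(), ad=False, qid=0x1234):
    """Constructed response (QR, RD, RA set) used to simulate a resolver."""
    flags = 0x8180 | rcode | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, len(a_records), 0, 0)
    msg = header + encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for ip in a_records:  # name is a compression pointer to the question
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
        msg += socket.inet_aton(ip)
    return msg


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + length


def parse_response(msg):
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    a_records = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            a_records.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"id": qid, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "a_records": a_records}


def classify(parsed):
    """honest: NXDOMAIN; rewritten: NOERROR with A records; else unexpected."""
    if parsed["rcode"] == RCODE_NXDOMAIN:
        return "honest"
    if parsed["rcode"] == RCODE_NOERROR and parsed["a_records"]:
        return "rewritten"
    return "unexpected"


def probe(resolver, zone="example.com", timeout=3.0):
    """Live check against a real resolver; zone is an assumption (no wildcard)."""
    qname = f"{random_label()}.{zone}"
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        data, _ = s.recvfrom(4096)
    parsed = parse_response(data)
    if parsed["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("response ID mismatch")
    return qname, parsed, classify(parsed)


# Constructed sample responses (not real captures) for offline demonstration.
NAME = "kx3q9v1m7ab.example.com"
HONEST = build_response(NAME, RCODE_NXDOMAIN)
REWRITTEN = build_response(NAME, RCODE_NOERROR, a_records=("192.0.2.10",))

if __name__ == "__main__":
    for label, msg in (("honest", HONEST), ("rewritten", REWRITTEN)):
        p = parse_response(msg)
        print(label, "rcode", p["rcode"], p["a_records"], "->", classify(p))
```

To test a real resolver, call `probe("203.0.113.53")` (your ISP's resolver address) and also check `parsed["ad"]`: a locally run validating recursive that you trust is the only setup in which that bit means anything, since anything on the last mile can strip or set it.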