[dns-operations] No to port blocking! (Was: Why would an MTA issue an ANY query instead of an MX query?

Warren Kumari warren at kumari.net
Tue Jun 12 14:54:21 UTC 2012


On Jun 12, 2012, at 4:14 AM, Stephane Bortzmeyer wrote:

> On Tue, Jun 12, 2012 at 03:32:56AM +0000,
> Vernon Schryver <vjs at rhyolite.com> wrote 
> a message of 76 lines which said:
> 
>> Joe and Joan should be using their ISP's validating, load balancing,
>> well (or at least somewhat) maintained DNS servers, just as they
>> should be using their ISP's SMTP systems.
> 
> A strong NO here.

+lots.

> Politically, it would be a big nail in Net
> Neutrality's coffin. Also, many ISP have lying resolvers and customers
> should NOT use them. From a security perspective, it would be
> catastrophic since the last mile is not secured, so the only safe way
> to run DNSSEC is to validate locally (which requires access to port 53
> if the ISP resolver is lying).
> 

And it seems that the huge majority of "lying" is being performed at the ISP resolvers.

See the numerous papers on "NXDOMAIN rewriting", Paxfire / Xerocole / Barefruit, etc, one of the better of which is 
 Christian,  Nicholas and Vern's "Redirecting DNS for Ads and Profit" ( http://www.icir.org/christian/publications/2011-foci-dns.pdf )

There are also a huge number of really poorly run (and slow!) ISP recursive resolvers.

Having the ability to run your own validating recursive is critical…

W


> I leave these proposals to MAAWG and the Chinese government.
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> 

--
"Go on, prove me wrong. Destroy the fabric of the universe. See if I care."  -- Terry Prachett 





More information about the dns-operations mailing list