[dns-operations] rdns monitoring; passive dns; ISC SIE

paul vixie paul at redbarn.org
Fri May 18 03:11:25 UTC 2012

(thread fork)

On 5/17/2012 3:46 PM, Stephane Bortzmeyer wrote:
> ... Also, the problem you mention (different results from different
> resolvers, unlike the original DNS model of eventual consistency, with
> eventual meaning a very short time) is already a reality: we have
> DNSSEC issues, we have network issues, we have censorship, we have
> lying resolvers... Today, we already cannot assume that a DNS answer
> will be the same everywhere. dig is no longer sufficient to debug, we
> need a distributed monitoring.

on that narrow topic, let me say again that any recursive dns operator
including isp, university, enterprise, open, soho, or other... is
welcomed and requested to share their cache miss traffic with ISC via
our Security Information Exchange (SIE). you've all been listening to me
ask for this since 2008 or so, but since stephane has shined the policy
spotlight on the telemetry problem, i'll take the bait.

the way this works is, RDNS operators download and install our "nmsg"
software. it's BSD licensed, open source, and takes very little time to
set up and very little in the way of cpu time, disk space, or network
bandwidth to operate. your server then sends ISC a copy of its
server-to-server traffic -- so, there's no PII, no end-user IP
addresses, etc. your server need not be running BIND; the "nmsg"
software uses BPF (so, like tcpdump).

when we get your data we will broadcast it in real time to a tight and
well-vetted audience of academic and commercial DNS and security
researchers, and we throw it away. some of these researchers will use
your "cache miss" traffic to build Passive DNS databases by which they
can re-aggregate the content of DNS one transaction at a time, with some
impressive permuted indexing and cross correlation opportunities.

one of the researchers who will hear your data and build a Passive DNS
database out of it is ISC itself. our passive dns system is online at
https://dnsdb.isc.org/ and access to it is free for low volume
non-commercial use (so: law enforcement is welcome). but the point of
mentioning all of this is, we don't want your data for our own private
purposes -- we want all of the trustworthy and competent do-gooders in
the world (even the commercial ones) to have access to it.

think about passive dns for your RDNS servers, even if you don't also
decide to slave the root zone there.

more information is available on the web at http://rsf.isc.org/.


"I suspect I'm not known as a font of optimism." (VJS, 2012)

More information about the dns-operations mailing list