[dns-operations] Massive DNS poisoning attacks in Brazil

Vernon Schryver vjs at rhyolite.com
Wed Oct 3 01:42:37 UTC 2012


> From: Paul Vixie <paul at redbarn.org>
> To: David Conrad <drc at virtualized.org>
> CC: Vernon Schryver <vjs at rhyolite.com>, dns-operations at lists.dns-oarc.net

> >> The only reasonable solution is to give stub resolvers some of the
> >> features of recursive resolvers including DNSSEC validation and caching
> >> to make the costs of DNSSEC tolerable.

> > Why not get rid of stub resolvers completely and simply use recursive resolvers?

I think the code to parse the BIND9 configuration grammar and nothing
more would be excessive and grotesque.  The code to support all of
that stuff would be obscene.
As far as only DNSSEC is concerned, you don't need a lot of the
complications that a real authority server needs.  (e.g. special NSEC3
database trees or lists to make big zones less slow.)

Of course, if the only available code for your situation is BIND, then
you could use BIND with a tiny configuration file.  The package would
be smaller than current Firefox binaries that send me running and
screaming in horror.


> there's an urban legend about how the authority servers depend on
> caching by intermediate recursives and that if every end system had its
> own recursive server on board the authorities would melt.

> real traffic it might get the dreck percentage down to 80% but it
> wouldn't melt anything.

No matter how over-provisioned authority servers are, I don't understand
why making stubs more like real resolvers should increase traffic to
authority servers.  Why couldn't you do the equivalent of moving the
DNS servers named in the system's equivalent of /etc/resolv.conf to
the equivalent of a BIND forwarders{} statement and putting "localhost"
into resolv.conf?

A full featured DNS server can't bypass men in the middle any more
than a bare bones DNSSEC validating caching forwarder.  There's no
security reason to go to the real authority servers if your local DNS
servers are corrupt.  The bad guys who corrupted them can attack your
DNS traffic going outside.  All you can reliably do is detect evil,
and only if you can somehow get the root key.  Detecting evil is often
enough of the battle.  In many (but certainly not all) cases, the bad
guys react to sunshine like other vampires.  In the other cases,
you can choose to not play the game by their rules or at all.


Vernon Schryver    vjs at rhyolite.com
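One concrete form of the arrangement described above (the system's
resolv.conf nameservers moved into a BIND forwarders{} statement, with
localhost left in resolv.conf), written as an added example rather than
code from the original message; the forwarder addresses, file paths and
listen address are assumptions:

```conf
# /etc/named.conf (assumed path): a bare-bones validating, caching
# forwarder for one host, not an authority server.
options {
    directory "/var/named";          # assumed working directory
    listen-on { 127.0.0.1; };        # answer only this host
    allow-query { localhost; };
    recursion yes;

    # The addresses that used to be in /etc/resolv.conf.
    # 192.0.2.x are documentation placeholders; use the real ones.
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };

    # Validate with the built-in root trust anchor (managed keys).
    # If the forwarders are corrupt, signed names fail (SERVFAIL)
    # instead of silently returning the forged answer: detection,
    # not bypass, as the message says.
    dnssec-validation auto;
};

# /etc/resolv.conf (assumed path): point the stub at the local
# forwarder; the old nameserver lines live in forwarders{} above.
# nameserver 127.0.0.1
```

A query that carries a bogus signature returns SERVFAIL from 127.0.0.1, and the
failure shows up in named's log rather than in the application.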