[dns-operations] Capturing 22.214.171.124 Traffic
paul.hoffman at vpnc.org
Mon Feb 25 20:52:02 UTC 2013
On Feb 25, 2013, at 12:17 PM, Carlos M. Martinez <carlosm3011 at gmail.com> wrote:
> I know. And I agree. But we are all seeing people going to 126.96.36.199, even
> people at home.
> So maybe having an alternative you can locally 'spoof' wouldn't hurt.
It will hurt, in ways that you cannot predict. And, when the hurt comes, you will probably be defensive about the spoofing because you had some reason at the beginning to do it.
In the example that started this thread, let's assume X captures the queries to 188.8.131.52 and spoofs them. Then Google turns on DNSSEC validation but X doesn't. Then someone gets hurt in a way that would not have happened if the answers actually came from 184.108.40.206. X's reply is "the queries to 220.127.116.11 were taking too long!".
X has made one tradeoff that the customer didn't. Worse, in the meantime, the latency of 18.104.22.168 for the customer might have gone way down and X didn't notice it.
It will always hurt because it will always last longer than intended.
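An added illustration (not from this thread or its authors) of the failure mode Paul describes, seen from the client side: a host that thinks it is talking to a validating resolver but is actually answered by an intercepting X gets no DNSSEC protection. The DNS responses below are constructed headers, not real captures, and the "correctly signed name" / "deliberately broken name" pair is an assumed test setup (such names exist in practice, but none is named here).

```python
import struct

# DNS header flag bits (RFC 1035 header layout, AD/CD from RFC 4035).
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authenticated data: resolver validated the answer
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2


def parse_header(packet: bytes) -> dict:
    """Parse the fixed 12-byte DNS header and expose the bits we care about."""
    if len(packet) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd,
        "ancount": an,
    }


def build_response(txid: int, ad: bool, rcode: int, ancount: int = 1) -> bytes:
    """Constructed test input: a minimal response header with the given AD bit and RCODE."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (rcode & RCODE_MASK)
    if ad:
        flags |= FLAG_AD
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


def classify_resolver(resp_signed_ok: bytes, resp_signed_bogus: bytes) -> str:
    """Decide whether the resolver we actually reach validates DNSSEC.

    A validating resolver sets AD on a correctly signed name and returns
    SERVFAIL for a name whose signatures are deliberately broken. An
    intercepting, non-validating middlebox answers both as ordinary NOERROR.
    """
    ok = parse_header(resp_signed_ok)
    bad = parse_header(resp_signed_bogus)
    if ok["ad"] and bad["rcode"] == RCODE_SERVFAIL:
        return "validating"
    if not ok["ad"] and bad["rcode"] == 0:
        return "not validating (possibly intercepted)"
    return "inconsistent"


# Scenario 1: answers really come from a validating resolver.
GOOGLE_LIKE = (build_response(1, ad=True, rcode=0), build_response(2, ad=False, rcode=RCODE_SERVFAIL))
# Scenario 2: X captured the queries and answers from its own non-validating cache.
INTERCEPTOR_X = (build_response(3, ad=False, rcode=0), build_response(4, ad=False, rcode=0))
```

Note that a middlebox that rewrites answers can set the AD bit just as easily as it strips it, so the AD bit is only meaningful over a channel you trust; the robust fix is to validate on the client rather than trust whatever answers the captured address.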