Paul Hoffman paul.hoffman at vpnc.org
Mon Feb 25 20:52:02 UTC 2013

On Feb 25, 2013, at 12:17 PM, Carlos M. Martinez <carlosm3011 at gmail.com> wrote:

> I know. And I agree. But we are all seeing people going to, even
> people at home.
> So maybe having an alternative you can locally 'spoof' wouldn't hurt.

It will hurt, in ways that you cannot predict. And, when the hurt comes, you will probably be defensive about the spoofing because you had some reason at the beginning to do it.

In the example that started this thread, let's assume X captures the queries to and spoofs. Then Google turns on DNSSEC validation but X doesn't. Then someone gets hurt in a way that would not have happened if the answers actually came from X's reply is "the queries to were taking too long!".

X has made one tradeoff that the customer didn't. Worse, in the meantime, the latency of for the customer might have gone way down and X didn't notice it.

It will always hurt because it will always last longer than intended.
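The failure mode described above (a client expects the public resolver it configured to be validating, while the box silently answering in its place does not validate) is visible in the DNS header: a validating resolver sets the AD bit on answers it has verified, an intercepting cache that does not validate leaves it clear. The following is an added example, not code from this thread or any of its participants; it builds a query with the AD and EDNS0 DO bits set, constructs sample replies in both states, and classifies them. All helper names (`build_query`, `build_response`, `check_reply`) and the constructed packets are assumptions for illustration.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD/CD from RFC 4035 section 3.2.3).
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authentic data: the resolver validated this answer
FLAG_CD = 0x0010  # checking disabled
EDNS_DO = 0x8000  # DNSSEC OK bit in the OPT record's 32-bit TTL field (RFC 3225)


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus a zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed A query: RD set, AD set (asks for AD in the reply, RFC 6840 5.7), OPT RR with DO."""
    header = struct.pack("!6H", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # OPT RR: root name, type 41, UDP payload 4096, ext-rcode/version/flags packed as TTL, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def build_response(query: bytes, validated: bool, addr: str) -> bytes:
    """Constructed reply: echoes the query's id and question, one A record.
    AD is set only when the answering resolver actually validated (the 'X does not validate' case leaves it clear)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if validated else 0)
    header = struct.pack("!6H", txid, flags, 1, 1, 0, 0)
    qend = query.index(b"\x00", 12) + 5  # end of QNAME terminator + QTYPE + QCLASS
    question = query[12:qend]
    rdata = bytes(int(octet) for octet in addr.split("."))
    # name pointer to offset 12 (the question name), type A, class IN, TTL 300, RDLEN 4
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into the fields relevant to validation checks."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def check_reply(query: bytes, response: bytes, expect_validation: bool) -> str:
    """Classify a reply against what the client believes about its resolver.
    'unvalidated: AD clear ...' is the signal that answers did not come through a validating path."""
    q = parse_header(query)
    r = parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "mismatch: not a response to this query"
    if r["rcode"] != 0:
        return f"rcode {r['rcode']}"
    if expect_validation and not r["ad"]:
        return "unvalidated: AD clear although a validating resolver was expected"
    return "validated" if r["ad"] else "unvalidated"


if __name__ == "__main__":
    q = build_query("example.com")
    # Constructed sample replies: one from a validating resolver, one from a non-validating interceptor.
    print(check_reply(q, build_response(q, True, "192.0.2.1"), expect_validation=True))
    print(check_reply(q, build_response(q, False, "192.0.2.1"), expect_validation=True))
```

A caveat that follows from RFC 4035: the AD bit is only meaningful when the path to the resolver is itself trusted, so this check can show that validation is missing, but a clear AD bit cannot by itself tell you who answered; monitoring for an unexpected drop in AD-flagged answers across a population of clients is the practical use.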

