[dns-operations] Capturing Traffic

Mark Andrews marka at isc.org
Tue Feb 26 21:39:48 UTC 2013

In message <CAAAas8GO=c52a+UA1n9SALqy8uYBTBO1L3v_+EvO+3h7TXmrgw at mail.gmail.com>
, Mike Jones writes:
> On 26 February 2013 14:34, Cutler James R <james.cutler at consultant.com> wrote
> :
> > On Feb 26, 2013, at 8:32 AM, Carlos M. Martinez <carlosm3011 at gmail.com> wro
> te:
> >
> >> <Rant alert>
> >>
> >> Google might be doing X,Y or Z with DNS data, but IMO, the fact doesn't
> >> excuse ISPs border filtering requests or spoofing
> >>
> >>> <SNIP/>
> >
> > There is no business justification for spending the time and money to desig
> n and deploy DNS spoofing on speculation.
> >
> > Even more expensive will be the increase in support call costs.
> >
> > Topping it all will be the cost of good will loss when tampering with custo
> mer traffic is discovered.
> I wonder if anyone can come up with a justification for why you would
> intercept, but not, or, or,
> or....?
> There are cases where it is arguably OK to intercept DNS traffic, such
> as tightly controlled networks or certain netorks with visitors that
> might have manual DNS servers set instead of getting them from DHCP.

Twenty years ago that may have been reasonable but it hasn't been
for the last decade.  DHCP is use everywhere even with fixed equipment
to assign static addresses.  Today intecepting DNS just breaks
people trying to do DNSSEC.

You can't just divert DNS packets to a recursive server and have
it work.  You need a specialised server that doesn't follow the
full DNS protocol.  It has to recurse when not asked to.  It has
to fake "aa" responses.  It has to pass through signed requests

> I
> don't see these scenarios applying to any differently than it
> would apply to other DNS traffic (in practice, all port 53). While the
> arguments against messing with my packets it are still there, it is at
> least more consistent and therefore less likely to cause the same
> level of support nightmare.
> - Mike
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list