[dns-operations] DNS namespace collisions and "controlled interruption"

Jeff Schmidt jschmidt at jasadvisors.com
Fri Jan 10 15:56:56 UTC 2014


I'm not sure I understand this thinking precisely - if Joe Employee has a
problem accessing Acme's resources (the bookmarked web page) isn't he
likely to seek support from Acme?  Even if said attempted access happens
from home or a coffee shop, we all know that IT departments wind up
supporting, um, a variety of use scenarios.  :-)

I think in your example:

1). Joe will get a 127/8 back and thus probably a connection refused or
timeout error at the application layer.

2). Importantly, his traffic will have never left his host, so it almost
certainly won't be exposed to sniffing at the open coffee shop wifi or his
compromised home router.

3). Importantly, he will have been protected from someone "else" sending
him something "else" back in response to his DNS query.

4). Since he's trying to access an Acme employee site, he'll probably call
Jane over in IT, who will troubleshoot from there.

The error and keeping the traffic on loopback are examples of "failing
closed" which is the type of conservatism we wanted to achieve.  Of course
Joe's query into .home from the coffee shop would never have worked, but
this adds a period of safety and determinism that doesn't otherwise exist.
And it helps Jane troubleshoot.


Does that make sense?

Thx,
Jeff
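The "failing closed" behaviour discussed above, turned into a defender-side check, as an added example that is not part of this thread or of any list member's code. It classifies A-record answers seen at a corporate resolver, flags the 127.0.53.53 controlled-interruption sentinel, and groups the colliding names by their rightmost label so that the sysadmin in Stephane's scenario can discover which internal pseudo-TLD is leaking. The sentinel address and its meaning come from the thread; the log line format, the function names and the sample log lines are constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Controlled-interruption sentinel discussed in the thread: a loopback
# address, so a client that receives it connects to itself and fails closed
# instead of sending traffic (and data) to whoever now holds the new TLD.
CONTROLLED_INTERRUPTION_IP = ipaddress.ip_address("127.0.53.53")

# Hypothetical resolver log format, constructed for this example:
#   <timestamp> <client-ip> query: <qname> IN A -> <answer>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)\s+IN\s+A\s+->\s+(?P<answer>\S+)$"
)

# Constructed sample log lines (no real hosts; 1.2.3.4 stands in for any public answer).
SAMPLE_LOG = [
    "2014-01-10T15:01:02Z 10.1.2.3 query: corpinfo.home. IN A -> 127.0.53.53",
    "2014-01-10T15:01:05Z 10.1.2.3 query: www.example.com. IN A -> 1.2.3.4",
    "2014-01-10T15:02:11Z 10.1.2.9 query: wiki.home. IN A -> 127.0.53.53",
    "2014-01-10T15:02:40Z 10.1.2.9 query: printer.corp.internal. IN A -> 10.0.0.5",
    "2014-01-10T15:03:00Z 10.1.2.3 query: corpinfo.home. IN A -> 127.0.53.53",
    "this line is not a query record and is skipped",
]


def classify_answer(answer):
    """Classify an A-record answer string.

    Returns one of: "controlled-interruption", "loopback", "private",
    "public" or "unparseable". The sentinel is checked before the generic
    loopback test because 127.0.53.53 is itself inside 127/8.
    """
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return "unparseable"
    if ip == CONTROLLED_INTERRUPTION_IP:
        return "controlled-interruption"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def find_collisions(log_lines):
    """Return {qname: [client, ...]} for every name answered with the sentinel.

    Lines that do not match the expected format are ignored rather than
    treated as errors, so the check can run over a mixed log file.
    """
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        if classify_answer(m.group("answer")) == "controlled-interruption":
            qname = m.group("qname").rstrip(".").lower()
            hits[qname].add(m.group("client"))
    return {q: sorted(clients) for q, clients in hits.items()}


def leaking_suffixes(collisions):
    """Group colliding names by their rightmost label (the pseudo-TLD).

    This is the view the sysadmin wants: one entry per internal suffix that
    has collided with a delegated TLD, with the names that triggered it.
    """
    by_suffix = defaultdict(list)
    for qname in collisions:
        by_suffix[qname.rsplit(".", 1)[-1]].append(qname)
    return {s: sorted(names) for s, names in by_suffix.items()}


if __name__ == "__main__":
    collisions = find_collisions(SAMPLE_LOG)
    for suffix, names in leaking_suffixes(collisions).items():
        print(f"internal suffix .{suffix} collides; names seen: {', '.join(names)}")
        for name in names:
            print(f"  {name}: clients {', '.join(collisions[name])}")
```

Run on the sample lines it reports that the `.home` suffix is colliding, with `corpinfo.home` and `wiki.home` as the names involved and the client addresses that asked for them. Pointing the same check at a real resolver's query log is the piece that the thread notes is otherwise missing: the sentinel keeps Joe's traffic on his own host, but only the organisation's own resolver logs (or a help-desk call) can tell Jane that her pseudo-TLD is now a real one.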



On 1/10/14 6:26 AM, "Ray Bellis" <Ray.Bellis at nominet.org.uk> wrote:

>
>On 10 Jan 2014, at 11:28, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>
>> I suspect that, in many cases, the leak comes from systems which are
>> not under the direct control of the system administrator.
>> 
>> 1) Jane Sysadmin, who works for Acme Corp, decides (wrongly) to use
>> .HOME for the local pseudo-TLD of Acme
>> 
>> 2) Employees of Acme Corp store bookmarks in their Web browser, some
>> bookmarks include ".home/", for instance http://corpinfo.home/
>> 
>> 3) Joe Employee goes back home with his laptop or pad and selects the
>> wrong bookmark. Bang! A DNS request for corpinfo.home is done (and
>> elicits a 127.0.53.53 response to the poor Joe). But Jane Sysadmin
>> will never see it or hear about it. Even the NSA, monitoring the root
>> name servers, will not know that it is related to Acme.
>
>That's exactly my theory for many of the bad queries to the root, too.
>
>The other source isn't just bookmarks but links exchanged by email with
>references to internal URLs.  It happens here, where we often see links
>with local (unqualified) hostnames instead of FQDNs.
>
>Ray
>