[dns-operations] resolvers considered harmful

Frank Sweetser fs at WPI.EDU
Wed Oct 22 17:20:43 UTC 2014

We make pretty heavy use of RPZ to block outbound malware traffic, especially 
to prevent people from inadvertently browsing malicious web sites.  I don't 
have the data myself, but I do know that our Infosec people saw a drop in 
infection rate when we put it in.  I'd hate to lose that mechanism completely.

Frank Sweetser fs at wpi.edu    |  For every problem, there is a solution that
Manager of Network Operations   |  is simple, elegant, and wrong.
Worcester Polytechnic Institute |           - HL Mencken

On 10/22/2014 12:47 PM, Mark Allman wrote:
> Short paper / crazy idea for your amusement ...
> Kyle Schomp, Mark Allman, Michael Rabinovich.  DNS Resolvers Considered
> Harmful, ACM SIGCOMM Workshop on Hot Topics in Networks (HotNets),
> October 2014.  To appear.
> http://www.icir.org/mallman/pubs/SAR14/
> Abstract:
>    The Domain Name System (DNS) is a critical component of the Internet
>    infrastructure that has many security vulnerabilities.  In particular,
>    shared DNS resolvers are a notorious security weak spot in the system.
>    We propose an unorthodox approach for tackling vulnerabilities in
>    shared DNS resolvers: removing shared DNS resolvers entirely and
>    leaving recursive resolution to the clients.  We show that the two
>    primary costs of this approach---loss of performance and an increase
>    in system load---are modest and therefore conclude that this approach
>    is beneficial for strengthening the DNS by reducing the attack
>    surface.
> Comments welcome.
> allman
> --
> http://www.icir.org/mallman/
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

More information about the dns-operations mailing list