[dns-operations] resolvers considered harmful

Frank Sweetser fs at WPI.EDU
Wed Oct 22 17:20:43 UTC 2014


We make pretty heavy use of RPZ to block outbound malware traffic, especially 
to prevent people from inadvertently browsing malicious web sites.  I don't 
have the data myself, but I do know that our Infosec people saw a drop in 
infection rate when we put it in.  I'd hate to lose that mechanism completely.

Frank Sweetser fs at wpi.edu    |  For every problem, there is a solution that
Manager of Network Operations   |  is simple, elegant, and wrong.
Worcester Polytechnic Institute |           - HL Mencken

On 10/22/2014 12:47 PM, Mark Allman wrote:
>
> Short paper / crazy idea for your amusement ...
>
> Kyle Schomp, Mark Allman, Michael Rabinovich.  DNS Resolvers Considered
> Harmful, ACM SIGCOMM Workshop on Hot Topics in Networks (HotNets),
> October 2014.  To appear.
> http://www.icir.org/mallman/pubs/SAR14/
>
> Abstract:
>    The Domain Name System (DNS) is a critical component of the Internet
>    infrastructure that has many security vulnerabilities.  In particular,
>    shared DNS resolvers are a notorious security weak spot in the system.
>    We propose an unorthodox approach for tackling vulnerabilities in
>    shared DNS resolvers: removing shared DNS resolvers entirely and
>    leaving recursive resolution to the clients.  We show that the two
>    primary costs of this approach---loss of performance and an increase
>    in system load---are modest and therefore conclude that this approach
>    is beneficial for strengthening the DNS by reducing the attack
>    surface.
>
> Comments welcome.
>
> allman
>
>
> --
> http://www.icir.org/mallman/
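As an added illustration of the RPZ mechanism Frank refers to (this is example configuration written for this page, not WPI's or the paper's, and the zone name, file path, blocked domains, the 192.0.2.0/24 prefix and the walled-garden host are all constructed placeholders), this is the shape of a BIND 9 response-policy setup: named.conf points the recursive resolver at a local policy zone, and the zone file carries the triggers and rewrite actions.

```conf
// ---- /etc/bind/named.conf (fragment) ----
options {
    recursion yes;
    // Consult the local policy zone before returning answers to clients.
    // "policy given" means: apply whatever action each record in the zone specifies.
    response-policy {
        zone "rpz.local" policy given;
    };
};

// The policy zone itself; clients must never be able to query it directly.
zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";   // placeholder path
    allow-query { none; };
};

; ---- /etc/bind/db.rpz.local (zone file; names below are constructed examples) ----
$TTL 300
@                    IN SOA localhost. root.localhost. (
                         2014102201 ; serial
                         3600       ; refresh
                         900        ; retry
                         604800     ; expire
                         300 )      ; minimum
                     IN NS  localhost.

; QNAME trigger, action NXDOMAIN: the name and everything under it ceases to resolve.
bad.example          CNAME .
*.bad.example        CNAME .

; QNAME trigger, action NODATA: the name exists but gets no records of the requested type.
tracker.example      CNAME *.

; QNAME trigger, local data: redirect a phishing host to an internal warning page.
phish.example        CNAME walledgarden.example.

; Exception: let one subdomain through even though its parent is blocked above.
allow.bad.example    CNAME rpz-passthru.

; IP trigger (rpz-ip): drop any answer whose A record falls in 192.0.2.0/24.
; Encoding is <prefix-length>.<address octets reversed>.rpz-ip
24.0.2.0.192.rpz-ip  CNAME .
```

Two things worth noting from a defender's side. First, every rewrite can be logged (BIND emits an `rpz` category message per rewritten response), and that log is what gives Infosec the infection-rate signal Frank mentions. Second, the whole mechanism only works because clients send their queries through a shared resolver that can apply the policy; if each client performs its own recursion, as the paper proposes, the policy point disappears along with the shared resolver, which is exactly the trade-off being discussed in this thread.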