[dns-operations] resolvers considered harmful

Joe Greco jgreco at ns.sol.net
Wed Oct 22 19:35:13 UTC 2014

> Matthew Pounsett <matt at conundrum.com>:
> > The paper also appears to make the assumption that eliminating
> > existing resolvers is a thing we can do.  Open recursive resolvers
> > won=92t go away simply because we, as an industry, decide to stop
> > setting up new ones.  There=92s no way to prevent them from sending
> > queries (or to selectively block them), and they are almost by
> > definition unmanaged, so we cannot expect they will be taken offline
> > by their respective administrators.=20
> Sure.  I agree with this.  But, if we make clients default to not using
> resolvers then the harm resolvers can do is reduced.  I.e., so what if I
> can cache poison a CPE if none of the clients behind it utilize the CPE
> for lookups?

Then we merely move on to the issue of cache poisoning individual

Assuming that the CPE is a NAT (effectively firewalling clients from
poisoning attacks) and/or that the individual clients have well-
designed, impervious resolvers is likely to be a fail.  Remember that
IPv6 is coming...

We already have a lot of abandonware Internet-connected devices out
there, random devices running some variant of BusyBox or whatever that
need to be able to do hostname lookups.  So, great, we do what, we put
BIND 9 on them?  And then never patch them once the product warranty
has expired?

That's going to end well.

... JG
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

More information about the dns-operations mailing list