[dns-operations] resolvers considered harmful
Joe Greco
jgreco at ns.sol.net
Wed Oct 22 19:35:13 UTC 2014
> Matthew Pounsett <matt at conundrum.com>:
> > The paper also appears to make the assumption that eliminating
> > existing resolvers is a thing we can do. Open recursive resolvers
> > won't go away simply because we, as an industry, decide to stop
> > setting up new ones. There's no way to prevent them from sending
> > queries (or to selectively block them), and they are almost by
> > definition unmanaged, so we cannot expect they will be taken offline
> > by their respective administrators.
>
> Sure. I agree with this. But, if we make clients default to not using
> resolvers then the harm resolvers can do is reduced. I.e., so what if I
> can cache poison a CPE if none of the clients behind it utilize the CPE
> for lookups?
Then we merely move on to the issue of cache poisoning individual
clients.
Assuming that the CPE is a NAT (effectively firewalling clients from
poisoning attacks) and/or that the individual clients have well-
designed, impervious resolvers is likely to be a fail. Remember that
IPv6 is coming...
We already have a lot of abandonware Internet-connected devices out
there, random devices running some variant of BusyBox or whatever that
need to be able to do hostname lookups. So, great, we do what, we put
BIND 9 on them? And then never patch them once the product warranty
has expired?
That's going to end well.
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.