[dns-operations] resolvers considered harmful

Mark Andrews marka at isc.org
Thu Oct 23 01:51:07 UTC 2014

In message <20141023010708.28BF611FC3E1 at lawyers.icir.org>, Mark Allman writes:
> Let me try to take care of both of these related points together:
> Joe Greco <jgreco at ns.sol.net>:
> > Then we merely move on to the issue of cache poisoning individual
> > clients.
> > 
> > Assuming that the CPE is a NAT (effectively firewalling clients from
> > poisoning attacks) and/or that the individual clients have well-
> > designed, impervious resolvers is likely to be a fail.
> David Conrad <drc at virtualized.org>:
> > As I understand it, you're proposing pushing the resolvers out to the
> > edges 
> That is not what we are proposing.  We are not suggesting resolvers be
> *moved*, but rather *removed*.  That is, clients simply do name lookup
> on their own.
> Name lookup at an endpoint is different from name lookup in an
> intermediate resolver.  
> An intermediate resolver looks up a name on behalf of other hosts.  It
> therefore *must* listen for lookup requests that roll in from the
> network.  This is fundamental to a resolver's operation---it simply
> *must* accept requests from other hosts.  Don't get me wrong.... it
> doesn't have to accept all requests and as we know, too many resolvers
> accept requests they should not.  All I am saying is that the resolver
> cannot do its job without accepting requests from other hosts.
> On the other hand, an endpoint can look up a name without listening for
> any request from the network.  We suggest this be an entirely local
> operation.  Think of it like this: just because I want to load the
> cnn.com web page I don't have to run httpd.  Well, just because I want
> to look up an A record for cnn.com doesn't mean I have to run bind.

Firstly it isn't "bind" it is "BIND".  

Secondly why not run BIND?  It works fine only listening on and

It actually does do DNSSEC validation and everything else you would want
a iterative resolver to do with sensible defaults.

	options {
		listen-on {; };
		listen-on-v6 { ::1; };
		dnssec-validation auto;
		directory "/var/named";

It also isolates all your clients from the big bad world of broken
authoritative servers.  It's also easier to upgrade than every
application that makes a DNS lookup.

> Could there be attacks against the internal lookup process on a host?
> Of course.  But, those are attacks that require some sort of access to
> the end host first.
> David Conrad <drc at virtualized.org>:
> > if you're not doing DNSSEC at the edges,
> Let me be clear.... I am not arguing against DNSSEC.  A crypto signed
> record is always better than a clear text record.  But, DNSSEC is still
> not here and it seems to me that factoring out some of the
> intermediaries that we know sometimes both play games and have games
> played on them may well be a useful path.
> allman
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list