[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well
Kristof Tuyteleers
kristof.tuyteleers at dnsbelgium.be
Wed Sep 7 09:59:53 UTC 2016
On 07/09/16 03:51, "dns-operations on behalf of Paul Vixie" <dns-operations-bounces at dns-oarc.net on behalf of paul at redbarn.org> wrote:
“do you remember when spammers did not have easy and cheap access to
large numbers of throwaway domain names? they used to put dotted quads
into their message bodies. along came spamassassin, treating dotted
quads in message bodies as spam-sign. now, spammers can get all the
cheap throwaway domains they will ever need, and spam is harder to
detect. in this way we did nothing but drive our own costs up and
improve the educations and capabilities of spammers everywhere. i would
like the security industry to please stop behaving this way. just
because "something has got to be done" does not equivocate all values of
"something". some things should NOT be done.”
Although this discussion is still quite amusing, I think we are going around in circles.
I really like the above example. Nowadays, if you replace spam/cheap throwaway domains with DDoS/IoT devices (a marketing label for end-consumer devices with vendor lock-in that are always connected to the internet and never get security updates), that's reality. And, just like always recycling the BCP38 topic, finger-pointing at this fact will not help to solve the problem.
So there are multiple scenarios.
- Just admit that we are helpless. We lost the fight against those cyber hooligans and we don't have the strength/ideas/tools to re-educate those big vendors that lack security practices.
- Another option is to keep fighting about measurements. So we shouldn't block ANY queries. Should we rewrite the RFC to not use source port 53 for outgoing queries anymore? Should we rewrite the RFC to only allow cryptographic algorithms with smaller key sizes? This can lead to interesting discussions, but it does not get us to the source of the problem.
- Solve (or at least try to solve) the base problem. The dark side operates fast and effectively in a globally connected world where the number of artefacts (= attack enablers) increases every second. Can we as a DNS community make the DNS ecosystem more bulletproof and less interesting for cyber-attacks by strengthening and hardening the technical standards? Do we think we (still?) have the decision-making power to drop (or not) service access for those artefacts that undermine global security?
Kind regards,
Kristof