[dns-operations] solutions for DDoS mitigation of DNS
Fred Morris
m3047 at m3047.net
Fri Apr 3 00:51:50 UTC 2020
Yes, although if you don't believe us maybe you're looking in the wrong
place....

On Thu, 3 Apr 2020, John Levine wrote:
> In article <c3569cd8-ca3e-5557-0ad9-1141ef4fd9b0 at plum.ovh>,
> Tessa Plum <tessa at plum.ovh> wrote:
>> The university generally has some private research projects which have
>> their domain names, but the university won't let others see these domain
>> names unless the projects have gone public.
>
> If those names are ever retrieved by users on networks outside your
> university, it's very likely that they're in public passive DNS
> databases that are widely visible. It is not realistic to believe
> that you can put names in your public DNS and not have the world
> know about them.

There is this thing called a "search list". Love 'em or hate 'em (kind of
like DNAMEs!).

Suppose your (ab)user is in a coffee shop (wearing appropriate hazmat gear
of course). They load their web browser. It's visited
secret-project.university-example.edu previously. Being extremely helpful,
the browser tries to prefetch the address for
secret-project.university-example.edu. When that doesn't work, it then
tries secret-project.university-example.edu.coffeeshop-example.com. And so
on, and so forth. (*cough* .cisco *cough* .belkin... no it's not COVID, I
seem to have some DNS caught in my throat...)
--
Fred Morris
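
The search-list leakage described in the message above can be checked for from the defender's side. This is an added example, not part of the original post: it scans query names for a protected zone followed by extra labels. The query names are assumed to come from a resolver query log or passive DNS export, and the sample names are constructed from the placeholder domains in the message.

```python
"""Spot search-list leakage: a protected zone in the middle of a query name."""


def _labels(name):
    # DNS names are case-insensitive; drop the root dot before splitting.
    return name.rstrip(".").lower().split(".")


def find_search_list_leaks(qnames, protected_zones):
    """Return (qname, leaked_name, appended_suffix) for each query name in
    which a protected zone is followed by extra labels, as happens when a
    stub resolver appends a search-list domain to a fully qualified name."""
    zones = [_labels(z) for z in protected_zones]
    leaks = []
    for qname in qnames:
        labels = _labels(qname)
        for zone in zones:
            n = len(zone)
            # Compare whole labels at every position except the rightmost;
            # a match at the rightmost position is an ordinary query.
            for start in range(0, len(labels) - n):
                if labels[start:start + n] == zone:
                    leaked = ".".join(labels[:start + n])
                    suffix = ".".join(labels[start + n:])
                    leaks.append((qname, leaked, suffix))
                    break
    return leaks


# Constructed sample input, using the placeholder domains from the message.
SAMPLE_QNAMES = [
    "secret-project.university-example.edu.",
    "secret-project.university-example.edu.coffeeshop-example.com.",
    "www.coffeeshop-example.com.",
    "Secret-Project.University-Example.EDU.lan.",
    "notuniversity-example.edu.coffeeshop-example.com.",
]

if __name__ == "__main__":
    for qname, leaked, suffix in find_search_list_leaks(
            SAMPLE_QNAMES, ["university-example.edu"]):
        print(f"{leaked} leaked to whoever serves {suffix} (query: {qname})")
```

Matching is done on whole labels, so a name such as notuniversity-example.edu is not reported as a leak of university-example.edu.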