[dns-operations] Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS

Paul Vixie paul at redbarn.org
Wed Aug 18 03:48:03 UTC 2021

On Wed, Aug 18, 2021 at 07:12:32AM +1000, Mark Andrews wrote:
> ... Everything that comes off the wire needs to be checked.
> Occasionally some checks will be missed.

when the arpanet and nsfnet were small and wizard-dense and noncommercial
and open source, it made sense to be liberal in what we accepted, and
conservative in what we generated.

with the internet now mainstream and commercial, and wizard-sparse and
criminal-infected and huge, it makes sense to be conservative in what we
accept, and even more conservative in what we generate.

check everything, like marka said. bounce bad stuff often. make problems
hot, early, and fast, for implementations by fresh undamaged programmers
who are ready to declare "works for me" and take off for their weekend.

Paul Vixie

More information about the dns-operations mailing list