North American Network Operators Group


Re: DNS cache poisoning attacks -- are they real?

  • From: Joe Maimon
  • Date: Sun Mar 27 16:44:03 2005

[email protected] wrote:
On Sun, Mar 27, 2005 at 11:36:26AM -0500, Joe Maimon wrote:

	er... common best practice for YOU... perhaps. is apparently someone who agrees w/ you.
	and i know why some COMMERCIAL operators want to squeeze
	every last lira from the services they offer...
	but IMRs w/ unrestricted access are a good and valuable tool
	for the Internet community at large.

	IMR? - you know, an Iterative Mode Resolver aka caching server.


Thanks for the feedback, Bill and all else who have responded.

Just want to clarify -- that's NOT my position. Any resolvers (not like that's a great many big important ones, like others here can attest to) I have run were not purposefully closed off from anyone (who was not being abusive).

Security is critical, but I am from the school that advocates leaving open that which

* may be useful to others

* does not cost me {much} - cost is in terms of {money | cpu | ram | bw | mgmt | what have you}

* takes extra effort to close off

* has no recent history of badness (insert your definition for "recent")

* is easily verifiable (you should know real quick if your DNS cache is poisoned)

* avoids issues on how to make things work now that you have screwed it all up by denying resolving to all [insert all corner cases here] (simply as an example)

Easy to make a road, hard to make a prison.