North American Network Operators Group


Re: DNS cache poisoning attacks -- are they real?

  • From: Joe Maimon
  • Date: Sun Mar 27 11:37:43 2005


Suresh Ramasubramanian wrote:
On Sat, 26 Mar 2005 17:52:56 -0500 (EST), Sean Donelan <[email protected]> wrote:

<snip>
Thank $DEITY for large ISPs running open resolvers on fat pipes ..
those do come in quite handy in a resolv.conf sometimes, when I run
into this sort of behavior.

--srs


Slightly OT to parent thread...on the subject of open dns resolvers.

Common best practices seem to suggest that doing so is a bad thing. DNS documentation and http://www.dnsreport.com appear to view this negatively.

Is that the consensus among operators here? Does anyone feel that in spite of the {negligible} risk involved, since any abuse would be local in nature (as opposed to SMTP open relay) one should be good neighborly in this way? Or perhaps the prospect of yet another list of $IP_BLOCKS_THAT_ARE_OUR_NETWORK makes this a low priority on the TODO list of DNS operators?

Yes, if your resolvers are open to the world, cache poisoning becomes a lot easier and better targeted -- but then, if your resolvers are vulnerable to that, you would get bit by it sooner or later anyways.

Joe
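The "list of $IP_BLOCKS_THAT_ARE_OUR_NETWORK" Joe mentions is, in BIND 9 terms, an ACL on recursion. The fragment below is an added illustration, not part of the thread and not anyone's production configuration; the "open" form at the top is what dnsreport-style checks flag, and the restricted form beneath it is the usual remedy. The prefixes in the `ournet` ACL are placeholders taken from the RFC 5737/3849 documentation ranges and must be replaced with the operator's own address blocks.

```conf
// --- Open resolver: answers recursive queries from anyone (the setting flagged as bad practice) ---
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };       // any source may use this cache
    allow-query-cache { any; };     // any source may read cached answers
};

// --- Restricted resolver: recursion only for the operator's own blocks ---
// Placeholder prefixes (documentation ranges); substitute the real network list.
acl "ournet" {
    127.0.0.0/8;        // localhost
    ::1/128;
    192.0.2.0/24;       // placeholder: customer block A
    198.51.100.0/24;    // placeholder: customer block B
    2001:db8::/32;      // placeholder: IPv6 block
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { "ournet"; };      // off-net clients get REFUSED for recursive queries
    allow-query-cache { "ournet"; };    // off-net clients cannot probe the cache contents
    allow-query { any; };               // authoritative zones, if any, stay answerable to all
};
```

After reloading, a recursive query from an address outside `ournet` returns REFUSED instead of an answer, which is what an external "open resolver" check looks for; on-net clients see no change. If the server also hosts authoritative zones, keeping `allow-query { any; }` while narrowing `allow-recursion` is what preserves that role without leaving the cache open.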