North American Network Operators Group
Re: DNS cache poisoning attacks -- are they real?
* Alex Bligh:

> --On 26 March 2005 23:23 +0100 Florian Weimer <[email protected]> wrote:
>
>> Should we monitor for evidence of hijacks (unofficial NS and SOA
>> records are good indicators)? Should we actively scan for
>> authoritative name servers which return unofficial data?
>
> And what if you find them?

If leaking unofficial data were considered a capital offense (in
Internet terms), many ISPs would take action. Apparently, it's not, so
detection is pretty much pointless.

> The only way you are going to prevent packet level (as opposed to
> organization level) DNS hijack is get DNSSEC deployed.

DNS cache poisoning (at least in the form which prompted me to start
this thread) is a quality-of-implementation issue. DNSSEC will not
magically increase code quality (but it will definitely increase
complexity), that's why I don't share the enthusiasm of the DNSSEC
crowd. 8->
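Added example, not part of the thread: a bailiwick check of the kind the "quality-of-implementation" remark points at. It parses a constructed DNS reply and reports NS/SOA records whose owner name lies outside the zone the answering server was asked about, i.e. the "unofficial" records the quoted message suggests watching for. All names and addresses in the sample are constructed.

```python
import struct
NS, SOA, A = 2, 6, 1

def enc(name):
    """Encode a dotted name as uncompressed DNS wire labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                        # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii").lower())
        off += ln
    return ".".join(labels), (off if end is None else end)

def parse_rrs(msg):
    """Yield (section, owner, rtype) for every RR after the question."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4             # skip QNAME, QTYPE, QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            yield section, owner, rtype

def unofficial_records(msg, zone):
    """NS/SOA records whose owner is outside the zone the answering server
    is authoritative for; a careful resolver must not cache these."""
    return [(s, o) for s, o, t in parse_rrs(msg)
            if t in (NS, SOA) and not (o == zone or o.endswith("." + zone))]

def rr(owner, rtype, rdata, ttl=3600):
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

# Constructed sample: reply to "www.example.test A" that also slips in an NS record for victim.test
SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 2, 0)
          + enc("www.example.test") + struct.pack("!HH", A, 1)
          + rr(b"\xc0\x0c", A, bytes([192, 0, 2, 1]), 60)    # owner = pointer to QNAME
          + rr(enc("example.test"), NS, enc("ns1.example.test"))
          + rr(enc("victim.test"), NS, enc("ns1.attacker.test")))
```

`unofficial_records(SAMPLE, "example.test")` returns the victim.test NS record as the only out-of-bailiwick entry; the in-zone NS record and the answer pass.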