North American Network Operators Group


Re: Sitefinder II, the sequel...

  • From: Chris Woodfield
  • Date: Thu Jul 13 09:36:52 2006

Going off on something of a tangent, I'd be really curious what sort of efforts OpenDNS are making/will need to make in order to limit their servers' utility as a relay for amplification attacks (which I'm listening to a discussion on at IETF as I type). evil-01.txt

On Jul 13, 2006, at 8:08 AM, Patrick W. Gilmore wrote:

> On Jul 13, 2006, at 3:39 AM, Simon Waters wrote:
>
>> Most of those I know try to deploy recursive services as close as possible to
>> the client, avoiding where possible alternative views of the DNS, and
>
> Would that everyone did what the people you know do.
>
> Unfortunately, there are a few providers doing things like outsourcing their recursive service to, say, their upstream, or having one "node" of recursive servers anywhere in the world for all their end users. These providers violate the first part of your sentence.
>
> The second part doesn't make any sense to me. It seems that having multiple, geographically disparate recursive name servers would be more likely to present an "alternative [view] of the DNS". (In fact, I can prove that's true in at least some cases. :) So you are actually arguing -against- your first point.
>
> That said, no one has yet said why it is necessary, or even desirable, to have a completely homogenous view of the world.
>
>> Perhaps time to ask Brad, Paul and Cricket what they think, and have answers
>> to their comments.
>
> Perhaps. However, in the last DNS related thread, Paul made a pretty strong claim (violating a protocol) and showed exactly _ZERO_ facts to back it up, despite being asked at least five times (by my count).
>
>> With automated responses to "bad things", it is usually best to minimise the
>> scope of the change. Similarly, typo correction makes sense for URLs, but not
>> for most other uses of the DNS (hence the proviso you make to switch it off
>> if you use RBL, although I'd say switch it off for all email servers lest you
>> start correcting spambot crud; our email servers make a DNS check on the
>> sender's domain, and that doesn't want correcting either), so the answer is
>> probably a browser plug-in (although most browsers already try to guess what
>> you meant to some extent).
>
> Perhaps something as simple as a preference only 'correcting' queries that begin with "www"?
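Chris's question at the top of the thread (how a public recursive resolver limits its usefulness as a reflector for spoofed-source amplification attacks) is usually answered with per-client accounting on the resolver itself. The following Python is an added example written for this archive page, not code from the thread, from OpenDNS or from any resolver product; the log line format, the byte budget, the thresholds and the "slip" truncation policy are all assumptions. It shows an offline check that flags the clients (in a spoofing attack, really the victims) whose answers vastly outweigh their questions, and an online per-client response-rate limiter that answers over-budget clients with truncated replies so that legitimate clients fall back to TCP while a spoofed victim only receives tiny packets.

```python
"""Added example (not from the thread or OpenDNS): two defensive controls a
public recursive resolver can apply to be a poor reflector for spoofed-source
amplification attacks. Log format, thresholds and the slip policy are assumed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample resolver log, one line per answered query:
# <unix_time> <client_ip> <qname> <qtype> <request_bytes> <response_bytes>
# 198.51.100.9 plays the spoofed victim: many ANY queries with large answers.
SAMPLE_LOG = """\
1152780000 203.0.113.7 www.example.net A 33 49
1152780001 203.0.113.7 mail.example.net MX 34 120
1152780000 198.51.100.9 example.org ANY 28 3120
1152780000 198.51.100.9 example.org ANY 28 3120
1152780000 198.51.100.9 example.org ANY 28 3120
1152780001 198.51.100.9 example.org ANY 28 3120
1152780001 198.51.100.9 example.org ANY 28 3120
1152780001 198.51.100.9 example.org ANY 28 3120
1152780002 192.0.2.44 ftp.example.com A 33 49
"""


@dataclass
class ClientStats:
    queries: int = 0
    request_bytes: int = 0
    response_bytes: int = 0


def parse_line(line):
    """Split one log line into (time, client, qname, qtype, req_bytes, resp_bytes)."""
    ts, client, qname, qtype, req, resp = line.split()
    return int(ts), client, qname, qtype, int(req), int(resp)


def amplification_report(log_text, min_queries=5, min_ratio=10.0):
    """Offline detection: map client_ip -> amplification factor for clients whose
    answers outweigh their questions by min_ratio over at least min_queries.
    With source spoofing the 'client' is really the victim being flooded."""
    stats = defaultdict(ClientStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, _, _, req, resp = parse_line(line)
        s = stats[client]
        s.queries += 1
        s.request_bytes += req
        s.response_bytes += resp
    flagged = {}
    for client, s in stats.items():
        ratio = s.response_bytes / s.request_bytes
        if s.queries >= min_queries and ratio >= min_ratio:
            flagged[client] = round(ratio, 1)
    return flagged


@dataclass
class ResponseRateLimiter:
    """Online mitigation: per-client byte budget per second. Once a client is
    over budget, every `slip`-th reply is sent truncated (TC bit set, no
    answer section) and the rest are dropped. A genuine client retries over
    TCP, which a spoofed source cannot complete, so the victim only ever
    receives a trickle of tiny packets instead of the full amplified answer."""
    bytes_per_second: int
    slip: int = 2
    _budget: dict = field(default_factory=dict)                   # client -> (second, bytes_left)
    _over: dict = field(default_factory=lambda: defaultdict(int))  # client -> over-budget count

    def decide(self, now, client, response_bytes):
        """Return 'send', 'truncate' or 'drop' for one candidate response."""
        sec, left = self._budget.get(client, (now, self.bytes_per_second))
        if sec != now:                       # new second: refill the budget
            left = self.bytes_per_second
        if response_bytes <= left:
            self._budget[client] = (now, left - response_bytes)
            return "send"
        self._budget[client] = (now, left)
        self._over[client] += 1
        return "truncate" if self._over[client] % self.slip == 0 else "drop"


def replay(log_text, limiter):
    """Run the limiter over the log in order and return the decision per line."""
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _, _, _, resp = parse_line(line)
        decisions.append(limiter.decide(ts, client, resp))
    return decisions


if __name__ == "__main__":
    print(amplification_report(SAMPLE_LOG))
    print(replay(SAMPLE_LOG, ResponseRateLimiter(bytes_per_second=4000)))
```

On the constructed log the report flags only 198.51.100.9 (six ANY queries, roughly 111x more answer bytes than question bytes), and the limiter with a 4000-byte-per-second budget lets one large answer per second through to that address and then alternates between dropping and truncating the rest, while the two ordinary clients are never touched. The byte budget rather than a query count is the point: a resolver is attractive as a reflector because of the answer size, so that is what the budget should bound.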