North American Network Operators Group
Re: Sitefinder II, the sequel...
- From: Chris Woodfield
- Date: Thu Jul 13 09:36:52 2006
Going off on something of a tangent, I'd be really curious what sort
of efforts OpenDNS are making/will need to make in order to limit
their servers' utility as a relay for amplification attacks (which
I'm listening to a discussion on at IETF as I type).
http://www.ietf.org/internet-drafts/draft-ietf-dnsop-reflectors-are-evil-01.txt

On Jul 13, 2006, at 8:08 AM, Patrick W. Gilmore wrote:

> On Jul 13, 2006, at 3:39 AM, Simon Waters wrote:
>
>> Most of those I know try to deploy recursive services as close as
>> possible to the client, avoiding where possible alternative views of
>> the DNS, and forwarding.
>
> Would that everyone did what the people you know do.
>
> Unfortunately, there are a few providers doing things like
> outsourcing their recursive service to, say, their upstream, or
> having one "node" of recursive servers anywhere in the world for
> all their end users. These providers violate the first part of
> your sentence.
>
> The second part doesn't make any sense to me. It seems that having
> multiple, geographically disparate recursive name servers would be
> more likely to present an "alternative [view] of the DNS". (In
> fact, I can prove that's true in at least some cases. :) So you
> are actually arguing -against- your first point.
>
> That said, no one has yet said why it is necessary, or even
> desirable, to have a completely homogenous view of the world.
>
>> Perhaps time to ask Brad, Paul and Cricket what they think, and
>> have answers to their comments.
>
> Perhaps. However, in the last DNS related thread, Paul made a
> pretty strong claim (violating a protocol) and showed exactly
> _ZERO_ facts to back it up, despite being asked at least five times
> (by my count).
>
>> With automated responses to "bad things", it is usually best to
>> minimise the scope of the change. Similarly typo correction makes
>> sense for URLs, but not for most other uses of the DNS (hence the
>> proviso you make to switch it off if you use RBL, although I'd say
>> switch it off for all email servers lest you start correcting
>> spambot crud, our email servers make a DNS check on the sender's
>> domain, that doesn't want correcting either), so the answer is
>> probably browser plug-in (although most browsers already try to
>> guess what you meant to some extent).
>
> Perhaps something as simple as a preference only 'correcting'
> queries that begin with "www"?
>
> --
> TTFN,
> patrick