North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: DNS: Definitely Not Safe?
MARLON BORBA wrote:
Security of DNS servers is an issue for network operators, thus pertaining to NANOG on-topics. This article shows a security-officer view of the recent DNS attacks.
I am not shure wether the author isn't walking beside his shoes.
DNS is like a telephone book.
Yes it is dangerous to have your telephone number listed in a publicly available book. We should forbid telephone books and the world would me much safer?
If you are afraid of people using axfr to slave a nameserver then dont publish it. Use /etc/hosts not DNS and best dont tell anybody your ip-address.
In some places (Africa ?) root-servers may be difficult to see, so why not clone them and have the root on your local network? If they are attacked again - no problem. Your personal root-server will survive at least a month without them. Of course you need axfr transfers to do that.
I dont know how you can use axfr transfers to DoS somebody else but yourself. It is a tcp connection after all. You need to be connected. Overloading electricity supply like the NSA tries to do is a lot more efficent.
Rests recursive nameservers, resolvers. Yes, that could help. Forbid all publicly available resolvers including those of your ISP then attackers, mostly running windows in their botnets will not find their targets any longer.
The big problem is IT-personal relying on windows for their backbones. You cannot help them, only an attack can.
I remember companies used to run their own internal nameservers. Why dont they do it any longer? DNS has become so much more relyable that they dont need to.