North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: On-going Internet Emergency and Domain Names

  • From: David Ulevitch
  • Date: Wed Apr 04 15:00:39 2007

Paul Vixie wrote: 
...
Back to reality and 2007:
In this case, we speak of a problem with DNS, not sendmail, and not bind.

As to blacklisting, it's not my favorite solution but rather a limited
alternative I also saw you mention on occasion. What alternatives do you
offer which we can use today?

on any given day, there's always something broken somewhere.

in dns, there's always something broken everywhere.

since malware isn't breaking dns, and since dns not a vector per se, the
idea of changing dns in any way to try to control malware strikes me as
a way to get dns to be broken in more places more often.

I'd say it's a way to get DNS to be more inconsistent and it's likely to happen. Broken is both in the eye of the beholder and in the eye of the end-user.

but, isp's responsible for large broadband populations could do this in their
recursion farms

That's right. And it will perpetuate the arms race of whitehats vs. blackhats. But that's no reason not to add intelligence into the DNS -- either in-band or out-of-band. Most of us already do some level of DNS intelligence out-of-band (passive dns, uribls, etc) and the power of doing it in-band is a logical next step.

fundamentally, this isn't a dns technical problem, and using dns technology
to solve it will either not work or set a dangerous precedent.  and since
the data is authentic, some day, dnssec will make this kind of poison
impossible.

Unfortunately, that day, if it ever comes, will come after bot herders stop using DNS to manage their botnets because other mitigation strategies will have already forced them to move on.

-David