nanog mailing list archives

Re: DNS cache poisoning attacks -- are they real?


From: Joe Maimon <jmaimon () ttec com>
Date: Sun, 27 Mar 2005 11:36:26 -0500

Suresh Ramasubramanian wrote:
On Sat, 26 Mar 2005 17:52:56 -0500 (EST), Sean Donelan <sean () donelan com> wrote:

<snip>

Thank $DEITY for large ISPs running open resolvers on fat pipes ..
those do come in quite handy in a resolv.conf sometimes, when I run
into this sort of behavior.

--srs
Slightly OT to the parent thread... on the subject of open DNS resolvers.

Common best practices seem to suggest that doing so is a bad thing. DNS documentation and http://www.dnsreport.com appear to view this negatively.

Is that the consensus among operators here? Does anyone feel that in spite of the {negligible} risk involved, since any abuse would be local in nature (as opposed to SMTP open relay), one should be good-neighborly in this way? Or perhaps the prospect of yet another list of $IP_BLOCKS_THAT_ARE_OUR_NETWORK makes this a low priority on the TODO list of DNS operators?

Yes, if your resolvers are open to the world, cache poisoning becomes a lot easier and better targeted -- but then, if your resolvers are vulnerable to that, you would get bit by it sooner or later anyway.

Joe
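The usual operator answer to Joe's question is to keep recursion for your own prefixes only. As an added example (not from the thread), the open setting and the restricted one side by side as BIND 9 named.conf fragments; the address blocks are placeholders for the operator's own networks, and allow-query-cache assumes BIND 9.4 or later.

```conf
// Added example, not from the thread: BIND 9 named.conf fragments.
// The prefixes below are placeholders for the operator's own address blocks.

// Weak: recursion offered to anyone who can reach the server (an "open resolver").
// Anyone on the Internet can use the cache, and anyone can try to poison it.
options {
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };
};

// Restricted: recursion and cache access only for the operator's own networks;
// outsiders still get authoritative answers for zones served here.
acl "ournets" {
    127.0.0.0/8;
    192.0.2.0/24;        // placeholder for the operator's customer blocks
    2001:db8::/32;       // placeholder
};

options {
    recursion yes;
    allow-query       { any; };       // authoritative data stays public
    allow-recursion   { ournets; };   // recursion only for our own clients
    allow-query-cache { ournets; };   // cached answers only for our own clients
};
```

After reloading, a recursive query from outside the ACL for a name the server is not authoritative for should come back REFUSED with the RA flag clear; that is the check dnsreport.com-style tools perform.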

