nanog mailing list archives

Re: DNS cache poisoning attacks -- are they real?


From: Joe Maimon <jmaimon () ttec com>
Date: Sun, 27 Mar 2005 16:42:55 -0500
bmanning () vacation karoshi com wrote:
On Sun, Mar 27, 2005 at 11:36:26AM -0500, Joe Maimon wrote:

<snip>

        er... common best practice for YOU... perhaps.
        dnsreport.com is apparently someone who agrees w/ you.
        and i know why some COMMERCIAL operators want to squeeze
        every last lira from the services they offer...
        but IMRs w/ unrestricted access are a good a valuable tool
        for the Internet community at large.

        IMR? - you know, an Iterative Mode Resolver aka caching server.


Joe


--bill



Thanks for the feedback, bill and all else who have responded.

Just want to clarify -- That's NOT my position; any resolvers (not like that's a great many big important ones, like others here can attest to) I have run were not purposefully closed off from anyone (who was not being abusive).

Security is critical, but I am from the school that advocates leaving open that which

* may be useful to others

* does not cost me {much} - cost is in terms of {money | cpu | ram | bw | mgmt | what have you}

* takes extra effort to close off

* has no recent history of badness (insert your definition for "recent")

* is easily verifiable (you should know real quick if your DNS cache is poisoned)

* avoids issues on how to make things work now that you have screwed it all up by denying resolving to all [insert all corner cases here] (simply as an example)

Easy to make a road, hard to make a prison.
