nanog mailing list archives
Re: DNS cache poisoning attacks -- are they real?
From: Joe Maimon <jmaimon () ttec com>
Date: Sun, 27 Mar 2005 16:42:55 -0500
bmanning () vacation karoshi com wrote:
On Sun, Mar 27, 2005 at 11:36:26AM -0500, Joe Maimon wrote:
<snip>
er... common best practice for YOU... perhaps. dnsreport.com is apparently someone who agrees w/ you. and i know why some COMMERCIAL operators want to squeeze every last lira from the services they offer... but IMRs w/ unrestricted access are a good and valuable tool for the Internet community at large.
IMR? - you know, an Iterative Mode Resolver aka caching server.
Joe
--bill
Thanks for the feedback, bill and all else who have responded.
Just want to clarify -- That's NOT my position; any resolvers (not like that's a great many big important ones like others here can attest to) I have run were not purposefully closed off from anyone (who was not being abusive).
Security is critical, but I am from the school that advocates leaving open that which
* may be useful to others
* does not cost me {much} - cost is in terms of {money | cpu | ram | bw | mgmt | what have you}
* takes extra effort to close off
* Has no recent history of badness (insert your definition for "recent")
* Is easily verifiable (you should know real quick if your DNS cache is poisoned)
* avoids issues on how to make things work now that you have screwed it all up by denying resolving to all [insert all corner cases here] (simply as an example)
Easy to make a road, hard to make a prison.