nanog mailing list archives
Great Suggestion for the DNS problem...?
From: "Jay R. Ashworth" <jra () baylink com>
Date: Mon, 28 Jul 2008 15:05:41 -0400
[ unthreaded to encourage discussion ]

On Sat, Jul 26, 2008 at 04:55:23PM -0500, James Hess wrote:
> Nameservers could incorporate poison detection... Listen on 200 random fake ports (in addition to the true query ports); if a response ever arrives at a fake port, then it must be an attack, read the "identified" attack packet, log the attack event, mark the RRs mentioned in the packet as "poison being attempted" for 6 hours; for such domains always request and collect _two_ good responses (instead of one), with a 60 second timeout, before caching a lookup. The attacker must now guess nearly 64-bits in a short amount of time, to be successful. Once a good lookup is received, discard the normal TTL and hold the good answer cached and immutable, for 6 hours (_then_ start decreasing the TTL normally).
Is there any reason which I'm too far down the food chain to see why that's not a fantastic idea? Or at least, something inspired by it?

Cheers,
-- jr 'IANAIE' a

-- 
Jay R. Ashworth                   Baylink                      jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         '87 e24
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

     Those who cast the vote decide nothing.
     Those who count the vote decide everything.
       -- (Josef Stalin)