nanog mailing list archives
Re: What DNS Is Not
From: Valdis.Kletnieks () vt edu
Date: Mon, 09 Nov 2009 21:21:54 -0500
On Mon, 09 Nov 2009 15:04:06 PST, Bill Stewart said:
For instance, returning the IP address of your company's port-80 web server instead of NXDOMAIN not only breaks non-port-80-http applications
Remember this...
There is one special case for which I don't mind having DNS servers
lie about query results,
which is the phishing/malware protection service. In that case, the
DNS response is redirecting you to
the IP address of a server that'll tell you
"You really didn't want to visit PayPa11.com - it's a fake" or
"You really didn't want to visit
dgfdsgsdfgdfgsdfgsfd.example.ru - it's malware".
It's technically broken, but you really _didn't_ want to go there anyway.
It's a bit friendlier to administrators and security people if the
response page gives you the
Returning bogus non-NXODMAIN gives non-port-80-http apps heartburn as well.
Attachment:
_bin
Description:
Current thread:
- Re: What DNS Is Not, (continued)
- Re: What DNS Is Not David Andersen (Nov 08)
- Re: What DNS Is Not David Conrad (Nov 08)
- Re: What DNS Is Not Paul Ferguson (Nov 08)
- Re: What DNS Is Not Scott Howard (Nov 08)
- Re: What DNS Is Not Paul Wall (Nov 08)
- Re: What DNS Is Not Joe Greco (Nov 08)
- Re: What DNS Is Not Simon Lyall (Nov 08)
- Re: What DNS Is Not Joe Abley (Nov 08)
- Re: What DNS Is Not Paul Vixie (Nov 09)
- Re: What DNS Is Not Bill Stewart (Nov 09)
- Re: What DNS Is Not Valdis . Kletnieks (Nov 09)
- Re: What DNS Is Not Andrew Cox (Nov 09)
- Re: What DNS Is Not Jack Bates (Nov 09)
- Re: What DNS Is Not Alex Balashov (Nov 09)
- Re: What DNS Is Not David Ulevitch (Nov 09)
- Re: What DNS Is Not Andrew Cox (Nov 09)
- Re: What DNS Is Not John Peach (Nov 10)
- Re: What DNS Is Not sthaug (Nov 10)
- Re: What DNS Is Not Florian Weimer (Nov 11)
- RE: What DNS Is Not Jason Granat (Nov 11)
- Re: What DNS Is Not Patrick W. Gilmore (Nov 11)