[106450] in North American Network Operators' Group


Re: Great Suggestion for the DNS problem...?

daemon@ATHENA.MIT.EDU (Paul Vixie)
Mon Jul 28 21:25:00 2008

To: nanog@merit.edu
From: Paul Vixie <vixie@isc.org>
Date: Tue, 29 Jul 2008 01:24:43 +0000
In-Reply-To: <20080728190541.GG15946@cgi.jachomes.com> (Jay R. Ashworth's message of "Mon, 28 Jul 2008 15:05:41 -0400")
X-Vix-MailScanner-From: vixie@isc.org
Errors-To: nanog-bounces@nanog.org

jra@baylink.com ("Jay R. Ashworth") writes:

> [ unthreaded to encourage discussion ]
>
> On Sat, Jul 26, 2008 at 04:55:23PM -0500, James Hess wrote:
>> Nameservers could incorporate poison detection...
>>
>> Listen on 200 random fake ports (in addition to the true query ports);
>> if a response ever arrives at a fake port, then it must be an attack,
>> read the "identified" attack packet, log the attack event, mark the
>> RRs mentioned in the packet as "poison being attempted" for 6 hours;
>> for such domains always request and collect _two_ good responses
>> (instead of one), with a 60 second timeout, before caching a lookup.
>>
>> The attacker must now guess nearly 64-bits in a short amount of time,
>> to be successful. Once a good lookup is received, discard the normal
>> TTL and hold the good answer cached and immutable, for 6 hours (_then_
>> start decreasing the TTL normally).
>
> Is there any reason which I'm too far down the food chain to see why
> that's not a fantastic idea?  Or at least, something inspired by it?

at first glance, this is brilliant, though with some unimportant nits.

however, since it is off-topic for nanog, i'm going to forward it to
the namedroppers@ops.ietf.org mailing list and make detailed comments
there.
-- 
Paul Vixie
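
The scheme quoted above (decoy listening ports that should never receive traffic, a six-hour "poison being attempted" mark on any name seen in an unsolicited response, two agreeing answers within 60 seconds before caching such a name, and an immutable six-hour hold before the normal TTL countdown starts) is compact enough to simulate. The following is an added illustration written for this archive page; it is not code from the message's author, from NANOG, or from any resolver. It models responses as already-parsed tuples rather than wire-format DNS, assumes one true query port plus a set of decoy ports, and marks suspicion per name rather than per individual RR; port numbers, names and addresses in it are constructed sample values.

```python
"""Simulation of the decoy-port poison-detection idea from the quoted message.

Added example, not code from the message's author or any resolver.
Responses are pre-parsed (dst_port, name, rdata, ttl, time) tuples;
a real implementation would also match transaction ID and question section.
"""
import random
from dataclasses import dataclass, field

DECOY_PORT_COUNT = 200        # "200 random fake ports" from the proposal
SUSPECT_WINDOW = 6 * 3600     # seconds a name stays marked "poison being attempted"
PIN_WINDOW = 6 * 3600         # seconds a confirmed answer is held immutable
CONFIRM_TIMEOUT = 60          # seconds allowed to collect two agreeing answers
CONFIRMATIONS_REQUIRED = 2


@dataclass
class CacheEntry:
    rdata: str
    ttl: int
    stored_at: float
    pinned_until: float       # == stored_at when the entry is not pinned

    def expires_at(self):
        # The normal TTL countdown starts only after the pin window ends
        return self.pinned_until + self.ttl


@dataclass
class Resolver:
    query_port: int
    decoy_ports: set
    attack_log: list = field(default_factory=list)
    suspect_until: dict = field(default_factory=dict)   # name -> time
    pending: dict = field(default_factory=dict)         # name -> [(time, rdata)]
    cache: dict = field(default_factory=dict)           # name -> CacheEntry

    @classmethod
    def with_random_ports(cls, seed=None):
        # One true query port plus DECOY_PORT_COUNT decoys, all distinct
        rng = random.Random(seed)
        ports = rng.sample(range(1024, 65536), DECOY_PORT_COUNT + 1)
        return cls(query_port=ports[0], decoy_ports=set(ports[1:]))

    def is_suspect(self, name, now):
        return self.suspect_until.get(name, 0) > now

    def receive(self, dst_port, name, rdata, ttl, now):
        """Process one response datagram. Returns True iff the answer was cached."""
        if dst_port in self.decoy_ports:
            # No query was ever sent from a decoy port, so this packet is
            # unsolicited: log it and put the name it mentions under suspicion.
            self.attack_log.append((now, dst_port, name, rdata))
            self.suspect_until[name] = now + SUSPECT_WINDOW
            return False
        if dst_port != self.query_port:
            return False          # not addressed to us at all
        entry = self.cache.get(name)
        if entry is not None and now < entry.pinned_until:
            return False          # pinned answer is immutable for PIN_WINDOW
        if not self.is_suspect(name, now):
            # Ordinary name: cache on the first response, TTL counts from now
            self.cache[name] = CacheEntry(rdata, ttl, now, now)
            return True
        # Suspect name: keep only answers inside the confirmation window
        window = [(t, r) for t, r in self.pending.get(name, [])
                  if now - t <= CONFIRM_TIMEOUT]
        window.append((now, rdata))
        self.pending[name] = window
        agreeing = [t for t, r in window if r == rdata]
        if len(agreeing) >= CONFIRMATIONS_REQUIRED:
            # Two matching answers: cache, and pin for PIN_WINDOW before the
            # original TTL starts decreasing
            self.cache[name] = CacheEntry(rdata, ttl, now, now + PIN_WINDOW)
            del self.pending[name]
            return True
        return False

    def lookup(self, name, now):
        """Return the cached rdata for name, or None if absent or expired."""
        entry = self.cache.get(name)
        if entry is None or now >= entry.expires_at():
            self.cache.pop(name, None)
            return None
        return entry.rdata
```

The model makes the cost trade-off visible: a name that has never been seen in a decoy-port hit behaves exactly as today, while a name under suspicion costs one extra upstream query per cache miss for six hours and then sits immutable for another six, which is the window during which a stale but legitimate record change would be ignored.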
