[119213] in North American Network Operators' Group
Re: What DNS Is Not
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Nov 9 21:22:55 2009
To: Bill Stewart <nonobvious@gmail.com>
In-Reply-To: Your message of "Mon, 09 Nov 2009 15:04:06 PST."
<18a5e7cb0911091504t60035f2m902eb7873c3e7e14@mail.gmail.com>
From: Valdis.Kletnieks@vt.edu
Date: Mon, 09 Nov 2009 21:21:54 -0500
Cc: nanog@merit.edu
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, 09 Nov 2009 15:04:06 PST, Bill Stewart said:
> For instance, returning the IP address of your company's port-80 web
> server instead of NXDOMAIN
> not only breaks non-port-80-http applications
Remember this...
> There is one special case for which I don't mind having DNS servers
> lie about query results,
> which is the phishing/malware protection service. In that case, the
> DNS response is redirecting you to
> the IP address of a server that'll tell you
> "You really didn't want to visit PayPa11.com - it's a fake" or
> "You really didn't want to visit
> dgfdsgsdfgdfgsdfgsfd.example.ru - it's malware".
> It's technically broken, but you really _didn't_ want to go there anyway.
> It's a bit friendlier to administrators and security people if the
> response page gives you the
Returning bogus non-NXDOMAIN gives non-port-80-http apps heartburn as well.