[119217] in North American Network Operators' Group


Re: What DNS Is Not

daemon@ATHENA.MIT.EDU (Andrew Cox)
Mon Nov 9 23:16:15 2009

Date: Tue, 10 Nov 2009 14:45:19 +1030
From: Andrew Cox <andrew@accessplus.com.au>
To: Valdis.Kletnieks@vt.edu, nanog@merit.edu
In-Reply-To: <6028.1257819714@turing-police.cc.vt.edu>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Shouldn't such apps be checking the content they receive back from a 
server anyway?
Regardless of whether they think they're getting to the right server (due to 
a bogus non-NXDOMAIN response), there should be some sort of validation 
in place.. otherwise you're open to any sort of man-in-the-middle attack.

I think the issue is more that older apps would expect that if they can 
get a response then everything is ok.. perhaps this is simply an outdated 
method and needs to be rethought.

Valdis.Kletnieks@vt.edu wrote:
> On Mon, 09 Nov 2009 15:04:06 PST, Bill Stewart said:
>
>> For instance, returning the IP address of your company's port-80 web
>> server instead of NXDOMAIN
>> not only breaks non-port-80-http applications
>
> Remember this...
>
>> There is one special case for which I don't mind having DNS servers
>> lie about query results,
>> which is the phishing/malware protection service.  In that case, the
>> DNS response is redirecting you to
>> the IP address of a server that'll tell you
>>        "You really didn't want to visit PayPa11.com - it's a fake" or
>>        "You really didn't want to visit
>> dgfdsgsdfgdfgsdfgsfd.example.ru - it's malware".
>> It's technically broken, but you really _didn't_ want to go there anyway.
>> It's a bit friendlier to administrators and security people if the
>> response page gives you the
>
> Returning bogus non-NXDOMAIN gives non-port-80-http apps heartburn as well.
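One defensive check an application or monitoring script can run for the bogus non-NXDOMAIN responses discussed in this thread, added here as an example that is not part of the original posts: query a few random labels that cannot legitimately exist; an honest resolver answers NXDOMAIN (empty answer) for all of them, while a rewriting resolver hands back the same "portal" address every time. The two resolvers and the 192.0.2.x addresses below are constructed stand-ins for a real lookup.

```python
"""Detect NXDOMAIN rewriting by a resolver using random-label probes.

Constructed example: a resolver that answers nonexistent names with a
fixed address is detected by querying random labels and checking whether
they all resolve to the same non-empty address set.
"""
import secrets
from typing import Callable, Dict, FrozenSet, List, Optional

# A resolver maps a name to its A-record addresses; [] stands for NXDOMAIN.
Resolver = Callable[[str], List[str]]


def random_probe_names(zone: str, count: int = 3) -> List[str]:
    """Labels of 16 random hex chars under `zone`; these will not exist."""
    return [f"{secrets.token_hex(8)}.{zone}" for _ in range(count)]


def classify_answers(answers: Dict[str, List[str]]) -> Optional[FrozenSet[str]]:
    """Return the address set shared by every probe if the resolver is
    synthesising answers, otherwise None.

    An honest resolver returns an empty answer for every probe.  A
    rewriting resolver returns the same non-empty set for all of them.
    Mixed results (some empty, or differing sets) are inconclusive -> None.
    """
    sets = [frozenset(ips) for ips in answers.values()]
    if not sets or any(not s for s in sets):
        return None
    return sets[0] if all(s == sets[0] for s in sets) else None


def detect_rewrite(resolve: Resolver, zone: str = "example.com",
                   count: int = 3) -> Optional[FrozenSet[str]]:
    """Probe `resolve` with random names under `zone` and classify."""
    names = random_probe_names(zone, count)
    return classify_answers({name: resolve(name) for name in names})


# --- constructed resolvers so the check runs offline (addresses are TEST-NET-1) ---
KNOWN = {"www.example.com": ["192.0.2.10"]}


def honest_resolver(name: str) -> List[str]:
    """Unknown names get NXDOMAIN, i.e. an empty answer."""
    return KNOWN.get(name, [])


def rewriting_resolver(name: str) -> List[str]:
    """Unknown names get the 'helpful' portal address instead of NXDOMAIN."""
    return KNOWN.get(name, ["192.0.2.80"])


if __name__ == "__main__":
    print("honest:", detect_rewrite(honest_resolver))        # None
    print("rewriting:", detect_rewrite(rewriting_resolver))  # frozenset({'192.0.2.80'})
```

In a real deployment `resolve` would wrap an actual lookup such as `socket.getaddrinfo`, and the probes must go under a zone you know has no wildcard record, since a wildcard legitimately answers every label and would look like rewriting.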
