[119988] in North American Network Operators' Group


Re: news from Google

daemon@ATHENA.MIT.EDU (Paul Ferguson)
Sun Dec 6 20:38:15 2009

In-Reply-To: <A61C2036-B276-44FB-8A3F-40EB763B7F0A@tcb.net>
Date: Sun, 6 Dec 2009 17:37:24 -0800
From: Paul Ferguson <fergdawgster@gmail.com>
To: Danny McPherson <danny@tcb.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, Dec 6, 2009 at 5:30 PM, Danny McPherson <danny@tcb.net> wrote:

>
> I think one of the things that concerns me most with Google
> validating and jumping on the DNS "open resolver" bandwagon
> is that it'll force more folks (ISPs, enterprises and end
> users alike) to leave DNS resolver IP access wide open.
> Malware already commonly changes DNS resolver settings to
> rogue resolvers, and removes otherwise resident malcode from
> the end system to avoid detection by AV and the like.
>
> One of the primary recommendations I give to enterprises is to
> force use of internal resolvers, and log all other attempted
> DNS resolution queries elsewhere, it's a quick way to detect
> some compromised systems.  [...]

Indeed -- as this is exactly what we have seen, as discussed in the good
white paper by Antoine Schonewille and Dirk-Jan van Helmond in 2006 (I've
used this paper as a reference many times), "The Domain Name Service as
an IDS: How DNS can be used for detecting and monitoring badware in a
network":

http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFLHFxJq1pz9mNUZTMRAti9AKDYQalIoQ5aHDjsRzU9bz6ulxVLUwCePYbW
v3KSVdE37Uyz/GXhC0dhaA0=
=K0HW
-----END PGP SIGNATURE-----


--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
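The detection Danny McPherson describes above (force clients onto internal resolvers, then log and review anything that tries to resolve elsewhere) can be reduced to a small log-review pass. The following is an added example, not code from the thread or from either author: it parses iptables-style LOG lines for port-53 traffic and groups, per source host, the resolvers it contacted that are not on the sanctioned list. The `DNS-EGRESS` prefix, the resolver addresses and the sample log lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Sanctioned internal resolvers. Constructed values; replace with the
# resolvers your DHCP/config actually hands out.
INTERNAL_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.1.53"),
}

# Fields of an iptables-style LOG line. Other fields (TOS, TTL, ID, ...)
# may sit between DST and PROTO, hence the lazy ".*?".
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>UDP|TCP) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample log: a LOG rule tagged "DNS-EGRESS" (assumed prefix)
# is placed on the egress path so every outbound port-53 flow is recorded.
SAMPLE_LOG = """\
Dec  6 20:38:15 fw kernel: DNS-EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=10.0.0.53 LEN=60 PROTO=UDP SPT=51234 DPT=53 LEN=40
Dec  6 20:38:16 fw kernel: DNS-EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.21 DST=198.51.100.7 LEN=60 PROTO=UDP SPT=40001 DPT=53 LEN=40
Dec  6 20:38:17 fw kernel: DNS-EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.21 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40002 DPT=53 WINDOW=65535
Dec  6 20:38:18 fw kernel: DNS-EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.22 DST=203.0.113.9 LEN=60 PROTO=UDP SPT=40003 DPT=443 LEN=40
Dec  6 20:38:19 fw kernel: DNS-EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=10.0.1.53 LEN=60 PROTO=UDP SPT=40004 DPT=53 LEN=40
Dec  6 20:38:20 fw kernel: DNS-EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=192.0.2.1 LEN=60 PROTO=UDP SPT=40005 DPT=53 LEN=40
"""


def parse_line(line):
    """Return (src, dst, proto, dport) for a packet LOG line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (
        ipaddress.ip_address(m["src"]),
        ipaddress.ip_address(m["dst"]),
        m["proto"],
        int(m["dpt"]),
    )


def find_rogue_dns(lines, resolvers=INTERNAL_RESOLVERS):
    """Map each source host to the sorted list of non-sanctioned DNS endpoints it contacted.

    Only port-53 flows (UDP or TCP) count; flows to a sanctioned resolver are
    ignored. A host that appears in the result is worth a closer look, since a
    client that was configured to use the internal resolvers has no reason to
    be talking to anything else on port 53.
    """
    findings = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if dport != 53 or dst in resolvers:
            continue
        findings[str(src)].add(f"{dst}:{dport}/{proto}")
    return {host: sorted(endpoints) for host, endpoints in findings.items()}


if __name__ == "__main__":
    for host, endpoints in sorted(find_rogue_dns(SAMPLE_LOG.splitlines()).items()):
        print(f"{host} -> {', '.join(endpoints)}")
```

Run against the sample, the two hosts that queried outside resolvers (one over both UDP and TCP) are reported and the host that went to port 443 is not, since the check is about resolver bypass rather than general egress. In practice the same function would be fed from syslog or a flow collector, and the resolver set would be whatever the site actually assigns.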

