[78966] in North American Network Operators' Group

Re: DNS cache poisoning attacks -- are they real?

daemon@ATHENA.MIT.EDU (Joe Maimon)
Sun Mar 27 11:36:50 2005

Date: Sun, 27 Mar 2005 11:36:26 -0500
From: Joe Maimon <jmaimon@ttec.com>
To: nanog@merit.edu
In-Reply-To: <bb0e440a050327032972023978@mail.gmail.com>
Errors-To: owner-nanog@merit.edu
Suresh Ramasubramanian wrote:
> On Sat, 26 Mar 2005 17:52:56 -0500 (EST), Sean Donelan <sean@donelan.com> wrote:
> 
<snip>
> 
> Thank $DEITY for large ISPs running open resolvers on fat pipes ..
> those do come in quite handy in a resolv.conf sometimes, when I run
> into this sort of behavior.
> 
> --srs
> 
> 

Slightly OT to the parent thread... on the subject of open DNS resolvers.

Common best practices seem to suggest that doing so is a bad thing. DNS 
documentation and http://www.dnsreport.com appear to view this negatively.

Is that the consensus among operators here? Does anyone feel that in 
spite of the {negligible} risk involved, since any abuse would be local 
in nature (as opposed to SMTP open relay) one should be good neighborly 
in this way? Or perhaps the prospect of yet another list of 
$IP_BLOCKS_THAT_ARE_OUR_NETWORK makes this a low priority on the TODO 
list of DNS operators?

Yes, if your resolvers are open to the world, cache poisoning becomes a 
lot easier and better targeted -- but then, if your resolvers are 
vulnerable to that, you would get bit by it sooner or later anyways.

Joe
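An added example, not part of the thread: a small Python probe an operator can run from an address outside their own $IP_BLOCKS_THAT_ARE_OUR_NETWORK against their own resolver, to confirm it refuses recursion for strangers the way dnsreport expects. The query name, the `probe` host and the three sample replies are constructed for illustration; it also discards replies whose transaction ID does not match the query, the check a resolver relies on against spoofed answers.

```python
import socket
import struct

RCODE_REFUSED = 5          # BIND answers REFUSED when allow-recursion denies the client
FLAG_RD = 0x0100           # recursion desired (set by the client)
FLAG_RA = 0x0080           # recursion available (set by the server)


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query for `name` (type A by default) with RD set."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def classify_response(resp: bytes, expected_txid: int = 0x1234) -> str:
    """Classify a resolver's reply to a recursive query sent from a foreign address."""
    if len(resp) < 12:
        return "malformed"
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        return "txid mismatch"            # not our query; ignore, never trust it
    if flags & 0x000F == RCODE_REFUSED:
        return "recursion refused"        # an ACL is in place: good neighbour, closed resolver
    if flags & FLAG_RA and ancount > 0:
        return "open recursive resolver"  # answered a stranger recursively: open resolver
    if not flags & FLAG_RA:
        return "recursion not available"  # authoritative-only server, nothing to poison
    return "no answer"


def probe(server: str, name: str = "www.example.com", timeout: float = 2.0) -> str:
    """Send one UDP query to `server` (your own resolver) and classify its reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            resp, _ = sock.recvfrom(512)
        except socket.timeout:
            return "no response"
    return classify_response(resp)


# Constructed sample reply headers (12 bytes each) so the classifier can be exercised offline.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR, RD, RA, one answer
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)  # QR, RD, RA, rcode REFUSED
SAMPLE_NO_RA = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 0, 0)    # QR, RD, RA clear
```

Only `probe()` touches the network; run it against a resolver you operate, from outside its permitted client range.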
