[78978] in North American Network Operators' Group
Re: DNS cache poisoning attacks -- are they real?
daemon@ATHENA.MIT.EDU (Joe Maimon)
Sun Mar 27 16:43:22 2005
Date: Sun, 27 Mar 2005 16:42:55 -0500
From: Joe Maimon <jmaimon@ttec.com>
To: bmanning@vacation.karoshi.com
Cc: nanog@merit.edu
In-Reply-To: <20050327212529.GA32282@vacation.karoshi.com.>
Errors-To: owner-nanog@merit.edu
bmanning@vacation.karoshi.com wrote:
> On Sun, Mar 27, 2005 at 11:36:26AM -0500, Joe Maimon wrote:
>
<snip>
>
> er... common best practice for YOU... perhaps.
> dnsreport.com is apparently someone who agrees w/ you.
> and i know why some COMMERCIAL operators want to squeeze
> every last lira from the services they offer...
> but IMRs w/ unrestricted access are a good and valuable tool
> for the Internet community at large.
>
> IMR? - you know, an Iterative Mode Resolver aka caching server.
>
>
>>Joe
>
>
> --bill
>
>
Thanks for the feedback, bill and all else who have responded.
Just want to clarify -- that's NOT my position. Any resolvers (not like
that's a great many big important ones, like others here can attest to) I
have run were not purposefully closed off from anyone (who was not being
abusive).
Security is critical, but I am from the school that advocates leaving open that which
* may be useful to others
* does not cost me {much} - cost is in terms of {money | cpu | ram | bw
| mgmt | what have you}
* takes extra effort to close off
* has no recent history of badness (insert your definition for "recent")
* is easily verifiable (you should know real quick if your DNS cache is
poisoned)
* avoids issues on how to make things work now that you have screwed it
all up by denying resolving to all [insert all corner cases here]
(simply as an example)
Easy to make a road, hard to make a prison.
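The "easily verifiable" point above invites a concrete check. The script below is an added example written for this page, not code from the thread or from either poster. It reads what a caching resolver currently holds for a name by sending a query with the RD (recursion desired) bit clear, so the cache answers only from what it already has rather than triggering a fresh lookup, and then compares those A records with what the zone's authoritative server returns. It also refuses replies whose transaction id does not match the query, the same 16-bit id a poisoning attempt has to guess. Assumptions not in the original: stdlib only, IPv4 A records over UDP, no EDNS or DNSSEC, and the server addresses are command-line placeholders you supply. The sample packets in `demo()` are constructed here for offline testing.

```python
"""Compare a caching resolver's cached A records with the authoritative ones.

Added example for this page (not from the NANOG thread).  Assumptions:
stdlib only, IPv4 A records over UDP, no EDNS/DNSSEC; server addresses are
placeholders passed on the command line.
"""
import random
import socket
import struct


def _encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype=1, rd=True, txid=None):
    """Build a DNS query.  rd=False clears the RD bit, so a caching resolver
    answers only from its cache (RFC 1035) instead of recursing for us."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid, name, addrs, ttl=60):
    """Constructed sample response (for offline testing only): A records for
    `name`, each owner name compressed to the question at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    pkt = header + _encode_name(name) + struct.pack("!HH", 1, 1)
    for a in addrs:
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
    return pkt


def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        l = data[off]
        if (l & 0xC0) == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if l == 0:
            break
        labels.append(data[off:off + l].decode())
        off += l
    return ".".join(labels).lower(), (off if end is None else end)


def parse_response(data):
    """Return (txid, rcode, [(owner, rtype, rdata), ...]) from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                              # skip question section
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((owner, rtype, socket.inet_ntoa(rdata)))
        elif rtype in (2, 5):                        # NS / CNAME targets
            answers.append((owner, rtype, _read_name(data, off - rdlen)[0]))
        else:
            answers.append((owner, rtype, rdata.hex()))
    return txid, flags & 0x000F, answers


def compare_cache(cached, authoritative):
    """'not_cached' if the cache holds no A record, 'clean' if every cached
    address is one the authority serves, else 'mismatch' (possible poisoning)."""
    cached_a = {r for _, t, r in cached if t == 1}
    auth_a = {r for _, t, r in authoritative if t == 1}
    if not cached_a:
        return "not_cached"
    return "clean" if cached_a <= auth_a else "mismatch"


def lookup(server, name, rd):
    """Send one UDP query and parse the reply, rejecting a reply whose
    transaction id does not match ours (a stray or spoofed packet)."""
    pkt = build_query(name, rd=rd)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(3.0)
    try:
        s.sendto(pkt, (server, 53))
        data, _ = s.recvfrom(4096)
    finally:
        s.close()
    txid, _rcode, answers = parse_response(data)
    if txid != struct.unpack("!H", pkt[:2])[0]:
        raise ValueError("transaction id mismatch: stray or spoofed reply")
    return answers


def demo():
    """Run the comparison on constructed packets; returns the three verdicts."""
    auth = parse_response(build_response(1, "example.com", ["192.0.2.10", "192.0.2.11"]))[2]
    good = parse_response(build_response(2, "example.com", ["192.0.2.11"]))[2]
    bad = parse_response(build_response(3, "example.com", ["198.51.100.7"]))[2]
    empty = parse_response(build_response(4, "example.com", []))[2]
    return {"clean": compare_cache(good, auth),
            "mismatch": compare_cache(bad, auth),
            "not_cached": compare_cache(empty, auth)}


if __name__ == "__main__":
    import sys
    # usage: python check_cache.py <cache IP> <authoritative NS IP> <name>
    cache_ip, auth_ip, qname = sys.argv[1:4]
    print(compare_cache(lookup(cache_ip, qname, rd=False), lookup(auth_ip, qname, rd=False)))
```

Two caveats a practitioner will hit: an authoritative server that hands out only a subset of a larger pool (geo or load-balanced answers) will show up as a mismatch that is not poisoning, so repeat the authoritative query a few times before concluding anything; and a resolver that ignores RD=0 and recurses anyway will never report `not_cached`, which tells you less about its cache but nothing false about its answers.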