[79048] in North American Network Operators' Group


Re: DNS cache poisoning attacks -- are they real?

daemon@ATHENA.MIT.EDU (Chris Brenton)
Tue Mar 29 10:39:38 2005

From: Chris Brenton <cbrenton@chrisbrenton.org>
To: nanog <nanog@merit.edu>
In-Reply-To: <1112092669.15380.TMDA@mercury.zynet.net>
Date: Tue, 29 Mar 2005 10:38:26 -0500
Errors-To: owner-nanog@merit.edu


On Tue, 2005-03-29 at 05:37, Simon Waters wrote:
>
> The answers from a recursive server won't be marked authoritative (AA bit not 
> set), and so correct behaviour is to discard (BIND will log a lame server 
> message as well by default) these records.
> 
> If your recursive resolver doesn't discard these records, suggest you get one 
> that works ;)

In a perfect world, this might be a viable solution. The problem is
there are far too many legitimate but "broken" name servers out there.
On an average day I log well over 100 lame servers. If I broke this
functionality, my helpdesk would get flooded pretty quickly with angry
users.

HTH,
Chris
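The check Simon describes and the operational tension Chris raises, as an added example that is not part of the original thread: a minimal Python parser for the 12-byte DNS message header that reads the AA bit, treats a non-authoritative answer from a server that should be authoritative as lame, and then either discards it (strict mode, Simon's advice) or logs it and accepts it anyway (lenient mode, the behaviour Chris is describing). The two sample messages, the server address 192.0.2.53, the zone name and the log-line format (loosely modelled on BIND's "lame server" message) are constructed assumptions, not anything from the thread.

```python
import struct
from dataclasses import dataclass

# DNS header flag bits (RFC 1035, section 4.1.1), upper 16-bit word after the ID.
FLAG_QR = 0x8000  # 1 = response
FLAG_AA = 0x0400  # authoritative answer
FLAG_TC = 0x0200  # truncated
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


@dataclass
class DnsHeader:
    ident: int
    qr: bool
    opcode: int
    aa: bool
    tc: bool
    rd: bool
    ra: bool
    rcode: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(msg: bytes) -> DnsHeader:
    """Decode the fixed 12-byte header at the front of a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return DnsHeader(
        ident=ident,
        qr=bool(flags & FLAG_QR),
        opcode=(flags >> 11) & 0xF,
        aa=bool(flags & FLAG_AA),
        tc=bool(flags & FLAG_TC),
        rd=bool(flags & FLAG_RD),
        ra=bool(flags & FLAG_RA),
        rcode=flags & 0x000F,
        qdcount=qd, ancount=an, nscount=ns, arcount=ar,
    )


def classify_response(msg: bytes, expect_authoritative: bool) -> str:
    """Return 'accept', 'lame' or 'invalid' for a reply from a delegated server."""
    h = parse_header(msg)
    if not h.qr:
        return "invalid"          # a query, not a response: never use it
    if expect_authoritative and not h.aa:
        return "lame"             # server we were delegated to is not authoritative
    return "accept"


def handle_response(msg: bytes, server_ip: str, zone: str, strict: bool):
    """Apply the discard-or-log policy. Returns (accepted, log_line_or_None)."""
    verdict = classify_response(msg, expect_authoritative=True)
    if verdict == "accept":
        return True, None
    if verdict == "invalid":
        return False, f"discarding non-response message from {server_ip}#53"
    # Log line loosely modelled on BIND's lame-server message (assumed format).
    log = f"lame server resolving '{zone}' (in '{zone}'?): {server_ip}#53"
    # strict: discard the answer; lenient: log it but still use the records.
    return (not strict), log


def build_message(ident: int, flags: int, qname: bytes = b"example.com") -> bytes:
    """Construct a header plus one A/IN question section (sample data only)."""
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l for l in qname.split(b"."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


# Constructed samples: one reply from a genuinely authoritative server (AA set)
# and one from a recursive resolver answering out of cache (RA set, AA clear).
AUTHORITATIVE_REPLY = build_message(0x1234, FLAG_QR | FLAG_AA | FLAG_RD)
RECURSIVE_REPLY = build_message(0x1234, FLAG_QR | FLAG_RD | FLAG_RA)

if __name__ == "__main__":
    for name, msg in (("authoritative", AUTHORITATIVE_REPLY), ("recursive", RECURSIVE_REPLY)):
        for strict in (True, False):
            ok, log = handle_response(msg, "192.0.2.53", "example.com", strict)
            print(f"{name:14} strict={strict!s:5} accepted={ok!s:5} {log or ''}")
```

Running it shows the trade-off in one screen: the recursive reply is accepted only in lenient mode, but in both modes the same lame-server line is produced, so a resolver can keep serving users while the operator still gets the count Chris mentions in his logs.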


