nanog mailing list archives
Re: DNS cache poisoning attacks -- are they real?
From: Joe Maimon <jmaimon () ttec com>
Date: Sun, 27 Mar 2005 11:36:26 -0500
Suresh Ramasubramanian wrote:
On Sat, 26 Mar 2005 17:52:56 -0500 (EST), Sean Donelan <sean () donelan com> wrote:
<snip>
Thank $DEITY for large ISPs running open resolvers on fat pipes .. those do come in quite handy in a resolv.conf sometimes, when I run into this sort of behavior. --srs
Slightly OT to parent thread...on the subject of open dns resolvers. Common best practices seem to suggest that doing so is a bad thing. DNS documentation and http://www.dnsreport.com appear to view this negatively.
Is that the consensus among operators here? Does anyone feel that in spite of the {negligible} risk involved, since any abuse would be local in nature (as opposed to SMTP open relay) one should be good neighborly in this way? Or perhaps the prospect of yet another list of $IP_BLOCKS_THAT_ARE_OUR_NETWORK makes this a low priority on the TODO list of DNS operators?
Yes, if your resolvers are open to the world, cache poisoning becomes a lot easier and better targeted -- but then, if your resolvers are vulnerable to that, you would get bit by it sooner or later anyways.
Joe
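Added example, not part of the original message: a header-only check an operator can run from a host outside their own address blocks to see whether their resolver offers recursion to outsiders. The function names and the sample flag values are assumptions made for this sketch; query a name the server is not authoritative for.

```python
import socket
import struct

RA, QR = 0x0080, 0x8000            # header flag bits (RFC 1035)
NOERROR, NXDOMAIN, REFUSED = 0, 3, 5

def build_query(name, txid=0x1234):
    """A/IN query with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify_response(query, response):
    """Return 'open', 'closed', 'inconclusive' or 'invalid' (header-only heuristic)."""
    if len(response) < 12:
        return "invalid"
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return "invalid"           # not a reply to our query
    rcode = flags & 0x000F
    if rcode == REFUSED or not flags & RA:
        return "closed"            # refused, or recursion not offered to this client
    if rcode in (NOERROR, NXDOMAIN):
        return "open"              # the server recursed on an outsider's behalf
    return "inconclusive"          # e.g. SERVFAIL: retry with another name

def probe(server, name, timeout=3.0):
    """Send one query over UDP to your own resolver from an outside host."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-response"   # query dropped or filtered
        return classify_response(query, data)

def sample_reply(query, flags):
    """Constructed reply for offline testing: given flags, question echoed back."""
    return query[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + query[12:]
```

A "closed" result from outside combined with an "open" result from inside the listed networks is what a recursion ACL is expected to produce.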