nanog mailing list archives

Re: On-going Internet Emergency and Domain Names


From: Gadi Evron <ge () linuxbox org>
Date: Sun, 1 Apr 2007 21:30:32 -0500 (CDT)


On Sun, 1 Apr 2007, Chris L. Morrow wrote:
> On Sun, 1 Apr 2007, Paul Vixie wrote:
>
> > But, that's the DNS "edge", I'm not ready to see the DNS "core" gain features
> > like this.  Or if they do come, I'd like them to come as a result of consensus
> > driven protocol engineering (like inside the IETF) and take longer than "this
> > week" to be defined.  I hope this clarifies the incompatibility between me
> > helping dave build ICSS (an edge solution) and me saying that whiting out
> > malware domain names as a way to stop malware isn't a real (core) solution.
>
> Right, ICSS should be used (in your example) as close to the 'edge' as
> possible... or that's the intent of it, right? Let enterprise folks use
> these things, they have attentive helpdesk/admin folks to unscrew what the
> changes in basic plumbing have screwed up :)


I agree with everything else you said, and being the guy who made up the
term I believe in using DNS for detecting botnets in enterprise networks,
etc.

But building a wall to protect your port from attacks by pirates will not
make the pirates go away, and unfortunately, we can't convince everybody
to build walls and our security is nowadays dependent on others'.

        Gadi.

