Re: On-going Internet Emergency and Domain Names

[Gadi Evron <ge () linuxbox org>]

On 31 Mar 2007, Paul Vixie wrote:
> whoa.  this is like deja vu all over again.  when barb@CERT asked me to
> patch BIND gethostbyaddr() back in 1994 or so to disallow non-ascii host
> names in order to protect sendmail from a /var/spool/mqueue/qf* formatting
> vulnerability, i was fresh off the boat and did as i was asked.  a dozen
> years later i find that that bug in sendmail is long gone, but the pain
> from BIND's "check-names" logic is still with us.  i did the wrong thing
> and i should have said "just fix sendmail, i don't care how much easier
> it would be to patch libc, that's just wrong."
>
> are we really going to stop malware by blackholing its domain names?  if
> so then i've got some phone calls to make.

> are we really going to stop malware by blackholing its domain names?  if
> so then i've got some phone calls to make.

I don't know about bind, obviously your knowledge over-shadows
mine.
Changing bind for sendmail was likely silly but it showed some agaility we
seem to not have today.
If it could have been a temporary dynamic solution (rather than a
package change), it's an interesting concept.

Back to reality and 2007:
In this case, we speak of a problem with DNS, not sendmail, and not bind.

As to blacklisting, it's not my favorite solution but rather a limited
alternative I also saw you mention on occasion. What alternatives do
you offer which we can use today?

        Gadi.

> -- 
> Paul Vixie