nanog mailing list archives
Re: Great Suggestion for the DNS problem...?
From: Brian Dickson <briand () ca afilias info>
Date: Tue, 29 Jul 2008 04:00:57 +0100
What would the ip-blocking BGP feed accomplish? Spoofed source addresses are a staple of the DNS cache poisoning attack. Worst case scenario, you've opened yourself up to a new avenue of attack where your nameservers are receiving spoofed packets intended to trigger a blackhole filter, blocking communication between your network and the legitimate owner of the forged IP address.
Yes, but what about blocking the addresses of recursive resolvers that are not yet patched?
That would certainly stop them from being poisoned, and incent their owners to patch...
1/2 :-) Brian
Michael Smith wrote: Still off topic, but perhaps a BGP feed from Cymru or similar to block IP addresses on the list? Regards, Mike