nanog mailing list archives

Re: news from Google


From: Paul Ferguson <fergdawgster () gmail com>
Date: Sun, 6 Dec 2009 17:37:24 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, Dec 6, 2009 at 5:30 PM, Danny McPherson <danny () tcb net> wrote:

> I think one of the things that concerns me most with Google
> validating and jumping on the DNS "open resolver" bandwagon
> is that it'll force more folks (ISPs, enterprises and end
> users alike) to leave DNS resolver IP access wide open.
> Malware already commonly changes DNS resolver settings to
> rogue resolvers, and removes otherwise resident malcode from
> the end system to avoid detection by AV and the like.
>
> One of the primary recommendations I give to enterprises is to
> force use of internal resolvers, and log all other attempted
> DNS resolution queries elsewhere, it's a quick way to detect
> some compromised systems.  [...]

Indeed -- as this is exactly what we have seen, as discussed in the good
white paper by Antoine Schonewille and Dirk-Jan van Helmond in 2006 (I've
used this paper as a reference many times), "The Domain Name Service as
an IDS: How DNS can be used for detecting and monitoring badware in a
network":

http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFLHFxJq1pz9mNUZTMRAti9AKDYQalIoQ5aHDjsRzU9bz6ulxVLUwCePYbW
v3KSVdE37Uyz/GXhC0dhaA0=
=K0HW
-----END PGP SIGNATURE-----


--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
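The detection McPherson describes (force clients onto internal resolvers, then log everything else that tries to talk DNS elsewhere) is easy to automate over a border firewall's flow log. The following is an added example, not code from the thread or from the paper Ferguson cites: the log line format, the approved-resolver addresses and every sample record are constructed for illustration. It parses port-53 flows (UDP and TCP) from internal hosts and reports each host that sent queries to a resolver outside the approved set, which is the signal that a machine's resolver settings have been changed.

```python
"""Flag internal hosts that send DNS traffic to resolvers other than the
approved internal ones.

Constructed example: the flow-log format below is simplified and made up,
and all addresses are documentation/private ranges, not real infrastructure.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical policy: only these two internal resolvers are permitted.
APPROVED_RESOLVERS = {ip_address("10.0.0.53"), ip_address("10.0.1.53")}
# Hypothetical internal address space; only hosts inside it are in scope.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample of a border firewall's flow log (format is made up).
SAMPLE_LOG = """\
2009-12-06T17:30:01 ACCEPT udp 10.0.5.21:51234 -> 10.0.0.53:53
2009-12-06T17:30:02 ACCEPT udp 10.0.5.21:51235 -> 10.0.0.53:53
2009-12-06T17:30:05 ACCEPT udp 10.0.7.88:40001 -> 203.0.113.9:53
2009-12-06T17:30:06 ACCEPT tcp 10.0.7.88:40002 -> 203.0.113.9:53
2009-12-06T17:30:07 ACCEPT udp 10.0.7.88:40003 -> 198.51.100.4:53
2009-12-06T17:30:09 ACCEPT udp 10.0.9.14:55000 -> 10.0.1.53:53
2009-12-06T17:30:10 ACCEPT tcp 10.0.9.14:55001 -> 192.0.2.80:443
2009-12-06T17:30:11 ACCEPT udp 10.0.7.88:40004 -> 10.0.0.53:53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ip_address(rec["src"])
    rec["dst"] = ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    """True if addr falls inside one of our internal networks."""
    return any(addr in net for net in INTERNAL_NETS)


def find_rogue_dns(log_text):
    """Map each internal source host to a dict of non-approved resolver
    addresses it sent DNS (port 53, UDP or TCP) traffic to, with counts.

    Hosts that only talk to APPROVED_RESOLVERS never appear in the result;
    non-DNS flows and flows from outside INTERNAL_NETS are ignored.
    """
    rogue = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != 53:
            continue
        if not is_internal(rec["src"]):
            continue
        if rec["dst"] in APPROVED_RESOLVERS:
            continue
        rogue[str(rec["src"])][str(rec["dst"])] += 1
    return {src: dict(c) for src, c in rogue.items()}


if __name__ == "__main__":
    for host, resolvers in sorted(find_rogue_dns(SAMPLE_LOG).items()):
        print(f"{host}: DNS to non-approved resolvers {resolvers}")
```

Run on the sample, only 10.0.7.88 is reported (three queries to two outside resolvers); its later query to the approved 10.0.0.53 does not clear it, since a single stray query is already worth a look. Note that this only sees traffic the firewall logs on port 53, so it complements, rather than replaces, the resolver-side query logging the paper describes.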