Re: What DNS Is Not

[Andrew Cox <andrew () accessplus com au>]

Shouldn't such apps be checking the content they receive back from a 
server anyway?
Regardless of if they think they're getting to the right server (due to 
a bogus non-NXDOMAIN response) there should be some sort of validation 
in place.. otherwise you're open in any sort of man-in-the-middle attack.

I think the issue is more that older apps would expect that if they can 
get a response then everything is ok.. perhaps this simply an outdated 
method and needs to be rethought.

Valdis.Kletnieks () vt edu wrote:
> On Mon, 09 Nov 2009 15:04:06 PST, Bill Stewart said:
>
>   
> > For instance, returning the IP address of your company's port-80 web
> > server instead of NXDOMAIN
> > not only breaks non-port-80-http applications
> >     
>
> Remember this...
>
>   
> > There is one special case for which I don't mind having DNS servers
> > lie about query results,
> > which is the phishing/malware protection service.  In that case, the
> > DNS response is redirecting you to
> > the IP address of a server that'll tell you
> >        "You really didn't want to visit PayPa11.com - it's a fake" or
> >        "You really didn't want to visit
> > dgfdsgsdfgdfgsdfgsfd.example.ru - it's malware".
> > It's technically broken, but you really _didn't_ want to go there anyway.
> > It's a bit friendlier to administrators and security people if the
> > response page gives you the
> >     
>
> Returning bogus non-NXODMAIN gives non-port-80-http apps heartburn as well.
>
>