nanog mailing list archives
Re: What DNS Is Not
From: Andrew Cox <andrew () accessplus com au>
Date: Tue, 10 Nov 2009 14:45:19 +1030
Shouldn't such apps be checking the content they receive back from a server anyway? Regardless of whether they think they're getting to the right server (due to a bogus non-NXDOMAIN response), there should be some sort of validation in place; otherwise you're open to any sort of man-in-the-middle attack.
I think the issue is more that older apps would expect that if they can get a response then everything is OK; perhaps this is simply an outdated method and needs to be rethought.
Valdis.Kletnieks () vt edu wrote:
> On Mon, 09 Nov 2009 15:04:06 PST, Bill Stewart said:
>> For instance, returning the IP address of your company's port-80 web server instead of NXDOMAIN not only breaks non-port-80-http applications
> Remember this...
>> There is one special case for which I don't mind having DNS servers lie about query results, which is the phishing/malware protection service. In that case, the DNS response is redirecting you to the IP address of a server that'll tell you "You really didn't want to visit PayPa11.com - it's a fake" or "You really didn't want to visit dgfdsgsdfgdfgsdfgsfd.example.ru - it's malware". It's technically broken, but you really _didn't_ want to go there anyway. It's a bit friendlier to administrators and security people if the response page gives you the
> Returning bogus non-NXDOMAIN gives non-port-80-http apps heartburn as well.
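The kind of check Andrew Cox is asking for, as an added example that is not from the thread: a small Python probe that detects a resolver synthesising answers for names that should return NXDOMAIN, so an application can treat that sink address as "not found". The resolvers, host names and addresses (documentation ranges) are constructed for the example; `system_resolver` wraps the real stub resolver for use against a live network.

```python
import random
import socket
import string
from collections import Counter
from typing import Callable, Dict, Optional

# A resolver is modelled as a callable: name -> IPv4 string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

# Constructed sample data (documentation address ranges, not real hosts).
REAL_HOSTS: Dict[str, str] = {"www.example.com": "203.0.113.5"}
PORTAL_IP = "192.0.2.10"  # hypothetical "search portal" a lying resolver hands out

def honest_resolver(name: str) -> Optional[str]:
    """Returns NXDOMAIN (None) for anything it does not know."""
    return REAL_HOSTS.get(name)

def lying_resolver(name: str) -> Optional[str]:
    """Rewrites every NXDOMAIN into the portal address, as discussed in the thread."""
    return REAL_HOSTS.get(name, PORTAL_IP)

def system_resolver(name: str) -> Optional[str]:
    """The host's real stub resolver; gaierror covers NXDOMAIN and other failures."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def random_label(n: int = 12) -> str:
    return "".join(random.choice(string.ascii_lowercase) for _ in range(n))

def detect_nxdomain_rewrite(resolve: Resolver, zone: str = "example.com", probes: int = 5) -> Optional[str]:
    """Query several random, almost certainly nonexistent names under `zone`.
    An honest resolver answers NXDOMAIN for all of them. If every probe instead
    resolves to one and the same address, the resolver is synthesising answers;
    return that sink address (or None if no rewriting was observed)."""
    answers = [resolve(f"{random_label()}.{zone}") for _ in range(probes)]
    if any(a is None for a in answers):
        return None
    addr, count = Counter(answers).most_common(1)[0]
    return addr if count == probes else None

def resolve_strict(resolve: Resolver, name: str, sink: Optional[str]) -> Optional[str]:
    """Application-side validation: an answer equal to the detected sink is
    treated as NXDOMAIN instead of being connected to."""
    addr = resolve(name)
    return None if addr == sink else addr

if __name__ == "__main__":
    sink = detect_nxdomain_rewrite(lying_resolver)
    print("rewriting resolver sink:", sink)
    print("nosuchhost ->", resolve_strict(lying_resolver, "nosuchhost.example.com", sink))
```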