Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: DNS cache poisoning attacks -- are they real?

  • From: Joe Maimon
  • Date: Sun Mar 27 16:44:03 2005



bmanning@vacation.karoshi.com wrote:
On Sun, Mar 27, 2005 at 11:36:26AM -0500, Joe Maimon wrote:

<snip>
	er... common best practice for YOU... perhaps.
	dnsreport.com is apparently someone who agrees w/ you.
	and i know why some COMMERCIAL operators want to squeeze
	every last lira from the services they offer...
	but IMRs w/ unrestricted access are a good a valuable tool
	for the Internet community at large.

	IMR? - you know, an Interative Mode Resolver aka caching server.


Joe

--bill


Thanks for the feedback, bill and all else who have responded.

Just want to clarify -- Thats NOT my position, any resolvers (not like thats a great many big important ones like others here can attest to) I have run were not purposefully closed off from anyone (who was not being abusive).

Security is critical, but I am from the school that advocates leaving open that which

* may be usefull to others

* does not cost me {much} - cost is in terms of {money | cpu | ram | bw | mgmt | what have you}

* takes extra effort to close off

* Has no recent history of badness (insert your definition for "recent")

* Is easily verifiable (you should know real quick if your DNS cache is poisoned)

* avoids issues on how to make things work now that you have screwed it all up by denying resolving to all [insert all corner cases here] (simply as an example)

Easy to make a road, hard to make a prison.




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.