North American Network Operators Group
Re: DNS cache poisoning attacks -- are they real?
- From: Joe Maimon
- Date: Sun Mar 27 16:44:03 2005
bmanning@vacation.karoshi.com wrote:
On Sun, Mar 27, 2005 at 11:36:26AM -0500, Joe Maimon wrote:
<snip>
er... common best practice for YOU... perhaps.
dnsreport.com is apparently someone who agrees w/ you.
and i know why some COMMERCIAL operators want to squeeze
every last lira from the services they offer...
but IMRs w/ unrestricted access are a good and valuable tool
for the Internet community at large.
IMR? - you know, an Iterative Mode Resolver aka caching server.
Joe
--bill
Thanks for the feedback, bill and all else who have responded.
Just want to clarify -- That's NOT my position, any resolvers (not like
that's a great many big important ones like others here can attest to) I
have run were not purposefully closed off from anyone (who was not being
abusive).
Security is critical, but I am from the school that advocates leaving
open that which
* may be useful to others
* does not cost me {much} - cost is in terms of {money | cpu | ram | bw
| mgmt | what have you}
* takes extra effort to close off
* Has no recent history of badness (insert your definition for "recent")
* Is easily verifiable (you should know real quick if your DNS cache is
poisoned)
* avoids issues on how to make things work now that you have screwed it
all up by denying resolving to all [insert all corner cases here]
(simply as an example)
Easy to make a road, hard to make a prison.