Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: DNS cache poisoning attacks -- are they real?

  • From: John Payne
  • Date: Mon Mar 28 01:05:24 2005


On Mar 27, 2005, at 1:25 PM, Christopher L. Morrow wrote:

> Larger providers have the problem that you can't easily filter
> 'customers' from 'non-customers' in a sane and scalable fashion.
Hrm? Larger providers tend to have old swamp space lying around :)

Throw the resolvers on a netblock that's not routed out to your border routers (transit, peering), only the customer facing ones... with a secondary address that is routed. Secondary address doesn't listen for queries, only answers.

And to Randy's point about problems with open recursive nameservers... abusers have been known to cache "hijack". Register a domain, configure an authority with very large TTLs, seed it onto known open recursive nameservers, update domain record to point to the open recursive servers rather than their own. Wammo, "bullet proof" dns hosting.

(Yeah, it'd be nice if people didn't listen to non-AA answers to their queries, but they do).
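The cache-hijack sequence in the message above, replayed as an added worked example (this is not code from the original post or from anyone on the thread). It models two "known open recursive nameservers", an abuser-run authoritative server, and a victim resolver whose one policy knob is whether it will cache a non-AA answer from a delegated nameserver. The domain name, address, TTL, the hop limit and the toy resolver logic are all made up for illustration; only the order of moves (seed open resolvers with long-TTL data, re-point the delegation at them, switch the real server off) is the one the post describes.

```python
"""Toy model of the cache "hijack" described in the post.

Added example, not code from the original post or from NANOG. All names,
addresses, TTLs and the tiny resolver logic are made up for illustration;
only the sequence of moves is the one the post describes.
"""

DOMAIN = "www.evil.example."      # hypothetical abuser-registered name
HUGE_TTL = 7 * 24 * 3600          # one week, the post's "very large TTLs"
MAX_DEPTH = 2                     # stop referral loops between open resolvers


class AuthServer:
    """The abuser's own authoritative server (can be switched off)."""

    def __init__(self, zone):
        self.zone = zone          # name -> (rdata, ttl)
        self.online = True

    def query(self, name, depth=0):
        if not self.online or name not in self.zone:
            return None           # timeout / NXDOMAIN: nothing usable
        rdata, ttl = self.zone[name]
        return {"rdata": rdata, "ttl": ttl, "aa": True}


class Delegation:
    """Stand-in for the parent zone / registrar: which servers are NS."""

    def __init__(self, servers):
        self.servers = list(servers)


class RecursiveResolver:
    """A caching recursive resolver. With accept_non_aa=True it caches
    whatever a delegated NS returns, AA bit or not (the behaviour the post
    laments); with accept_non_aa=False it insists on an authoritative answer."""

    def __init__(self, delegation, accept_non_aa, clock):
        self.delegation = delegation
        self.accept_non_aa = accept_non_aa
        self.clock = clock
        self.cache = {}           # name -> (rdata, expires_at)

    def query(self, name, depth=0):
        """Return an answer dict, or None for SERVFAIL. Cached answers go
        out with AA=0, exactly as a real recursive server sends them."""
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return {"rdata": hit[0], "ttl": int(hit[1] - now), "aa": False}
        if depth > MAX_DEPTH:
            return None           # open resolvers referring to each other
        for ns in self.delegation.servers:
            if ns is self:
                continue
            ans = ns.query(name, depth + 1)
            if ans is None:
                continue
            if not ans["aa"] and not self.accept_non_aa:
                continue          # strict policy: ignore non-AA data from an NS
            self.cache[name] = (ans["rdata"], now + ans["ttl"])
            return {"rdata": ans["rdata"], "ttl": ans["ttl"], "aa": False}
        return None


def run_hijack(victim_accepts_non_aa, elapsed=3600):
    """Replay the post's sequence and return the address a victim resolver
    ends up with `elapsed` seconds after the abuser's server goes away
    (None means the victim got SERVFAIL)."""
    now = [1_000_000.0]           # fake clock keeps the run deterministic

    def clock():
        return now[0]

    auth = AuthServer({DOMAIN: ("192.0.2.66", HUGE_TTL)})
    delegation = Delegation([auth])
    open_a = RecursiveResolver(delegation, True, clock)   # known open resolvers
    open_b = RecursiveResolver(delegation, True, clock)

    # 1. Seed: abuser asks each open resolver for the name while its own
    #    authoritative server is still up, loading their caches with HUGE_TTL.
    for r in (open_a, open_b):
        assert r.query(DOMAIN)["rdata"] == "192.0.2.66"

    # 2. Update the domain record so the NS set is the open resolvers, then
    #    take the real server offline. "Bullet proof" hosting from here on.
    delegation.servers = [open_a, open_b]
    auth.online = False
    now[0] += elapsed

    # 3. A victim resolver looks the name up through the delegation.
    victim = RecursiveResolver(delegation, victim_accepts_non_aa, clock)
    ans = victim.query(DOMAIN)
    return ans["rdata"] if ans else None


if __name__ == "__main__":
    print("lenient victim:", run_hijack(True))
    print("strict victim: ", run_hijack(False))
    print("lenient, TTL expired:", run_hijack(True, HUGE_TTL + 1))
```

Running it shows the two halves of the post's point: a victim that accepts non-AA answers resolves the name for as long as the open resolvers' caches hold the seeded record, even though the abuser's own server is gone, while a victim that insists on AA answers from a delegated nameserver gets SERVFAIL. Once the seeded TTL runs out the hosting collapses for everyone, which is why the abuser picks a very large TTL and can simply re-seed before it expires.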
