[Sysadmins] Eircom DNS
paul at jakma.org
Fri Jul 10 09:32:31 IST 2009
On Thu, 9 Jul 2009, Declan Kelly wrote:
> Having every end-user home and office computer running their own
> DNS resolver is not going to make it less likely that someone can
> do bad things - attacks on authoritative nameservers are more
> effective than going after the resolvers of any large consumer ISP,
> for example.
This isn't true, AFAIK.
I've not heard of easy DNS-protocol attacks against authoritative
servers. There are fairly trivial attacks that let you inject very
compromising records into caching, recursive servers - though, they
take more time/bandwidth with recent servers (previously it was
seconds, now it takes a day or two, I gather).
I.e. ISP-scale caching nameservers are just a really bad idea in this
day and age.
Also, I gather they'll remain a bad idea even with DNSSec as they
complicate verification of the chain of trust. Indeed, they defeat
that verification if TSIG is not used between client and the
recursive NS (fat chance of ISPs managing to get clients to configure
Please let's start deprecating shared, caching nameservers.
ObOperations:: the BIND "additional-from-cache no;" directive is a
very good thing to set on intended authoritative-only servers (for
security, also for packet sizes).
Paul Jakma paul at jakma.org Key ID: 64A2FF6A
The biggest problem with communication is the illusion that it has occurred.
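The injection attacks against caching resolvers mentioned above rely on a resolver accepting records for names outside the zone it actually asked about. The following is an added illustration, not code from the thread or from BIND, of the resolver-side bailiwick rule that rejects such records; the `Response` type, the `(name, type, rdata)` tuple model and the sample response are constructed for the example, and no wire-format parsing is done.

```python
"""Bailiwick filter for DNS responses (added example, not from the thread).

A caching resolver must not cache additional-section records whose owner
names fall outside the zone the queried server is authoritative for;
otherwise a reply about www.example.org could smuggle in an A record for
an unrelated name. Authoritative servers, for their part, should not hand
out additional records pulled from a cache ("additional-from-cache no;").
Assumption: records are (owner, type, rdata) tuples; all data constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

RR = Tuple[str, str, str]  # (owner name, record type, rdata)


def _norm(name: str) -> str:
    """Canonical form: lower-case, exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is zone itself or a name below it (not a look-alike)."""
    o, z = _norm(owner), _norm(zone)
    return o == z or o.endswith("." + z)


@dataclass
class Response:
    qname: str
    zone: str                      # zone the responding server serves
    answer: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def cacheable_records(resp: Response) -> List[RR]:
    """Keep only records a cache may store: those inside the zone the
    responding server is authoritative for, from either section."""
    return [rr for rr in resp.answer + resp.additional
            if in_bailiwick(rr[0], resp.zone)]


# Constructed response: glue for ns1 is legitimate, the last record is not.
SAMPLE = Response(
    qname="www.example.org", zone="example.org",
    answer=[("www.example.org", "A", "192.0.2.10")],
    additional=[("ns1.example.org", "A", "192.0.2.53"),
                ("www.bank.example", "A", "198.51.100.7")],
)

if __name__ == "__main__":
    for rr in cacheable_records(SAMPLE):
        print(rr)   # the www.bank.example record is dropped
```

The filter is deliberately strict: `notexample.org` is not treated as part of `example.org`, which is the kind of suffix mistake that turns a bailiwick check into no check at all.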