[Sysadmins] Eircom DNS

Paul Jakma paul at jakma.org
Fri Jul 10 09:32:31 IST 2009


On Thu, 9 Jul 2009, Declan Kelly wrote:

> Having every end-user home and office computer running their own 
> DNS resolver is not going to make it less likely that someone can 
> do bad things - attacks on authoritative nameservers are more 
> effective than going after the resolvers of any large consumer ISP, 
> for example.

This isn't true, AFAIK.

I've not heard of easy DNS-protocol attacks against authoritative 
servers. There are fairly trivial attacks that let you inject very 
compromising records into caching, recursive servers - though, they 
take more time/bandwidth with recent servers (previously it was 
seconds, now it takes a day or two, I gather).

I.e. ISP-scale caching nameservers are just a really bad idea in this 
day and age.

Also, I gather they'll remain a bad idea even with DNSSec as they 
complicate verification of the chain of trust. Indeed, they defeat 
that verification if TSIG is not used between client and the 
recursive NS (fat chance of ISPs managing to get clients to configure 
that!).

Please let's start deprecating shared, caching nameservers.

ObOperations:: the BIND "additional-from-cache no;" directive is a 
very good thing to set on intended authoritative-only servers (for 
security, also for packet sizes).

regards,
-- 
Paul Jakma	paul at jakma.org	Key ID: 64A2FF6A
Fortune:
The biggest problem with communication is the illusion that it has occurred.
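The following named.conf fragment is an added example, not part of the thread above or of any BIND documentation; it shows the "additional-from-cache no;" directive from the post in the context of an authoritative-only BIND 9 server of that era. The zone name, file paths and the companion settings (recursion, allow-recursion, allow-transfer) are the editor's assumptions about a typical hardened layout, not something the poster recommended.

```conf
// Added example named.conf fragment (not from the thread).
// Goal: an authoritative-only BIND 9 server that never serves cached
// data, so there is no resolver cache for a poisoning attempt to target.
options {
    directory "/var/named";          // placeholder path

    // Refuse recursion outright. The server answers only for zones it
    // is authoritative for and returns REFUSED for everything else.
    recursion no;
    allow-recursion { none; };

    // The directive from the post: never use cached records to fill the
    // additional section of an authoritative answer. Answers are built
    // from zone data only, which also keeps responses smaller.
    additional-from-cache no;
};

// Placeholder zone; substitute the zones this server is master for.
zone "example.net" {
    type master;
    file "example.net.zone";         // placeholder path
    allow-transfer { none; };        // add secondaries explicitly if needed
};
```

After reloading, a quick check is `dig @<server> example.net SOA`: the flags line should show `aa` and must not show `ra` (recursion available), and a query for a name outside the served zones should come back REFUSED rather than answered. Note that later BIND releases dropped the additional-from-cache option (the 9.12 release notes list its removal), so on a modern server rely on "recursion no;" and consult the ARM for the installed version.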