[Sysadmins] Eircom DNS

Declan Kelly stdlib at groov.ie
Fri Jul 10 17:04:50 IST 2009


On Thu, Jul 09, 2009 at 10:30:39PM +0100, colm at allcosts.net wrote:
> 
> > Any *good* professional admin will make it his or her business to find
> > out what you're talking about, and estimate how much work is involved in
> > diagnosing and/or fixing the problems.
> 
> That reminds me of the Turing halting problem. It's pretty hard to
> estimate how much time will be involved in diagnosing a problem
> without also actually diagnosing that problem.

Good point :-)


> > Having every end-user home and office computer running their own DNS
> > resolver is not going to make it less likely that someone can do bad
> > things - attacks on authoritative nameservers are more effective than
> > going after the resolvers of any large consumer ISP, for example.
> 
> I don't agree with that, and you haven't given any evidence of it.

You're right, I haven't.

> general, caches are vulnerable to a far greater range of attacks than
> authoritative name servers. In general, authoritative name servers are
> more carefully maintained. So I don't see why it should be true.

I was trying to make the point that while it might be trivial to poison
caches and maybe target a few mass consumer ISPs, if a cracker wanted to
MITM a bank or e-commerce site, going after the authoritative name servers
would be more effective. Not necessarily easier.

-- 
-Dec.				Consultant Sysadmin, Dublin.
---
"I am very new to programming drivers so if I sound un-knowledgeable
 then it's because I am." - Ceri Coburn, First4Internet, 2003-03-28


