Re: Sitefinder II, the sequel...

From: Chris Woodfield (no email)
Date: Thu Jul 13 2006 - 09:35:39 EDT

  • Next message: Christopher L. Morrow: "Re: Sitefinder II, the sequel..."

    Going off on something of a tangent, I'd be really curious what sort
    of efforts OpenDNS are making/will need to make in order to limit
    their servers' utility as a relay for amplification attacks (which
    I'm listening to a discussion on at IETF as I type).

    http://www.ietf.org/internet-drafts/draft-ietf-dnsop-reflectors-are-evil-01.txt

    On Jul 13, 2006, at 8:08 AM, Patrick W. Gilmore wrote:

    >
    > On Jul 13, 2006, at 3:39 AM, Simon Waters wrote:
    >
    >> Most of those I know try to deploy recursive services as close as
    >> possible to the client, avoiding where possible alternative views
    >> of the DNS, and forwarding.
    >
    > Would that everyone did what the people you know do.
    >
    > Unfortunately, there are a few providers doing things like
    > outsourcing their recursive service to, say, their upstream, or
    > having one "node" of recursive servers anywhere in the world for
    > all their end users. These providers violate the first part of
    > your sentence.
    >
    > The second part doesn't make any sense to me. It seems that having
    > multiple, geographically disparate recursive name servers would be
    > more likely to present an "alternative [view] of the DNS". (In
    > fact, I can prove that's true in at least some cases. :) So you
    > are actually arguing -against- your first point.
    >
    > That said, no one has yet said why it is necessary, or even
    > desirable, to have a completely homogenous view of the world.
    >
    >
    >> Perhaps time to ask Brad, Paul and Cricket what they think, and
    >> have answers to their comments.
    >
    > Perhaps. However, in the last DNS related thread, Paul made a
    > pretty strong claim (violating a protocol) and showed exactly
    > _ZERO_ facts to back it up, despite being asked at least five times
    > (by my count).
    >
    >
    >> With automated responses to "bad things", it is usually best to
    >> minimise the scope of the change. Similarly typo correction makes
    >> sense for URLs, but not for most other uses of the DNS (hence the
    >> proviso you make to switch it off if you use RBL, although I'd say
    >> switch it off for all email servers lest you start correcting
    >> spambot crud, our email servers make a DNS check on the sender's
    >> domain, that doesn't want correcting either), so the answer is
    >> probably browser plug-in (although most browsers already try to
    >> guess what you meant to some extent).
    >
    > Perhaps something as simple as a preference only 'correcting'
    > queries that begin with "www"?
    >
    > --
    > TTFN,
    > patrick
    >

