[Chugalug] Signing DNS Queries

David White dwrudy at gmail.com
Wed Sep 4 14:35:31 UTC 2013


.... or, is what I just described exactly what DNSSEC is? (For you DNSSEC
geeks out there: this is still one aspect of DNS I don't fully
understand.)


On Wed, Sep 4, 2013 at 10:21 AM, David White <dwrudy at gmail.com> wrote:

> Many of you guys know that DNS is something I'm interested in and continue
> to do a lot of research and work in. I'm nowhere near an expert, but find
> this aspect of the interwebs fascinating, and have done what I can to
> understand it better and advocate for best DNS practices.
>
> I'm doing some brainstorming right now, and think I've come up with a
> theory that could possibly work in practice, but is probably a dumb idea.
> What do y'all think? Is this a stupid idea? (In theory, I think it's good,
> but in practice, I do think it's dumb.)
>
> Here's a recent article on DNS Amplification attacks and how millions of
> home routers around the world are being used for the attacks:
> http://www.circleid.com/posts/20130903_dns_amplification_attacks_out_of_sight_out_of_mind_part_2/
>
> My theory is to create some sort of signing system for devices querying
> DNS resolvers that would authenticate the device making the query.
>
> Sort of like DKIM for email, each router would generate a unique public /
> private key pair (different from the MAC address) that would then tie into
> the router's owner's domain system.
>
> The public key for the router would go into public DNS, and the private
> key would be stored on the router. If the keys don't match, then the
> resolver doesn't respond / denies the request.
>
> I see a few major disadvantages to a system like this, including:
>
>    - Added bandwidth to the DNS system
>    - No incentive for home users (or anyone, for that matter) to
>    implement the system on their routers
>    - Low incentive for system administrators who operate resolvers to
>    implement it onto their servers
>    - Too much data to track in the DNS system (millions of DNS records -
>    1 for each router - would be absurd.... unless each router were given a
>    unique subdomain name that the ISP tracked and updated automatically)
>
> I see this system giving the most benefit to home ISP providers.
>
> --
> David White
> Founder & CEO
> Develop CENTS
> Computing, Equipping, Networking, Training & Supporting
> Nonprofit Organizations Worldwide
> http://developcents.com
> 423-693-4234
>



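A sketch of the scheme described in the post, as an added example that is not part of the original message and not code from any real router or resolver: each router holds an Ed25519 private key, publishes the matching public key under a name the resolver can look up (here a constructed in-memory map standing in for public DNS, keyed by the hypothetical name router1.cust.example.net), signs the wire-format query together with its identity and an issue time, and the resolver answers only when the published key verifies the signature and the query falls inside a short replay window. On the DNSSEC question raised above: DNSSEC signs zone data carried in responses, not queries; the standardised mechanism closest to what the post describes is SIG(0) (RFC 2931), which signs a DNS message with a public key published in the zone as a KEY record.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
)

// KeyDirectory stands in for "public DNS": it maps a router's identity name
// (a hypothetical per-router subdomain) to the public key published there.
// Constructed for this example; a real resolver would query for it.
type KeyDirectory map[string]ed25519.PublicKey

// SignedQuery is the hypothetical envelope a router would send: a normal
// DNS query in wire format plus the fields the signature covers.
type SignedQuery struct {
	Wire     []byte // RFC 1035 query message (header + one question)
	RouterID string // name under which the router's public key is published
	Issued   int64  // Unix seconds; lets the resolver bound replay
	Sig      []byte // Ed25519 signature over signingInput(...)
}

// MaxSkew is the replay window: a signed query older or newer than this is
// rejected even if the signature verifies.
const MaxSkew = 5 * time.Minute

// BuildQuery encodes a minimal DNS query: 12-byte header with RD set and
// QDCOUNT=1, followed by the question (QNAME labels, QTYPE, QCLASS=IN).
func BuildQuery(id uint16, name string, qtype uint16) ([]byte, error) {
	out := make([]byte, 12)
	binary.BigEndian.PutUint16(out[0:2], id)
	binary.BigEndian.PutUint16(out[2:4], 0x0100) // QR=0, opcode 0, RD=1
	binary.BigEndian.PutUint16(out[4:6], 1)      // QDCOUNT
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if len(label) == 0 || len(label) > 63 {
			return nil, errors.New("invalid label in " + name)
		}
		out = append(out, byte(len(label)))
		out = append(out, label...)
	}
	out = append(out, 0) // root label terminates QNAME
	out = append(out, byte(qtype>>8), byte(qtype))
	out = append(out, 0, 1) // QCLASS=IN
	return out, nil
}

// signingInput fixes the bytes the signature covers: length-prefixed router
// ID, 8-byte issue time, then the full query, so no field can be shifted.
func signingInput(routerID string, issued int64, wire []byte) []byte {
	b := []byte{byte(len(routerID) >> 8), byte(len(routerID))}
	b = append(b, routerID...)
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(issued))
	b = append(b, ts[:]...)
	return append(b, wire...)
}

// Sign is the router side: the private key never leaves the device.
func Sign(priv ed25519.PrivateKey, routerID string, issued int64, wire []byte) SignedQuery {
	return SignedQuery{
		Wire:     wire,
		RouterID: routerID,
		Issued:   issued,
		Sig:      ed25519.Sign(priv, signingInput(routerID, issued, wire)),
	}
}

// Verify is the resolver side. It returns nil only when the router's
// published key verifies the signature and the query is inside the replay
// window; any error means "do not answer", so a spoofed-source query that
// carries no valid signature draws no amplified reply.
func Verify(dir KeyDirectory, q SignedQuery, now time.Time) error {
	pub, ok := dir[q.RouterID]
	if !ok {
		return errors.New("no published key for " + q.RouterID)
	}
	if age := now.Sub(time.Unix(q.Issued, 0)); age > MaxSkew || age < -MaxSkew {
		return fmt.Errorf("issued %s from now, outside replay window", age)
	}
	if !ed25519.Verify(pub, signingInput(q.RouterID, q.Issued, q.Wire), q.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dir := KeyDirectory{"router1.cust.example.net": pub} // hypothetical name
	wire, _ := BuildQuery(0x1234, "developcents.com.", 1) // qtype 1 = A
	now := time.Now()
	q := Sign(priv, "router1.cust.example.net", now.Unix(), wire)
	fmt.Println("signed query:", Verify(dir, q, now))
	q.Wire[len(q.Wire)-1] ^= 1 // tamper with QCLASS after signing
	fmt.Println("tampered query:", Verify(dir, q, now))
}
```

The issue-time check is the caveat a resolver would need: without it, one captured signed query could be replayed from a spoofed source indefinitely. Signing on its own also does not stop someone who controls a router with a published key from sending validly signed queries with a forged source address; what it adds is that the resolver can refuse everything unsigned and attribute or rate-limit the rest per key.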