[Chugalug] Signing DNS Queries
dave at brockmans.com
Wed Sep 4 18:08:27 UTC 2013
On 9/4/2013 11:28 AM, David White wrote:
> Oh, I agree completely - open resolvers are a bad idea to begin
> with. But so many of them are out there (misconfigured), and major
> ISPs have them for their customers, that they aren't going away.

Open resolvers were not a bad idea to begin with. They were essential
to the functioning of the Internet once it outgrew the InterNIC
"hosts" file. Open SMTP relay also played a crucial part in growing
the Internet. We geeks are effing awesome at developing technical
solutions to overcome technical problems. We are not very good at
anticipating just how *evil* people are.

A very large percentage of what you are referencing is uber-cheap CPE
router/modem that enables a DNS resolver on the WAN interface!

ISPs should *ONLY* allow their network(s) to recursively query their
name servers. That is not the definition of an open resolver.

There is already movement to identify and close open resolvers.
Quite a bit of traction has already been made, but we have a long,
long way to go.