[Chugalug] Signing DNS Queries

Dave Brockman dave at brockmans.com
Wed Sep 4 18:08:27 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 9/4/2013 11:28 AM, David White wrote:
> Oh, I agree completely - open resolvers are a bad idea to begin
> with. But so many of them are out there (misconfigured), and major
> ISPs have them for their customers, that they aren't going away.

Open resolvers were not a bad idea to begin with.  They were essential
to the functioning of the Internet once it outgrew the InterNIC
"hosts" file.  Open SMTP relay also played a crucial part in growing
the Internet.  We geeks are effing awesome at developing technical
solutions to overcome technical problems.  We are not very good at
anticipating just how *evil* people are.

A very large percentage of what you are referencing is uber-cheap CPE
router/modem that enables a DNS resolver on the WAN interface!

ISPs should *ONLY* allow their network(s) to recursively query their
name servers.  That is not the definition of an open resolver.

There is already movement[1] to identify and close open resolvers.
Quite a bit of traction has already been made, but we have a long,
long way to go.

Regards,

dtb

1. http://openresolverproject.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJSJ3caAAoJEMP+wtEOVbcdOTAIAJotPDt+2uqwAS9dz6EG5de5
2SbBurGeygyCZakOBokecqoZ/sHqyXKBWUxhTjF6jk2fd4yPulaqkUcNNKEiRaIw
LL0CnATesmPPLqG1nyghlJYRA2axdkpUbIM4W8AxHpZX0YUC8ndgI/4PHdtXOpqm
SDLTqnjwlEviZ7/wNSGHm6tvPlje54SObUjDMRSDuLdU4DpjZ+127bWbm5OvAEOE
0PwxHr7ry7Y3dIzKklPPL0B3fDwK9iXnJPgn+X1XDelsGlRPh4lBoe6I5QmrD+Uj
INkCVrwOWBHW3a2EEUKxEEPd1OkMzZfehK8hO9Wg8xvhOEgFPPvXv12m52qVYOg=
=QjtP
-----END PGP SIGNATURE-----
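The "only your own network may recurse" rule above maps directly onto a resolver ACL. The following BIND 9 `named.conf` fragment is an added example, not part of the list post or of any referenced project; the `customers` prefixes are constructed placeholder ranges (RFC 5737 / RFC 3849 documentation space) standing in for an ISP's actual customer allocations. The first block is the open-resolver setting, the second is the restricted one the post describes.

```conf
// --- Weak: an open resolver. Anyone on the Internet can ask this
// server to recurse and to read its cache (usable for amplification).
options {
    recursion yes;
    allow-recursion { any; };
    allow-query-cache { any; };
};

// --- Corrected: recursion and cache reads only for the ISP's own
// address space. Everyone else gets REFUSED for recursive queries.
acl "customers" {
    127.0.0.1;          // the host itself
    ::1;
    203.0.113.0/24;     // constructed placeholder: customer IPv4 range
    198.51.100.0/24;    // constructed placeholder: second IPv4 range
    2001:db8::/32;      // constructed placeholder: customer IPv6 range
};

options {
    recursion yes;
    allow-recursion   { customers; };   // who may ask us to recurse
    allow-query-cache { customers; };   // who may read cached answers
    // allow-query is left at its default so the server can still
    // answer non-recursively for any zones it is authoritative for.
};
```

After reloading, verify from an address outside the ACL that a recursive query (RD set) comes back REFUSED rather than answered, and from inside the ACL that it still resolves; the ACL only restricts recursion and cache access, so authoritative answers for hosted zones are unaffected.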
