[Chugalug] Signing DNS Queries

David White dwrudy at gmail.com
Wed Sep 4 18:43:17 UTC 2013


True, most, if not all, reputable ISPs are already configured to deny DNS
requests from IP addresses that are outside their network. The problem is
that many times, DNS amplification attacks are using spoofed IP addresses.

So the attacker spoofs an IP address, the request hits the resolver, the
resolver responds back to the *real* IP address (home router), and that
home router then sends another response out.

So my idea is, essentially, to add another layer to the "restrict resolvers
to their network only" requirement and add a second degree of verification,
i.e., ensuring that the client making the request to the resolver is who he
says he is.


On Wed, Sep 4, 2013 at 2:08 PM, Dave Brockman <dave at brockmans.com> wrote:

> On 9/4/2013 11:28 AM, David White wrote:
> > Oh, I agree completely - open resolvers are a bad idea to begin
> > with. But so many of them are out there (misconfigured), and major
> > ISPs have them for their customers, that they aren't going away.
>
> Open resolvers were not a bad idea to begin with.  They were essential
> to the functioning of the Internet once it outgrew the InterNIC
> "hosts" file.  Open SMTP relay also played a crucial part in growing
> the Internet.  We geeks are effing awesome at developing technical
> solutions to overcome technical problems.  We are not very good at
> anticipating just how *evil* people are.
>
> A very large percentage of what you are referencing is uber-cheap CPE
> router/modem that enables a DNS resolver on the WAN interface!
>
> ISPs should *ONLY* allow their network(s) to recursively query their
> name servers.  That is not the definition of an open resolver.
>
> There is already movement[1] to identify and close open resolvers.
> Quite a bit of traction has already been made, but we have a long,
> long way to go.
>
> Regards,
>
> dtb
>
> 1. http://openresolverproject.org/
> _______________________________________________
> Chugalug mailing list
> Chugalug at chugalug.org
> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>



-- 
David White
Founder & CEO
Develop CENTS
Computing, Equipping, Networking, Training & Supporting
Nonprofit Organizations Worldwide
http://developcents.com
423-693-4234
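The mechanics discussed in this thread (a small query reflected into a much larger response, and a resolver's "only my network may recurse" check that sees nothing but the source address in the IP header) as an added, self-contained example. This is not code from the thread or from any of its participants; the DNS messages are built by hand, and the name example.com, the 10.0.0.0/8 "ISP network", the 200-byte TXT records and the two source addresses are constructed illustration values, not measurements from any real resolver.

```python
import struct
import ipaddress

# Added example (not from the mailing-list thread). Builds DNS wire-format
# messages by hand so the query/response size ratio can be measured offline.
# All names, addresses and record contents below are constructed for illustration.


def encode_name(name):
    """Encode a dotted name as DNS labels: length-prefixed labels, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=255, txid=0x1234, edns_bufsize=4096):
    """Query for <name> of the given type (255 = ANY) carrying an EDNS0 OPT record
    that advertises a large UDP payload size. This is the shape of query that makes
    a resolver willing to send a large answer over UDP in a single datagram."""
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT pseudo-RR: root name, TYPE=41, CLASS=advertised UDP size, TTL=0, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def build_response(query, answers):
    """Answer `query` with one TXT record per entry in `answers` (each a bytes value
    of at most 255 bytes). Copies the question section and uses a name pointer
    (0xC00C -> offset 12) for each owner name, as real servers do."""
    (txid,) = struct.unpack("!H", query[:2])
    qd_end = query.index(b"\x00", 12) + 1 + 4  # end of the QNAME, then QTYPE + QCLASS
    question = query[12:qd_end]
    # Flags 0x8180: QR (response), RD, RA
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    rrs = b""
    for txt in answers:
        rdata = bytes([len(txt)]) + txt  # TXT RDATA: one <character-string>
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 3600, len(rdata)) + rdata
    return header + question + rrs


def amplification_factor(query, response):
    """Bytes the reflector sends per byte the attacker has to send."""
    return len(response) / len(query)


def allowed_to_recurse(src_ip, allowed_nets):
    """The 'restrict recursion to our own network' check. All it has to go on is
    the source address from the IP header, so a datagram forged to carry an
    in-network address passes exactly like a genuine customer query would."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in nets)


def demo():
    """Constructed scenario: a 40-byte ANY query answered with ten 200-byte TXT
    records. Returns (query_len, response_len, amplification_factor)."""
    q = build_query("example.com")
    r = build_response(q, [b"A" * 200] * 10)
    return len(q), len(r), amplification_factor(q, r)


if __name__ == "__main__":
    qlen, rlen, factor = demo()
    print(f"query {qlen} bytes, response {rlen} bytes, amplification {factor:.1f}x")
    isp_nets = ["10.0.0.0/8"]  # assumed ISP customer range for the illustration
    for src in ("10.20.30.40", "198.51.100.7"):
        verdict = "recursion allowed" if allowed_to_recurse(src, isp_nets) else "refused"
        print(f"source {src}: {verdict}")
```

Running it shows the two halves of the argument above: the response is roughly fifty times the size of the query, and the network-membership check cannot distinguish a forged 10.20.30.40 from a real one, which is why a source-address filter alone leaves in-network reflection (through CPE that answers DNS on its WAN side, for instance) open. The second check the first message proposes would have to bind the query to something the spoofer does not have, not just to an address.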