Hello Anton, > This is feasible only for corporate networks where the allocations > are constant and change once in a few years. > > It is not feasible in any ISP/Telco above a certain size. In fact, > considering the consolidation over the recent years it is not feasible > for most ISPs or Telcos. > > In an ISP you will have to provision and reprovision the > nameserver ACLs on a daily basis to match your current customer > allocations and reload it like there is no tomorrow. One mistake in > provisioning and you will have a large chunk of customers shouting > down the support line why their internet does not work. It becomes > even more entertaining if you use RFC3258 or clustering to load > balance DNS traffic. In that case you often end up with a lottery > where one server replies, other servers deny or vice versa. Debugging > that is even more entertaining. Frankly, expecting any large ISP to > deploy anything like this is not realistic. Are you sure this difficulty is due to the real problem at hand, or due to poorly designed/implemented software to manage DNS? Leaving a single ISP's recursive resolution open to the world is a minor disservice to the Internet community, but a *major* disservice to it's own customers. Cache poisoning really isn't that hard when you can dictate which records you want to poison and when you want to do it, from the outside. Especially with certain softwares' lack of source port randomization. An attacker can just wait until the next time a remotely exploitable IE hole comes out and then poison the records of a popular website, and *bam* your users are 0wned. > Using QoS to limit queries coming from the outside world can be > done in a manner where it does not require any extra provisioning and > modification to the nameserver config. On top of that, for most well > designed large ISP/Telco DNS server deployments this is just a simple > config change. Once it has been rolled out it maintains itself. After > all, if your customers have no network access having or not having DNS > is largely irrelevant. Um... I guess I'm missing something. If it isn't difficult to limit _recursive_ query rates from the outside world, how would it be difficult to disallow them? This seems like an artifical limitation of the DNS software in use. With that said, I've never ran a very large DNS infrastructure, but I do know there's a lot of terrible DNS software out there... cheers, tim
Attachment:
signature.asc
Description: Digital signature