CVE-2012-1033 (Ghost domain names) mitigation

michoski michoski at cisco.com
Thu Feb 9 18:37:08 UTC 2012


On 2/9/12 9:43 AM, "Lyle Giese" <lyle at lcrcomputer.net> wrote:
> This is just my opinion, but this is not a bug.  It's the side effect of
> a desirable feature called caching.
> 
> Yea, we can brainstorm how to mitigate the effect, but in order to
> mitigate a problem, we have to know that there is a problem (revoked or
> bad domain).
> 
> 1) How would we (as DNS server operators) know when a domain name is
> revoked? (Gee sounds like what the US government wants to do and it
> seems the community does not like that idea and I agree it's a bad idea
> to put the US DHS in charge of that list.)

+1 on less government (note: that doesn't mean lack of regulation, but it
should be community driven IMCO).

It really seems we need a "revoked domains" feed that could be used with RPZ
to implement the desired local policy (or not, choice rocks).  Obviously
this would need to be hosted somewhere like other DNSBLs, but would also
need a well defined mechanism (simple web services API?) for registrars to
submit data...and then, of course, there's the issue of participation.

That said, this isn't a threat to the DNS servers themselves...  the main
concern is that someone could maintain a revoked domain and possibly
redirect folks there.  Controlling access to "bad" domains, revoked or not,
may be better accomplished by having local protection (think web proxy/AV
scanning with 0-day signatures) that reduces the impact "rogue" domains
could have on your organization.

-- 
Work is the curse of the drinking classes.
        -- Mike Romanoff
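The "revoked domains feed used with RPZ" idea above, worked through as an added example that is not from this message or from the bind-users list: a small script that reads a feed of revoked domain names and renders a BIND Response Policy Zone that returns NXDOMAIN (or another RPZ action) for each name and its subdomains. The feed format, the zone name rpz.local, the sample domains and the hostnames in the SOA record are all assumptions made for the example; the RPZ trigger syntax (CNAME ., CNAME *., CNAME rpz-passthru.) is standard BIND RPZ.

```python
"""Build a BIND Response Policy Zone (RPZ) from a revoked-domains feed.

Matching named.conf fragment (BIND syntax, assumed paths):
  options { response-policy { zone "rpz.local"; }; };
  zone "rpz.local" { type master; file "/etc/bind/db.rpz.local"; };
"""
import re

# Constructed sample feed (not a real source): one domain per line,
# '#' starts a comment, blank lines are ignored. The third entry is
# deliberately malformed and the last is a duplicate, to show both are dropped.
SAMPLE_FEED = """\
# constructed sample revoked-domains feed
revoked-one.example
REVOKED-TWO.example.
bad label.example
revoked-one.example
"""

# A hostname label: letters, digits, hyphen; no leading/trailing hyphen; <= 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# RPZ policy actions, expressed as the CNAME rdata that triggers them.
RPZ_ACTIONS = {
    "nxdomain": "CNAME .",              # answer NXDOMAIN for the name
    "nodata": "CNAME *.",               # answer NODATA (empty answer)
    "passthru": "CNAME rpz-passthru.",  # explicitly exempt the name
}


def normalize_domain(raw):
    """Lowercase, strip a trailing dot and validate labels; None if invalid."""
    name = raw.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None
    return name


def parse_feed(text):
    """Return the ordered, de-duplicated list of valid domains in a feed."""
    seen, out = set(), []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        name = normalize_domain(line)
        if name is None or name in seen:       # skip malformed and duplicate entries
            continue
        seen.add(name)
        out.append(name)
    return out


def build_rpz_zone(domains, origin="rpz.local", serial=1, action="nxdomain", ttl=300):
    """Render an RPZ zone file applying `action` to each domain and its subdomains.

    Owner names are relative to $ORIGIN, so "revoked-one.example" becomes
    revoked-one.example.rpz.local, which is how RPZ triggers on a QNAME.
    """
    rdata = RPZ_ACTIONS[action]
    lines = [
        f"$ORIGIN {origin}.",
        f"$TTL {ttl}",
        # SOA/NS hostnames are placeholders; a local RPZ is never delegated.
        f"@ IN SOA localhost. hostmaster.localhost. ( {serial} 3600 900 604800 {ttl} )",
        "@ IN NS localhost.",
    ]
    for domain in domains:
        lines.append(f"{domain} IN {rdata}")       # the name itself
        lines.append(f"*.{domain} IN {rdata}")     # everything below it
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rpz_zone(parse_feed(SAMPLE_FEED), serial=2012020901), end="")
```

Re-running the script whenever the feed changes (and bumping the serial) is enough for BIND to pick up the new policy with an `rndc reload`; the choice of action per feed is what makes this "local policy" rather than a global block list.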