DNS proxy

/dev/rob0 rob0 at gmx.co.uk
Wed Oct 5 18:46:12 UTC 2005


On Wednesday 2005-October-05 07:41, Ray Wallace wrote:
> original query. What will be the impact if the DoD was to inject a
> DNS proxy server between the local servers and the root-level
> servers? This would help obfuscate some of the queries that traverse
> the public Internet helping to improve our OPSEC. It would also allow
> us to add domains to this "proxy" server that route to 127.0.0.1.
> Null routing domains that are known to proliferate spam, spyware,
> other malware, or are just deemed "undesirable" would help prevent
> the spread of spyware and other maladies and increase in available

Hi Ray, and welcome to the list. Dot-mil DNS problems have been 
discussed here before. At the time I said that you guys were trying 
something funny. IIRC it was navy.mil, and queries worked for most of 
us, but a poster in Bosnia (195.222.32.0/21) was not getting through. 
This thread was in June, "Subject: problem with resolving SOME EXTERNAL 
domains", if you care to look into it.

Your question here lends credence to my theory.

> bandwidth for mission related traffic. Would this work? What are your
> expert opinions on the pros/cons of doing something like this?

I don't think I'm an expert, although I do have some hands-on practice 
in the wars against spam and spyware (same war, really.)

What I have done at my largest site is to claim authority for a small 
group of known bad domains. It works beautifully, to some extent, but 
it definitely does not end the war. Spammers are registering domains by 
the thousands while I block 2-3. I can only react after the fact. We do 
block direct outbound SMTP, and impose rate limiting on clients 
connecting to our mail submission service.

I'm no fan of security through obscurity, although I am well aware in 
this climate of technical incompetence there are few attackers capable 
of or willing to do the work to overcome a bit of obscurity. That's a 
value judgment.

You can't make a silk purse out of a sow's ear. You can't make a MS 
Windows desktop secure. There's only one answer, and that is to get 
away from fundamentally insecure platforms. But of course a gov't 
entity is controlled by politicians who are in turn controlled by the 
highest bidder, and we can bet in the computing field that bidder is 
Microsoft.

A technically-savvy user of Windows (there are some, I hear! :) ) can 
avoid most if not all ratware simply by not doing stupid things. It's 
primarily a social engineering issue. But (if you'll pardon yet another 
colloquialism) the DoD can lead their horses to water, but they cannot 
make them think ... no matter how many seminars you make them sleep 
through.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
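As an added illustration (not part of the original post or of anything rob0 or Ray published), here is a small shell generator for the kind of BIND setup rob0 describes above: the resolver claims authority for a short list of known-bad domains and answers every name under them with 127.0.0.1, so those queries never leave the site. The domain names, file locations and the `hostmaster.localhost.` contact are constructed placeholders; the `named-checkzone` call assumes BIND's tools are installed and is skipped otherwise.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates a BIND "sinkhole":
# one shared zone file plus a named.conf fragment that declares each listed
# domain as a master zone served from that file. All names are placeholders.
set -eu

# Write one shared zone file. Every sinkholed zone can reuse it because the
# records use "@" (the zone apex) and "*" (wildcard) instead of absolute names.
write_sinkhole_zonefile() {
    zonefile="$1"
    cat > "$zonefile" <<'EOF'
$TTL 3600
@       IN  SOA   localhost. hostmaster.localhost. (
                  2005100501 ; serial
                  3600       ; refresh
                  900        ; retry
                  604800     ; expire
                  300 )      ; negative-cache TTL
@       IN  NS    localhost.
@       IN  A     127.0.0.1
*       IN  A     127.0.0.1
EOF
}

# Emit a named.conf fragment with one "type master" stanza per domain.
# Usage: write_sinkhole_conf OUTFILE ZONEFILE DOMAIN...
write_sinkhole_conf() {
    out="$1"; zonefile="$2"; shift 2
    : > "$out"
    for domain in "$@"; do
        printf 'zone "%s" IN {\n    type master;\n    file "%s";\n    allow-update { none; };\n};\n\n' \
            "$domain" "$zonefile" >> "$out"
    done
}

# Validate the zone file with named-checkzone when it is installed; otherwise
# say so and carry on, so the demo also runs on hosts without BIND.
check_sinkhole_zone() {
    domain="$1"; zonefile="$2"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$domain" "$zonefile"
    else
        echo "named-checkzone not installed; skipping syntax check" >&2
    fi
}

# Number of zone stanzas in a generated fragment (one per sinkholed domain).
count_sinkhole_zones() {
    grep -c '^zone "' "$1"
}

# Demo run with constructed placeholder domains under the reserved .invalid TLD.
workdir="${TMPDIR:-/tmp}/sinkhole-demo.$$"
mkdir -p "$workdir"
write_sinkhole_zonefile "$workdir/db.sinkhole"
write_sinkhole_conf "$workdir/sinkhole.conf" "$workdir/db.sinkhole" \
    spam-example.invalid spyware-example.invalid
check_sinkhole_zone spam-example.invalid "$workdir/db.sinkhole"
cat "$workdir/sinkhole.conf"
```

Include the generated fragment from named.conf (for example with an `include` statement) and reload named; from then on `anything.spam-example.invalid` resolves to 127.0.0.1 for clients that use this resolver. Two practical points follow from rob0's own caveats: the list only helps if clients cannot bypass the resolver (blocking direct outbound port 53, as the site already does for SMTP), and turning on query logging for the sinkholed zones gives a cheap detection signal, since a host repeatedly asking for a sinkholed name is worth a look. Newer BIND releases (9.8 and later) provide response-policy zones for the same purpose with less per-domain configuration.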
