DNS proxy
/dev/rob0
rob0 at gmx.co.uk
Wed Oct 5 18:46:12 UTC 2005
On Wednesday 2005-October-05 07:41, Ray Wallace wrote:
> original query. What will be the impact if the DoD was to inject a
> DNS proxy server between the local servers and the root-level
> servers? This would help obfuscate some of the queries that traverse
> the public Internet helping to improve our OPSEC. It would also allow
> us to add domains to this "proxy" server that route to 127.0.0.1.
> Null routing domains that are known to proliferate spam, spyware,
> other malware, or are just deemed "undesirable" would help prevent
> the spread of spyware and other maladies and increase in available
Hi Ray, and welcome to the list. Dot-mil DNS problems have been
discussed here before. At the time I said that you guys were trying
something funny. IIRC it was navy.mil, and queries worked for most of
us, but a poster in Bosnia (195.222.32.0/21) was not getting through.
This thread was in June, "Subject: problem with resolving SOME EXTERNAL
domains", if you care to look into it.
Your question here lends credence to my theory.
> bandwidth for mission related traffic. Would this work? What are you
> expert opinions on the pros/cons of doing something like this?
I don't think I'm an expert, although I do have some hands-on practice
in the wars against spam and spyware (same war, really).
What I have done at my largest site is to claim authority for a small
group of known bad domains. It works beautifully, to some extent, but
it definitely does not end the war. Spammers are registering domains by
the thousands while I block 2-3. I can only react after the fact. We do
block direct outbound SMTP, and impose rate limiting on clients
connecting to our mail submission service.
I'm no fan of security through obscurity, although I am well aware in
this climate of technical incompetence there are few attackers capable
of or willing to do the work to overcome a bit of obscurity. That's a
value judgment.
You can't make a silk purse out of a sow's ear. You can't make a MS
Windows desktop secure. There's only one answer, and that is to get
away from fundamentally insecure platforms. But of course a gov't
entity is controlled by politicians who are in turn controlled by the
highest bidder, and we can bet in the computing field that bidder is
Microsoft.
A technically-savvy user of Windows (there are some, I hear! :) ) can
avoid most if not all ratware simply by not doing stupid things. It's
primarily a social engineering issue. But (if you'll pardon yet another
colloquialism) the DoD can lead their horses to water, but they cannot
make them think ... no matter how many seminars you make them sleep
through.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
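One way to set up what rob0 describes, claiming authority for a short list of known-bad domains so that every name under them resolves to 127.0.0.1, as an added example that is not from the post or from BIND's own documentation: a POSIX shell script that writes a reusable sinkhole zone file and the matching named.conf stanzas. The domain names, nameserver name and file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate a BIND "sinkhole" zone file plus one named.conf zone
# stanza per blocked domain, so every name under them answers 127.0.0.1.
# Domain names, nameserver name and paths are constructed placeholders.
set -eu

# write_sinkhole_zone FILE NSNAME: zone file written with "@" for the apex, so the
# same file can be loaded for any number of zones; the wildcard catches subdomains.
write_sinkhole_zone() {
    cat > "$1" <<EOF
\$TTL 300
@   IN SOA $2 hostmaster.$2 (
            $(date +%Y%m%d)01 ; serial
            3600              ; refresh
            600               ; retry
            86400             ; expire
            300 )             ; negative-cache TTL, kept short so unblocking is fast
@   IN NS  $2
@   IN A   127.0.0.1
*   IN A   127.0.0.1
EOF
}

# print_zone_stanzas DOMAIN...: one "type master" stanza per domain, all pointing
# at $ZONE_FILE; include the output from named.conf to claim authority locally.
print_zone_stanzas() {
    for d in "$@"; do
        printf 'zone "%s" {\n    type master;\n    file "%s";\n};\n' "$d" "$ZONE_FILE"
    done
}

# Demo run in a scratch directory; point ZONE_FILE at the real path in production.
OUT="$(mktemp -d)"
ZONE_FILE="$OUT/db.sinkhole"
write_sinkhole_zone "$ZONE_FILE" ns1.resolver.example.
print_zone_stanzas bad-domain.example another-bad.example > "$OUT/named.conf.sinkhole"
# Validate once with BIND's checker when it is installed (one file serves every zone).
if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone bad-domain.example "$ZONE_FILE"
fi
echo "wrote $ZONE_FILE and $OUT/named.conf.sinkhole"
```

After the generated stanza file is included from named.conf, `rndc reconfig` loads the new zones without restarting the server. As rob0 notes, this only stops domains you already know about, so the list needs feeding from mail and proxy logs as new ones appear.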