Adding records to a domain I don't control for anyone who uses my nameserver

Alan Clegg Alan_Clegg at isc.org
Tue Mar 3 13:16:05 UTC 2009


>> Spoofing the DNS zones is the only solution.

> Why not use your own XMPP server, one that you control and where you can
> activate logging?

Actually, in a previous lifetime, we discovered that the MOST effective
way to deal with this was to write it into the policy and procedures
manual and make sure that everyone signs a copy of the manual with full
understanding of the rules and why they are in place.

Monitor for a bit (with no blocking in place so that
fallback-to-hidden-protocol doesn't happen), warn the folks that were
"doing it", then, after a month, fire the folks that are caught
continuing to break the policy.

As long as you don't enforce the underlying rules, there will always be
someone breaking the rules, working around the system, and all you are
doing is continuously playing catch-up.

I don't like playing cat-and-mouse.

In the current economy, if someone feels that it is important enough to
"chat" with someone at risk of losing their job, you don't need them,
and they will prove to be a risk in some other way before too long anyway.

If it's the CEO/CIO/CFO that continues to break the rules, you are
working for the wrong company -- which, in this economy, leads to an
entirely different set of problems.

AlanC
