On Sun, Dec 6, 2009 at 5:30 PM, Danny McPherson <danny@tcb.net> wrote:

> I think one of the things that concerns me most with Google validating and jumping on the DNS "open resolver" bandwagon is that it'll force more folks (ISPs, enterprises and end users alike) to leave DNS resolver IP access wide open. Malware already commonly changes DNS resolver settings to rogue resolvers, and removes otherwise resident malcode from the end system to avoid detection by AV and the like.
>
> One of the primary recommendations I give to enterprises is to force use of internal resolvers, and log all other attempted DNS resolution queries elsewhere; it's a quick way to detect some compromised systems.
>
> [...]
Indeed -- as this is exactly what we have seen, as discussed in the good white paper by Antoine Schonewille and Dirk-Jan van Helmond in 2006 (I've used this paper as a reference many times), "The Domain Name Service as an IDS: How DNS can be used for detecting and monitoring badware in a network":

http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf

- ferg

-- 
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
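The detection Danny describes (force clients onto internal resolvers, then log every attempt to reach some other resolver) can be checked against firewall logs with a short script. The following is an added example, not part of the list message or the cited paper: the log format, the resolver allow-list and the sample lines are all constructed for illustration, and the action field (ALLOW/DENY) is deliberately ignored because a blocked attempt is just as much of a signal as a permitted one.

```python
import ipaddress
from collections import defaultdict

# Hypothetical allow-list: the enterprise's own internal resolvers.
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed firewall log lines in a made-up syslog-like format
# (not the output of any real device).
SAMPLE_LOG = """\
2009-12-06T17:31:02 fw1 ALLOW udp 10.1.4.20:51234 -> 10.0.0.53:53
2009-12-06T17:31:05 fw1 DENY udp 10.1.4.77:40001 -> 198.51.100.9:53
2009-12-06T17:31:06 fw1 DENY udp 10.1.4.77:40002 -> 198.51.100.9:53
2009-12-06T17:31:09 fw1 DENY tcp 10.1.4.77:40003 -> 203.0.113.5:53
2009-12-06T17:31:11 fw1 ALLOW udp 10.1.4.21:51300 -> 10.0.1.53:53
2009-12-06T17:31:15 fw1 DENY udp 10.1.9.3:33000 -> 203.0.113.5:53
"""

def parse_line(line):
    """Return (src_ip, dst_ip, dst_port, proto), or None if the line does not fit the format."""
    parts = line.split()
    if len(parts) != 7 or parts[5] != "->":
        return None
    src_ip = parts[4].rsplit(":", 1)[0]
    dst_ip, dst_port = parts[6].rsplit(":", 1)
    return src_ip, dst_ip, int(dst_port), parts[3]

def find_external_dns_clients(log_text, internal_resolvers=INTERNAL_RESOLVERS):
    """Map each internal host to the set of non-approved resolvers it tried to reach on port 53.

    Hosts that show up here either have a misconfiguration or, as the thread
    notes, may have had their resolver settings changed by malware.
    """
    findings = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port, proto = rec
        if port != 53 or proto not in ("udp", "tcp"):
            continue
        if dst in internal_resolvers:
            continue  # sanctioned resolver, nothing to report
        if not ipaddress.ip_address(src).is_private:
            continue  # only traffic from internal clients is of interest here
        findings[src].add(dst)
    return dict(findings)

if __name__ == "__main__":
    for host, resolvers in sorted(find_external_dns_clients(SAMPLE_LOG).items()):
        print(f"{host}: tried non-internal resolvers {sorted(resolvers)}")
```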