On Sun, 1 Apr 2007, Chris L. Morrow wrote:
On Sun, 1 Apr 2007, Paul Vixie wrote:
But, that's the DNS "edge", I'm not ready to see the DNS "core" gain features like this. Or if they do come, I'd like them to come as a result of consensus driven protocol engineering (like inside the IETF) and take longer than "this week" to be defined. I hope this clarifies the incompatibility between me helping dave build ICSS (an edge solution) and me saying that whiting out malware domain names as a way to stop malware isn't a real (core) solution.
Right, ICSS should be used (in your example) as close to the 'edge' as possible... or that's the intent of it, right? Let enterprise folks use these things, they have attentive helpdesk/admin folks to unscrew what the changes in basic plumbing have screwed up :)
I agree with everything else you said, and being the guy who made up the term I believe in using DNS for detecting botnets in enterprise networks, etc. But building a wall to protect your port from attacks by pirates will not make the pirates go away, and unfortunately, we can't convince everybody to build walls and our security is nowadays dependent on others'. Gadi.