Gadi Evron wrote:
People are suggesting it become the rule because nobody is trying
anything else.
I was with you up to this sentence. Obviously avoiding the core is key,
but should we not have the capability of preventing abuse in the core
rather than mitigating it there? Allowing NS changes with no other
verification or limitation is silly IMO, but I am unsure if it is
relevant as a solution?
And who is nobody and why doesn't he try something else? That is a bit
insulting to nobody. :)
Putting that aside, what do you think nobody should try at
the edge?
People should try putting the intelligence that we have into software
and hardware. Why can't we put Gadi into an edge device?
I say this tongue-in-cheek, but am a bit serious. You (Gadi) are very
good at looking at interesting trends and more than saying it's a
problem, you are able to come up with a report like the botnet rat-out
reports. We know who the C&Cs are. We know who the compromised drones
are. We know all of this. Today.
But very few people (okay, not nobody) are saying, "Hey, why should I
allow that compromised Windows box that has never sent me an MX request
before all of a sudden be able to request 10,000 MX records across my
resolvers?" "Why am I resolving a domain name that was just added into
the DNS an hour ago but has already changed NS servers 50 times?"
These questions, and more (but I'm biased to DNS), can be solved at the
edge for those who want them. It's decentralized there. It's done the
right way there. It's also doable in a safe and fail-open kind of way.
This is what I'm talking about.
After all, nobody's security being affected by the edge of some end-user
machine on the other side of the world is irrelevant to my edge
security. FUSSP.
DNS abuse is mostly not an edge issue.
I disagree. DNS is the enabler for many, many issues which are edge
issues. (Botnets, spam, etc.)
-David Ulevitch
Gadi.