IN TXT & NULL trash records
Paul Vixie
paul at redbarn.org
Thu Nov 22 20:47:32 UTC 2018
ѽ҉ᶬḳ℠ via Unbound-users wrote:
> Thanks for the elaboration. It would be cool indeed if the resolver
> would be able to detect anomalies in DNS traffic (and deploy
> countermeasures) but suppose that is beyond the realm/scope of a resolver ...
the caching recursive name server remains an excellent control point for
network, user, and application security. however, instrumentation
(something like 'dnstap') and control (something like DNS RPZ) are best
externalized through standard APIs (something like DNS RPS) so that the
logic of detecting and controlling unwanted or dangerous DNS content or
traffic can be competitive, transparent, and multi-vendor.
see the attached pencil diagram.
> and left to tools dealing with packet/payload inspection/analyses,
> notwithstanding the DoH traffic you mentioned.
DoH, by offering malware an over-the-top path to DNS content which can
be neither filtered nor controlled by a network operator, will have to
be widely blocked by enterprise and SoHo networks. this will sometimes
take the form of whitelisting, other times blacklisting, often HTTPS
MiTM, wider deployment of SOCKS, and more restricted BYOD policies. so,
that game is beginning, but the old game is still going. neither the
attackers nor the defenders will ever say, "ok ok, you've changed the
rules, i guess i'll give up and do things your way now."
--
P Vixie
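As an added illustration of the "control" layer the reply refers to (not code from this thread, from Unbound, or from any RPZ implementation): a small Python evaluator of DNS RPZ QNAME-trigger semantics, where the most specific owner wins, a wildcard owner covers subdomains, and the CNAME target encodes the action. The policy table and query names are constructed placeholders.

```python
from typing import Dict, List, Optional, Tuple

# Constructed policy table keyed by owner name (written fully qualified).
# The hostnames are placeholders, not real resolver or DoH endpoints.
POLICY: Dict[str, str] = {
    "doh.example.": ".",                            # CNAME .            -> NXDOMAIN
    "*.doh.example.": ".",                          # wildcard covers subdomains only
    "api.doh.example.": "rpz-passthru.",            # exact name beats the wildcard
    "ads.example.": "*.",                           # CNAME *.           -> NODATA
    "c2.example.": "rpz-drop.",                     # CNAME rpz-drop.    -> DROP
    "sinkhole.example.": "walled-garden.example.",  # any other target   -> LOCAL-DATA
}

# RPZ encodes the policy action in the CNAME target of the trigger record.
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA",
           "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}


def normalize(name: str) -> str:
    """Lower-case and fully qualify; DNS name comparison is case-insensitive."""
    return name.strip().lower().rstrip(".") + "."


def lookup(qname: str, policy: Dict[str, str] = POLICY) -> Optional[Tuple[str, str, str]]:
    """Return (matched owner, action, target) for a QNAME trigger, or None."""
    q = normalize(qname)
    labels = q.split(".")  # trailing "" stands for the root
    # Most specific first: the exact name, then a wildcard at each ancestor
    # ("*.b.c." before "*.c."), so a closer rule always wins.
    candidates = [q] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    for owner in candidates:
        if owner in policy:
            target = policy[owner]
            return owner, ACTIONS.get(target, "LOCAL-DATA"), target
    return None


def apply_policy(qnames: List[str]) -> List[Tuple[str, str]]:
    """Map each queried name to the action the resolver would take."""
    out = []
    for q in qnames:
        hit = lookup(q)
        out.append((q, hit[1] if hit else "ALLOW"))
    return out


if __name__ == "__main__":
    # Constructed sample queries, as a dnstap-style feed might supply them.
    sample = ["DOH.example", "x.y.doh.example", "api.doh.example", "good.example"]
    for q, action in apply_policy(sample):
        print(f"{q:20s} -> {action}")
```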