IN TXT & NULL trash records

Paul Vixie paul at
Thu Nov 22 20:47:32 UTC 2018

ѽ҉ᶬḳ℠ via Unbound-users wrote:
> Thanks for the elaboration. It would be cool indeed if the resolver
> would be able to detect anomalies in DNS traffic (and deploy counter
> measures) but suppose that is beyond the realm/scope of a resolver ...

The caching recursive name server remains an excellent control point for 
network, user, and application security. However, instrumentation 
(something like 'dnstap') and control (something like DNS RPZ) are best 
externalized through standard APIs (something like DNS RPS) so that the 
logic of detecting and controlling unwanted or dangerous DNS content or 
traffic can be competitive, transparent, and multi-vendor.

See the attached pencil diagram.

> and left to tools dealing with packet/payload inspection/analyses,
> notwithstanding the DoH traffic you mentioned.

DoH, by offering malware an over-the-top path to DNS content which can 
be neither filtered nor controlled by a network operator, will have to 
be widely blocked by enterprise and SOHO networks. This will sometimes 
take the form of whitelisting, other times blacklisting, often HTTPS 
MITM, wider deployment of SOCKS, and more restricted BYOD policies. So, 
that game is beginning, but the old game is still going. Neither the 
attackers nor the defenders will ever say, "ok ok, you've changed the 
rules, i guess i'll give up and do things your way now."

P Vixie
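As an added illustration of the "instrumentation plus externalized control" pattern Vixie describes (resolver as control point, dnstap-style query events on one side, RPZ-style policy on the other), here is a small Python model of RPZ QNAME-trigger evaluation run over a few dnstap-like query records. This is example code written for this page; it is not code from the original post, from Unbound, or from any RPZ/RPS implementation. It assumes a simplified zone syntax (`owner CNAME target`, owner names relative to the policy zone), a simplified precedence rule (exact owner first, then the nearest matching wildcard), and constructed RFC 2606 sample names for both the policy and the query log; the `doh.example.net` entry stands in for the kind of DoH endpoint an operator might choose to deny at the resolver.

```python
"""RPZ-style QNAME policy applied to dnstap-style query events (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample policy zone (not real blocklist data). Owner names are
# relative to the policy zone; e.g. "doh.example.net" stands for
# doh.example.net.<policy-zone>. Only the CNAME encodings of RPZ are modelled.
SAMPLE_RPZ_ZONE = """
; QNAME triggers, constructed for this example
doh.example.net            CNAME .                     ; NXDOMAIN
*.doh.example.net          CNAME .                     ; NXDOMAIN for subdomains too
telemetry.example.org      CNAME *.                    ; NODATA
*.example.org              CNAME rpz-drop.             ; drop everything else under example.org
allowed.example.org        CNAME rpz-passthru.         ; ... except this name
bad.example.com            CNAME sinkhole.example.net. ; local data: walled garden
"""

# Constructed dnstap-like query records: "client qname qtype".
SAMPLE_QUERIES = """
192.0.2.10 doh.example.net A
192.0.2.10 www.doh.example.net A
192.0.2.11 telemetry.example.org AAAA
192.0.2.11 allowed.example.org A
192.0.2.12 other.example.org A
192.0.2.12 bad.example.com A
192.0.2.13 www.example.com A
"""

# RPZ encodes the action in the CNAME target; anything else is local data.
ACTION_BY_TARGET = {".": "NXDOMAIN", "*.": "NODATA",
                    "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so lookups are case-insensitive."""
    return name.strip().rstrip(".").lower()


def parse_rpz_zone(text: str) -> dict:
    """Parse 'owner CNAME target' lines (comments after ';') into a rule table."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "CNAME":
            raise ValueError(f"unsupported RPZ record: {line!r}")
        rules[normalize(parts[0])] = parts[2]  # target kept verbatim
    return rules


def lookup(rules: dict, qname: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (trigger, target): exact owner first, then nearest wildcard ancestor.
    A wildcard '*.example.org' matches names under example.org but not the apex."""
    name = normalize(qname)
    if name in rules:
        return name, rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in rules:
            return wild, rules[wild]
    return None, None


def decide(rules: dict, qname: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Map a query name to (action, trigger, target); no trigger means pass through."""
    trigger, target = lookup(rules, qname)
    if trigger is None:
        return "PASSTHRU", None, None
    return ACTION_BY_TARGET.get(target, "LOCAL-DATA"), trigger, target


@dataclass
class Event:
    client: str
    qname: str
    qtype: str
    action: str
    trigger: Optional[str]


def apply_policy(rules: dict, log_text: str) -> List[Event]:
    """Evaluate every query record against the policy; the instrumentation side."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype = line.split()
        action, trigger, _target = decide(rules, qname)
        events.append(Event(client, normalize(qname), qtype, action, trigger))
    return events


def hits(events: List[Event]) -> List[Event]:
    """Only the events on which policy changed the answer (what an operator reviews)."""
    return [e for e in events if e.action != "PASSTHRU"]


if __name__ == "__main__":
    policy = parse_rpz_zone(SAMPLE_RPZ_ZONE)
    for e in hits(apply_policy(policy, SAMPLE_QUERIES)):
        print(f"{e.client} {e.qname} {e.qtype} -> {e.action} (trigger {e.trigger})")
```

The point of splitting `apply_policy` (event stream) from `decide` (policy) is the one the post makes: the resolver emits events and enforces answers, while the rule table can come from any vendor's feed. Note the apex behaviour: `*.example.org` does not match `example.org` itself, so a separate non-wildcard rule is needed if the apex should also be covered.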

-------------- next part --------------
A non-text attachment was scrubbed...
Name: IMG_20180801_163350 (1).jpg
Type: image/jpeg
Size: 3271962 bytes
Desc: not available