-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, Dec 6, 2009 at 5:30 PM, Danny McPherson <[email protected]> wrote:

>
> I think one of the things that concerns me most with Google
> validating and jumping on the DNS "open resolver" bandwagon
> is that it'll force more folks (ISPs, enterprises and end
> users alike) to leave DNS resolver IP access wide open.
> Malware already commonly changes DNS resolver settings to
> rogue resolvers, and removes otherwise resident malcode from
> the end system to avoid detection by AV and the like.
>
> One of the primary recommendations I give to enterprises is to
> force use of internal resolvers, and log all other attempted
> DNS resolution queries elsewhere; it's a quick way to detect
> some compromised systems.

[...]

Indeed -- as this is exactly what we have seen, as discussed in the good white paper by Antoine Schonewille and Dirk-Jan van Helmond in 2006 (I've used this paper as a reference many times), "The Domain Name Service as an IDS: How DNS can be used for detecting and monitoring badware in a network":

http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFLHFxJq1pz9mNUZTMRAti9AKDYQalIoQ5aHDjsRzU9bz6ulxVLUwCePYbW
v3KSVdE37Uyz/GXhC0dhaA0=
=K0HW
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
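The recommendation quoted above (force clients onto internal resolvers, log everything that tries to resolve elsewhere, and treat the loggers as a cheap IDS) in working form, as an added example that is not code from either poster or from the cited paper. It assumes a Linux gateway whose firewall logs blocked port-53 traffic with an iptables LOG rule (the rules in the docstring are an assumption, not from the thread), a hypothetical pair of sanctioned internal resolvers, and a constructed set of kernel log lines standing in for real traffic. The interesting output is the host that keeps going back to one outside server, which is what a changed resolver setting looks like from the edge.

```python
"""Find hosts that bypass the internal resolvers, from firewall LOG lines.

Added example for the thread above; not the posters' or the paper's code.
Assumed gateway policy (iptables syntax, not from the thread):

    iptables -A FORWARD -p udp --dport 53 -d 10.0.0.53 -j ACCEPT
    iptables -A FORWARD -p udp --dport 53 -d 10.0.0.54 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 53 -d 10.0.0.53 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 53 -d 10.0.0.54 -j ACCEPT
    iptables -A FORWARD -p udp --dport 53 -j LOG --log-prefix "DNS-LEAK: "
    iptables -A FORWARD -p tcp --dport 53 -j LOG --log-prefix "DNS-LEAK: "
    iptables -A FORWARD -p udp --dport 53 -j DROP
    iptables -A FORWARD -p tcp --dport 53 -j DROP
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Hypothetical internal resolvers that every client is supposed to use.
ALLOWED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

# Constructed sample of kernel LOG output (not real traffic). Host 10.0.5.17
# repeatedly hits one outside server over UDP and TCP; 10.0.5.42 sends a
# single stray query; the last line is unrelated HTTPS and must be ignored.
SAMPLE_LOG = """\
Dec  6 17:31:02 gw kernel: DNS-LEAK: IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4001 DF PROTO=UDP SPT=51234 DPT=53 LEN=40
Dec  6 17:31:02 gw kernel: DNS-LEAK: IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4002 DF PROTO=UDP SPT=51235 DPT=53 LEN=40
Dec  6 17:31:03 gw kernel: DNS-LEAK: IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4003 DF PROTO=UDP SPT=51236 DPT=53 LEN=40
Dec  6 17:31:05 gw kernel: DNS-LEAK: IN=eth1 OUT=eth0 SRC=10.0.5.42 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4010 DF PROTO=UDP SPT=40001 DPT=53 LEN=40
Dec  6 17:31:09 gw kernel: DNS-LEAK: IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4004 DF PROTO=TCP SPT=51300 DPT=53 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  6 17:31:11 gw kernel: OTHER: IN=eth1 OUT=eth0 SRC=10.0.5.99 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4020 DF PROTO=TCP SPT=51400 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# iptables LOG lines are a run of KEY=VALUE tokens; flags like DF or SYN
# have no '=' and are skipped by this pattern.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the KEY=VALUE fields of one line, or None if it is not a DNS flow."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("DPT") != "53" or "SRC" not in fields or "DST" not in fields:
        return None
    return fields


def find_rogue_dns(log_text: str, allowed=ALLOWED_RESOLVERS) -> Dict[str, Counter]:
    """Map each internal source host to a Counter of outside resolvers it tried.

    Port-53 flows to the sanctioned resolvers are the expected path and are
    dropped from the result; everything else is a bypass attempt.
    """
    hits: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None or f["DST"] in allowed:
            continue
        hits[f["SRC"]][f["DST"]] += 1
    return dict(hits)


def suspect_hosts(hits: Dict[str, Counter], min_queries: int = 3) -> List[Tuple[str, str, int]]:
    """Hosts that keep returning to one non-sanctioned resolver.

    One stray query may be a misconfigured laptop; a host whose queries all go
    to the same outside server looks like a rewritten resolver setting, the
    malware behaviour described in the quoted message. Returns
    (src, resolver, count) sorted by count, highest first.
    """
    out = []
    for src, counter in hits.items():
        dst, n = counter.most_common(1)[0]
        if n >= min_queries:
            out.append((src, dst, n))
    return sorted(out, key=lambda t: -t[2])


if __name__ == "__main__":
    for src, dst, n in suspect_hosts(find_rogue_dns(SAMPLE_LOG)):
        print(f"{src} -> {dst}: {n} DNS attempts bypassing the internal resolvers")
```

The threshold in `suspect_hosts` is deliberately low; on a real network the single-query hosts are still worth a look (a DHCP client that never picked up the internal resolvers, or a VPN split-tunnel), but the host pinned to one outside server is the one to image first. Logging before dropping, rather than only dropping, is the whole point: a silent DROP hides exactly the signal the quoted recommendation wants to keep.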

