Hi,

> On 23 Sep 2020, at 20:27, Michael Richardson <[email protected]> wrote:
>
> Yes, the CPE could look at the DNS queries the device is using, and then
> cache them. Or, when it loads the MUD file, it could do a DNS lookup on all
> the names, and cache them. Then, when the device asks, it is already cached,
> and one can be sure that a known IP/name combination is returned.
> If it does this DNS lookup on a regular basis (updating the MUD ACLs
> implemented in the forwarding plane), then the cache stays warm, and the
> rules are accurate.
>
> This is how our implementation worked.
Either this, or there should be a relationship between the resolver and the AP/switch/firewall/CPE in which appropriate query responses are shared. That might be the better long-term approach.

What is key: in order for protection to work, the infrastructure needs to know (a) what names are authorized and (b) their associated addresses. As important, its understanding must be the same as that of the device that makes the query.

Eliot
_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
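The mechanism discussed in this exchange, as an added example that is not part of the thread or of either author's implementation: a MUD enforcement point (the CPE) extracts the authorized names from a MUD ACL, resolves them itself, programs its filter from those answers, refreshes them periodically to keep the cache warm, and answers the device's own DNS queries from the same cache, so that the device and the filter hold the same name-to-address view. The MUD ACL fragment, the hostnames, the addresses, the TTL and the upstream resolver are all constructed for the demo (the resolver is an in-memory table so the code runs offline); the class and function names are this example's own.

```python
"""Constructed demo of a MUD enforcement point that keeps its ACLs and its
device-facing DNS answers in lock-step.  No network access; the "upstream
resolver" is an in-memory table whose answers the demo rotates on purpose."""
import time
from typing import Callable, Dict, List, Optional, Set, Tuple

# Upstream resolver: name -> (addresses, ttl_seconds). Injected so the demo
# runs offline and so a test can simulate an answer change (CDN rotation).
Resolver = Callable[[str], Tuple[List[str], int]]

# Constructed MUD ACL entries shaped like the RFC 8520 examples: the device
# may only reach one manufacturer name over TCP/443.
MUD_ACES = [
    {"name": "cl0-todev",
     "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "updates.example.com",
                          "protocol": 6},
                 "tcp": {"destination-port": {"operator": "eq", "port": 443}}}},
]


class MudEnforcer:
    def __init__(self, aces, resolver: Resolver, clock=time.monotonic):
        self.resolver = resolver
        self.clock = clock
        # Names the MUD file authorizes; nothing else is ever resolved for the device.
        self.authorized: Set[str] = {
            ace["matches"]["ipv4"]["ietf-acldns:dst-dnsname"] for ace in aces}
        self.cache: Dict[str, Tuple[List[str], float]] = {}  # name -> (addrs, expires_at)
        self.acl: Dict[str, str] = {}                        # permitted dst IP -> name

    def refresh(self, names=None) -> None:
        """Re-resolve authorized names and re-program the forwarding-plane ACL.
        Run this on MUD-file load and then periodically so the cache stays warm."""
        now = self.clock()
        for name in (names or self.authorized):
            addrs, ttl = self.resolver(name)
            self.cache[name] = (addrs, now + ttl)
        # Rebuild from the whole cache so addresses a name no longer has are dropped.
        self.acl = {ip: n for n, (addrs, _) in self.cache.items() for ip in addrs}

    def answer_query(self, name: str) -> Optional[List[str]]:
        """Answer the device's DNS query from the same cache that feeds the ACL.
        Returns None (i.e. refuse) for names the MUD file does not authorize."""
        if name not in self.authorized:
            return None
        entry = self.cache.get(name)
        if entry is None or entry[1] <= self.clock():
            self.refresh([name])  # stale: re-resolve and re-program before answering
        return list(self.cache[name][0])

    def permits(self, dst_ip: str) -> bool:
        return dst_ip in self.acl


class TableResolver:
    """Constructed upstream whose answers can be changed between calls."""
    def __init__(self, table: Dict[str, Tuple[List[str], int]]):
        self.table = table

    def __call__(self, name: str) -> Tuple[List[str], int]:
        if name not in self.table:
            raise LookupError(name)  # NXDOMAIN
        addrs, ttl = self.table[name]
        return list(addrs), ttl


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def demo() -> Dict[str, object]:
    clock = FakeClock()
    upstream = TableResolver({"updates.example.com": (["192.0.2.10"], 60)})
    cpe = MudEnforcer(MUD_ACES, upstream, clock)
    cpe.refresh()  # warm the cache when the MUD file is loaded
    out: Dict[str, object] = {}
    out["t0_answer"] = cpe.answer_query("updates.example.com")
    out["t0_permits_old"] = cpe.permits("192.0.2.10")
    out["unauthorized"] = cpe.answer_query("evil.example.net")
    # Upstream rotates the answer while the cached record is still fresh.
    upstream.table["updates.example.com"] = (["192.0.2.11"], 60)
    clock.t = 30
    out["t30_answer"] = cpe.answer_query("updates.example.com")  # still .10, as is the ACL
    out["t30_permits_new"] = cpe.permits("192.0.2.11")
    # A device that bypasses the CPE resolver sees the new address and gets blocked:
    out["t30_bypass_blocked"] = not cpe.permits(upstream("updates.example.com")[0][0])
    clock.t = 61  # record expired: the next query re-resolves and re-programs the ACL
    out["t61_answer"] = cpe.answer_query("updates.example.com")
    out["t61_permits_new"] = cpe.permits("192.0.2.11")
    out["t61_permits_old"] = cpe.permits("192.0.2.10")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `t30_bypass_blocked` result is the failure mode the thread is about: once the device resolves through anything other than the enforcement point's cache (a public resolver, DoH), its view and the ACL's view can diverge within a TTL and legitimate traffic is dropped; answering the device from the cache that programs the ACL removes that window.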
