Re: [ga] Rogue (Fraudulent) DNS Servers?
- To: Matthew Pemble <matthew@xxxxxxxxxx>
- Subject: Re: [ga] Rogue (Fraudulent) DNS Servers?
- From: Karl Auerbach <karl@xxxxxxxxxxxx>
- Date: Wed, 12 Dec 2007 02:38:39 -0800
Matthew Pemble wrote:
> http://www.infoworld.com/article/07/12/11/DNS-attack-could-signal-Phishing-2.0_1.html
>
> The researchers estimate that there are 17 million open-recursive DNS servers
If you are running Bind it is possible to create "views" that will, I
believe, defeat this concern. (Of course, if the underlying OS is
Windoz all bets are off.)
On my own resolvers I have an external view in which my resolvers will
answer queries only for names for which my servers are authoritative.
Unless a query source qualifies for my internal view, below, it gets the
external treatment - which means that if you ask one of my servers for
some j-random name that isn't one of mine it'll tell you to go pound sand.
I have an internal view which is available to machines on my address
blocks (and a few others). In that view my resolvers will do a lookup
on any query name.
It's not too hard to set this up - but not trivial. For example, take a
look at http://www.cymru.com/Documents/secure-bind-template.html
--karl--
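For readers who want to see what the two-view split Karl describes looks like in practice, here is an added example of a minimal BIND 9 named.conf skeleton. It is not Karl's configuration and not taken from the Team Cymru template he links; the zone name example.net, the zone file paths and the address prefixes in the "internal" ACL are placeholders (RFC 5737 / RFC 3849 documentation ranges) standing in for "my address blocks".

```conf
// Added example, not from the original post. Two BIND 9 views:
//   "internal" - clients on our own prefixes get full recursion
//   "external" - everyone else gets authoritative answers only
// All names, paths and prefixes below are placeholders.

options {
    directory "/var/named";
    // Recursion is granted per view below. Default it off so a view
    // that forgets to say so is closed rather than an open resolver.
    recursion no;
    allow-query { any; };
};

// Who may use us as a full resolver. Placeholder prefixes only.
acl "internal" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;        // stands in for "my address blocks"
    2001:db8::/32;       // likewise; add the "few others" here
};

// Views are matched in order and the first match wins, so the
// permissive view must come first.
view "internal" {
    match-clients { "internal"; };
    recursion yes;
    allow-recursion { "internal"; };
    allow-query-cache { "internal"; };

    // Root hints are needed for recursion to work in this view.
    zone "." {
        type hint;
        file "named.ca";
    };

    zone "example.net" {
        type master;
        file "internal/example.net.zone";
    };
};

// Everyone else: answer only for zones we are authoritative for.
// No recursion and no cache access, so a query for some j-random
// name we do not own is refused instead of resolved.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };

    zone "example.net" {
        type master;
        file "external/example.net.zone";
    };
};
```

Once views are in use, every zone must live inside a view; BIND rejects a configuration that mixes top-level zones with views, which is most of what makes this "not trivial". To check the result from a host outside the internal ACL, ask the server for a name it is not authoritative for (for example `dig @ns.example.net www.iana.org A`): the response should carry no `ra` (recursion available) flag and should not contain an answer, while `dig @ns.example.net example.net SOA` should still come back with the `aa` flag set. Running the same two queries from an internal address should show `ra` set and the first one answered.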