ICANN/GNSO GNSO Email List Archives


Re: [ga] Re: Rogue (Fraudulent) DNS Servers?

  • To: Stephane Bortzmeyer <bortzmeyer@xxxxxx>, Matthew Pemble <matthew@xxxxxxxxxx>, Avri Doria <avri@xxxxxxx>
  • Subject: Re: [ga] Re: Rogue (Fraudulent) DNS Servers?
  • From: JFC Morfin <jefsey@xxxxxxxxxxxxxxxx>
  • Date: Wed, 12 Dec 2007 13:28:12 +0100


The problem with English specifications/RFCs is that they privilege the concept over the term. So, the "DNS" is many different things under the same name, with different main understandings by users and engineers. We can say that for a user what he receives from the "DNS at large" is the main DNS concern, while for an engineer the main DNS concern is what the "DNS system" will deliver. So, "mal-DNS" is in the DNS for the user, not in the DNS for the engineer.

Practical solutions to this kind of global network issue can only be patched at the protocol level. They can only be solved at the architectural level. This means a new internet. There are two possible forms for a new internet: a new physical and digital architecture, which is what GENI is about; or a new usage architecture, which is what we (the users) have to work on and experiment with (something ICANN called for in 2001 in its ICP-3 document, which the IETF has disregarded).

The current inability of the IETF to address the user's side of the complexity of the problem (and probably the engineering side, as we see with IPv6, IDNA, DNSSEC, ROAP, etc.) will most probably reach a point of no return with the InterNAT as the/a practical solution to the IP address shortage. From then on we will face in Internet standardization the same thing as in every other standardization area: an SSDO diversity, different entities addressing the same point differently. The problem is interoperability among their RFC multiplicity. In real life/the real world, the reality described by the norms ensures that interoperability. In the virtual world, the norm defines the virtuality, and there is no Internet norm, only IETF standard propositions. Deciding whether they keep the STD numbers is a current IETF issue.

The mal-DNS is our GNSO priority, because it erodes the whole naming credibility. We are confronted with it via IDNA (phishing through Unicode support failures), we are confronted with it through these Windoz bugs, etc. There most probably will be other forms of attacks. Identifying the sources of the problems (lack of presentation layer, unique root, poor support of aliases, etc.) is a priority, as the IETF does with ROAP (routing and addressing problem). For the DNS it should be the job of the GNSO. It happens that the GNSO has an IETF member as Chair; this might help?
jfc



At 10:51 12/12/2007, Stephane Bortzmeyer wrote:


On Wed, Dec 12, 2007 at 09:12:21AM +0000,
 Matthew Pemble <matthew@xxxxxxxxxx> wrote
 a message of 140 lines which said:

> I assume we will actually have to wait for the survey

Yes, because the IDG paper is mostly crap. Other reports from Dagon
were very good.

> Georgia Tech's and Google's researchers estimate that as many as 0.4
> percent, or 68,000, open-recursive DNS servers are behaving
> maliciously, returning false answers to DNS queries.

That's perfectly possible but since nobody interrogates them, it is
hardly a problem.

> Attackers would then change just one file in the Windows registry
> settings, telling the PC to go to the criminal's server for all DNS
> information.

So, the attack has *nothing* to do with DNS. If the attacker can
change MS-Windows (or any other OS) settings, he can do anything.

[The mention of a "file in the Windows registry" gives a good idea of
the seriousness of the paper.]




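The quoted exchange above turns on two claims: that some open-recursive resolvers return false answers, and that malware can redirect a PC to a criminal's resolver simply by editing its Windows registry settings. Stephane's point is that the second is a host-compromise problem, not a DNS one, so the host is where a defender checks for it. The script below is an added example, not code from this thread or from any of its participants. It reads the per-interface `NameServer`/`DhcpNameServer` values under the Windows `Tcpip\Parameters\Interfaces` registry key (on non-Windows hosts that step is skipped), compares the configured resolvers against an allowlist, and offers a second check that flags names for which a suspect resolver's answers share no address with a trusted reference resolver. The allowlist, the interface values and the answer sets are constructed sample data, and the reference-resolver comparison is a heuristic: CDNs legitimately return different addresses per vantage point, so a flagged name is a signal to review, not proof of a forged answer.

```python
"""Host-side checks for unexpected DNS resolver settings and inconsistent answers.

Added example for the thread above; the allowlist, sample registry strings and
sample answer sets are constructed, not taken from the discussion.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed allowlist: the resolvers this (hypothetical) organisation expects
# its hosts to use. Replace with your own.
EXPECTED_RESOLVERS: Set[str] = {"10.0.0.53", "10.0.1.53", "fd00::53"}


def parse_nameserver_value(value: str) -> List[str]:
    """Split a Windows Tcpip 'NameServer' string into individual entries.

    Windows stores statically configured resolvers as one string separated by
    commas and/or spaces. Malformed tokens are kept so the caller can flag
    them instead of silently dropping them.
    """
    return [tok for tok in value.replace(",", " ").split() if tok]


def classify_resolvers(configured: Iterable[str], expected: Iterable[str]) -> Dict[str, List[str]]:
    """Sort configured resolver entries into expected / unexpected / invalid.

    Addresses are normalised through the ipaddress module so that, for
    instance, 'FD00::53' and 'fd00::53' compare equal.
    """
    allow = {str(ipaddress.ip_address(a)) for a in expected}
    report: Dict[str, List[str]] = {"expected": [], "unexpected": [], "invalid": []}
    for entry in configured:
        try:
            addr = str(ipaddress.ip_address(entry))
        except ValueError:
            report["invalid"].append(entry)
            continue
        report["expected" if addr in allow else "unexpected"].append(addr)
    return report


def compare_answers(suspect: Dict[str, Set[str]], reference: Dict[str, Set[str]]) -> List[str]:
    """Return names whose answers from the suspect resolver overlap nowhere with the reference.

    Inputs map a queried name to the set of addresses each resolver returned.
    A name the suspect resolver did not answer at all is also flagged. Any
    overlap at all is treated as consistent, which tolerates CDN-style
    per-vantage-point variation while still catching wholesale substitution.
    """
    flagged = [
        name for name, good in reference.items()
        if not (suspect.get(name, set()) & good)
    ]
    return sorted(flagged)


def read_windows_nameservers() -> List[str]:
    """Collect NameServer/DhcpNameServer entries for every interface (Windows only).

    Returns [] where the winreg module is unavailable so the rest of the
    script still runs on other platforms.
    """
    try:
        import winreg
    except ImportError:
        return []
    path = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    found: List[str] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as root:
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(root, index)  # raises OSError when exhausted
            except OSError:
                break
            index += 1
            with winreg.OpenKey(root, sub) as iface:
                for value_name in ("NameServer", "DhcpNameServer"):
                    try:
                        value, _ = winreg.QueryValueEx(iface, value_name)
                    except OSError:
                        continue  # value absent on this interface
                    found.extend(parse_nameserver_value(value))
    return found


if __name__ == "__main__":
    # Constructed sample: a static entry, a DHCP-supplied entry and a bad token.
    sample_registry_string = "10.0.0.53,192.0.2.10 not-an-ip FD00::53"
    configured = read_windows_nameservers() or parse_nameserver_value(sample_registry_string)
    print("resolver check:", classify_resolvers(configured, EXPECTED_RESOLVERS))

    # Constructed sample answers (TEST-NET addresses) from a suspect and a reference resolver.
    suspect_answers = {"example.com": {"192.0.2.5"}, "example.net": {"198.51.100.7", "198.51.100.8"}}
    reference_answers = {"example.com": {"203.0.113.5"}, "example.net": {"198.51.100.8"}}
    print("names with no overlapping answers:", compare_answers(suspect_answers, reference_answers))
```

In practice the answer comparison would be fed by real queries (one to each configured resolver, one to a resolver you control), but the decision logic is the part worth getting right: flag only on total disagreement, and treat a flag as a reason to look at the host's settings rather than as a verdict about the resolver.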