DNS weirdness and Cox Communications

Joseph Sinclair plug-discussion at stcaz.net
Sun Aug 10 15:07:03 MST 2008


Ed wrote:
<<SNIP>>
> Check /etc/resolv.conf for the DNS you are using - DHCP will
> rewrite/prepend this file if your lease includes DNS servers (most do).
> 
> If there are delays - check that the first & second nameserver entries
> are reachable - network timeout delays are the most likely delay that
> you might notice. Then you can compare how either set of servers works
> for you.
> 
> If you run your own cache, it is time to patch to the latest DNS
> server and get ready for DNSSEC, it will be required soon. The recent
> security problem was based on a session intercept (I think, could be
> wrong) so you may have folks seeing incomplete man-in-the-middle
> attacks? outside of your ISP's network.
> 
> Anybody able to describe what the new DNS attack would look like to a
> user/in the logs?
> Ed


I'm no expert on this one, but as I understand it, the new attack would appear to the user a lot like old-school cache poisoning; you'd initiate a query for a record and just get wrong results.
It's conceivable that the drops they're seeing could be failed attacks, but it's more likely that it's just poor QoS for DNS queries resulting in excessive packet drops.
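
Added example, not part of either post in this thread: a Python sketch of the check Ed describes, reading the nameserver entries in resolver order and timing one UDP query against each, so timeouts and drops show up per server. The sample file contents, the probe name `example.com` and all function names are assumptions; a reply whose ID does not match the query is reported separately because a resolver would not accept it as the answer.

```python
import os, socket, struct, time

# Constructed sample (documentation addresses); used only if /etc/resolv.conf is absent.
SAMPLE_RESOLV_CONF = """\
# constructed sample
domain example.net
nameserver 192.0.2.53
nameserver 198.51.100.53
options timeout:2
"""

def parse_nameservers(text):
    """Return nameserver addresses in the order the resolver tries them."""
    rows = (line.split() for line in text.splitlines())
    return [f[1] for f in rows if len(f) >= 2 and f[0] == "nameserver"]

def build_query(name, txid):
    """Encode a recursive A/IN query for `name` with the given 16-bit ID."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)

def probe(server, name="example.com", timeout=2.0, port=53):
    """Return (status, seconds); status is ok, timeout, error or id-mismatch."""
    txid = int.from_bytes(os.urandom(2), "big")  # unpredictable ID per query
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name, txid), (server, port))
        reply, _ = sock.recvfrom(512)
    except socket.timeout:
        return "timeout", time.monotonic() - start
    except OSError:
        return "error", time.monotonic() - start
    finally:
        sock.close()
    elapsed = time.monotonic() - start
    if len(reply) < 2 or struct.unpack(">H", reply[:2])[0] != txid:
        return "id-mismatch", elapsed
    return "ok", elapsed

if __name__ == "__main__":
    path = "/etc/resolv.conf"
    text = open(path).read() if os.path.exists(path) else SAMPLE_RESOLV_CONF
    for ns in parse_nameservers(text):
        status, secs = probe(ns)
        print(f"{ns:40s} {status:12s} {secs * 1000:7.1f} ms")
```

Running it several times against each server separates a consistently unreachable first entry from intermittent packet loss.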


