PowerDNS Recursor 3.0 released, challenging dominant nameservers

Posted by bert hubert Thu, 20 Apr 2006 14:27:00 GMT

PowerDNS Recursor version 3.0 has just been released, I’m relieved to say. Read all about it in the release notes.

To quote:

We consider this version of the PowerDNS recursor to be the most advanced resolver publicly available. Given current levels of spam, phishing and other forms of internet crime we think no recursor should offer less than the best in spoofing protection. We urge all operators of resolvers without proper spoofing countermeasures to consider PowerDNS, as it is a Better Internet Nameserver Daemon.

As mentioned previously, the new recursor is at least 64000 times harder to spoof than previous releases. Briefly, spoofing involves feeding a nameserver fake answers by making educated guesses about what questions it is asking. If one guesses right quickly enough, the nameserver believes the ‘spoofed’ answer, and email as well as web traffic can be redirected to malicious sites. This is obviously a big problem.

Previously, of major nameservers, only dnscache (tinydns) and presumably Nominum CNS offered decent protection against this phenomenon. PowerDNS has now joined this club, and goes further by not just being harder to spoof but by also detecting (and shielding) when an attempt is made.
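To make the "harder to spoof" arithmetic and the "detecting an attempt" point concrete, here is a toy model of how a recursor validates the answers it receives. This is an added illustration, not PowerDNS code; it assumes the old behaviour sends every query from one fixed source port (53 here) and the new behaviour picks a random port from 1024 to 65535, which gives the 64000-plus factor quoted above.

```python
import secrets
from dataclasses import dataclass

FIXED_PORT = 53           # assumption: single source port for the unprotected case
PORT_LOW, PORT_HIGH = 1024, 65535   # assumption: randomized source-port range

@dataclass(frozen=True)
class Query:
    qname: str
    txid: int     # 16-bit DNS transaction ID
    sport: int    # UDP source port the query left from

class ToyRecursor:
    """Tracks outstanding queries and accepts only replies that match one exactly."""

    def __init__(self, randomize_port: bool):
        self.randomize_port = randomize_port
        self.outstanding = {}      # (sport, txid) -> qname still waiting for an answer
        self.spoof_attempts = 0    # mismatched replies arriving on a live query port

    def send_query(self, qname: str) -> Query:
        txid = secrets.randbelow(1 << 16)
        if self.randomize_port:
            sport = PORT_LOW + secrets.randbelow(PORT_HIGH - PORT_LOW + 1)
        else:
            sport = FIXED_PORT
        self.outstanding[(sport, txid)] = qname
        return Query(qname, txid, sport)

    def receive_reply(self, dport: int, txid: int, qname: str) -> str:
        # A reply to a port with no open query never reaches the resolver logic.
        if dport not in {port for port, _ in self.outstanding}:
            return "dropped"
        # The port is live, so the reply must also carry the right txid and question.
        if self.outstanding.get((dport, txid)) != qname:
            self.spoof_attempts += 1       # detection: a guess that reached us but was wrong
            return "rejected"
        del self.outstanding[(dport, txid)]
        return "accepted"

def guesses_per_answer(randomize_port: bool) -> int:
    """Distinct (port, txid) pairs a forged reply must match; the spoofer's search space."""
    port_space = (PORT_HIGH - PORT_LOW + 1) if randomize_port else 1
    return (1 << 16) * port_space
```

With a fixed port the whole search space is the 65536 transaction IDs; randomizing the port multiplies it by 64512, which is where the "at least 64000 times harder" figure comes from.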

I took this up with the people who program BIND, because it worries me that the dominant recursor is also the recursor that is easiest to spoof, and they are pondering improving BIND in this respect. But what I miss is the sense of urgency.

The internet has turned into a hostile place. Not too many years ago it was common for servers to helpfully relay other people’s email; these days such a server (known as an open relay) becomes a conveyor of gigabytes of spam within a few hours.

Running a spoofable recursor is the moral equivalent of running an open relay - it allows spammers and other miscreants to use the internet for their ends, on your dime. In fact, an open relay is less of a worry - relaying spam is simply a nuisance, but having your customers redirected to malicious sites, or letting their email be diverted is far worse!

So I hereby call on all nameserver operators and software authors to follow the lead of Dan Bernstein’s dnscache and now PowerDNS, and work diligently on rooting out spoofing. Either change your recursor to PowerDNS or dnscache, or convince the authors of your vulnerable nameserver to clean up their act.

To read more, head over to this article on DNS spoofing, or read my previous writings on this subject.
