[SLL] who is randomizing DNS source ports? deploying DNSSEC?

Brian Hatch bri at ifokr.org
Sat Jul 26 23:19:21 PDT 2008


Before I go on, some full disclosure (which should already
be common knowledge to anyone in GSLUG) - I'm a Google
engineer, since April 2007.  And I'm not speaking for them,
I'm speaking as an independent Linux geek.


Nigh 2008-07-25 17:26 -0700, Derek Simkowiak squalked:

>    That particular OpenDNS resolution (re: www.google.com) has been in 
> place since May of last year.  A public forum discussion about it -- 
> hosted by OpenDNS -- is here:
> 
> http://forums.opendns.com/comments.php?DiscussionID=226

The concerns I'd have are raised here, yes.

So first, I'm not a good candidate for opendns in the first place.
I believe in a free and unblocked Internet, including for my kids,
so I'm not someone who would want sanitization of what I can access.

I am also a paranoid freak, which means if I do trust (sparingly)
the sites I visit, that should not require trust on any eliminatable
third party.  Yes, I must trust the 13 root servers.  No, I don't
trust my ISP, I have my resolvers talk to the roots and work their
way up.  I'm certainly not going to trust some other DNS service that
is going to intentionally 'keep me safe'.

But even if I were hoping to have someone block stuff for me,
doing anything beyond an allow/block on IP is going too far.  That's
why something that relays some data through their servers isn't going
to fly with me.  Maybe it sanitises it.  Maybe it reorders things.
Maybe it gets cracked and now some miscreant is in control, not the
organisation I'm trusting to protect me.  Yikes.  The fewer possible
points of interference, the better.

> As far as injecting, I haven't seen anything other than the Google 
> thing, but I know that they filter plenty of AdWare ads for me (because 
> I configured my account that way).  That alone is worth it to me.

I used to want to block all those advertising sites and images.  But
about five years ago I decided that I should allow the mechanism by
which the websites I visit make a profit.  Now I don't click on ads
often (a massive understatement) but I don't block them.

Again, this is a personal decision, and not anything I'd force on
others.  I fully believe one should be able to go to the bathroom
during TV commercials without being accused of stealing, thank you
Mr. Kellner...

> Of course, no 3rd party is as trustworthy to me as me.  But in an 
> Internet age ruled by the likes of Comcast, Verisign, and ICANN, I'm 
> perfectly happy to use the services of a company like OpenDNS.

Eh, I'm going to continue running dnscache against the roots and wearing
my tinfoil hat - it has such a comfortable fit!

I'm happy to discuss/blather offline if folks want, but I'd much rather
get back to the original topic of the DNS security issue and if anyone's
doing DNSSEC - especially if inside (a patched) DJBDNS.

-- 
Brian Hatch                  "I'm going to close my eyes
   Systems and                and pretend I'm sleeping.
   Security Engineer          I'm going to pretend they're
http://www.ifokr.org/bri/     sleeping too."
                             -- Bree
Every message PGP signed