Dear Friends,
There is potentially a huge DNS problem that is about to hit the
internet on a scale comparable with spam e-mail.
It can be solved by patching the DNS resolver you use but:
- the DNS resolver of your home router is impossible to patch
- the DNS servers of Indian ISP's have currently not been patched
Thus the problem affects *all* users who use the 'net from home.
Note that running your own caching name servers may not help if your
home router is an appliance style NAT firewall between your name
server and the net. That device may effectively be de-randomising your
DNS lookup requests.
Please check your DNS service via www.doxpara.com (which is Dan
Kaminsky's web site) and if your ISP is at fault --- bug them!
Another step which is currently expensive may be to buy a home router
that runs GNU/Linux. You can then patch to get 2.6.24 kernel which
randomises ports while doing NAT.
A cheaper solution for both problems is for all users to switch their
home computers/routers to use a safer DNS service.
One such service is www.opendns.com. If people know of other such
services, they should let their friends know.
The problem with some of these services is that when the name lookup
fails they re-direct the lookup to their own sites "for advertising".
To mitigate this we could offer our own name servers for recursive
lookup instead of www.opendns.com and the like. The problem would be
how we could keep the load at reasonable levels. We could use traffic
shaping to limit the use of bandwidth for this to reasonable levels.
Suggestions welcome.
Regards,
Kapil.
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
Url :
http://www.ae.iitm.ac.in/pipermail/ilugc/attachments/20080726/04eab36a/attachment.bin
