Reply to post: Re: Security expert?

If your smart home gear hasn't updated recently, throw it in the trash

Vic

Re: Security expert?

The current DNS problems seem almost hopeless

The problem with DNS is actually quite easy to solve - it's just expensive.

All we need to do is to phase out DNS over UDP - by turning off or firewalling the UDP responder - and get DNS clients to start using TCP by default[1]. This solves the problem of address spoofing[2], at the cost of significantly higher DNS traffic.

Vic.

[1] Current DNS clients will fall back to TCP if the UDP attempt is unsuccessful. That generally means a 20-second wait. If UDP becomes likely to fail, I can see the behaviour changing quite rapidly...

[2] Address spoofing over TCP is pretty much impossible without co-operation from the spoofed address or the ISP providing it as you need the ACKs for the connection to progress.
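The TCP-only resolution Vic describes above, as an added example that is not part of the original post or any Register code: it builds a standard DNS query, applies the 2-byte length prefix that DNS over TCP requires (RFC 1035 section 4.2.2), splits a TCP byte stream back into whole messages, and decodes the header flags, including the TC bit that is what normally triggers a client's UDP-to-TCP fallback. The sample query and response bytes are constructed inline (TEST-NET address, made-up transaction ID) so the checks run offline; only `query_over_tcp` touches the network, and it assumes a resolver listening on TCP port 53 at the address you pass.

```python
import socket
import struct
import random
from typing import Dict, List, Optional, Tuple


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: length-prefixed, NUL-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a recursive query (RFC 1035 header + one question); qtype 1 = A record."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # flags 0x0100: QR=0 (query), OPCODE=0, RD=1; QDCOUNT=1, no other sections
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def parse_tcp_stream(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a TCP byte stream into complete DNS messages; return leftover bytes."""
    msgs = []
    while len(buf) >= 2:
        (n,) = struct.unpack("!H", buf[:2])
        if len(buf) < 2 + n:
            break  # partial message, wait for more bytes
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf


def parse_header(msg: bytes) -> Dict[str, int]:
    """Decode the 12-byte header. 'tc' is the truncation bit: a UDP answer with
    TC=1 is what makes a resolver retry the same question over TCP."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def query_over_tcp(server: str, name: str, timeout: float = 5.0) -> Dict[str, int]:
    """Send one query over TCP only (no UDP attempt) and return the parsed header.
    Network call; assumes a resolver on TCP/53 at 'server'. Not used offline."""
    q = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(q))
        buf = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("server closed connection before answering")
            buf += chunk
            msgs, buf = parse_tcp_stream(buf)
            if msgs:
                break
    hdr = parse_header(msgs[0])
    if hdr["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction ID mismatch")
    return hdr


# Constructed sample traffic (not a capture): an A query for example.com with
# transaction ID 0x1234 and a matching reply carrying one A record for 192.0.2.1.
SAMPLE_QUERY = build_query("example.com", txid=0x1234)
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, NOERROR
    + SAMPLE_QUERY[12:]                                   # echo the question section
    + struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)         # name ptr to offset 12, A, IN, TTL, rdlen
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    msgs, _ = parse_tcp_stream(tcp_frame(SAMPLE_QUERY) + tcp_frame(SAMPLE_RESPONSE))
    for m in msgs:
        print(parse_header(m))
```

The stream parser matters because, unlike UDP, a TCP connection carries no message boundaries: several replies can arrive in one `recv`, or one reply can be split across two, so the length prefix is the only thing that delimits them.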
