Dan Kaminsky Suggests Having Fun with DNS
boogahsmalls writes "A few weekends ago Dan Kaminsky of scanrand fame presented some pretty cool ideas involving DNS that made plenty of heads spin at the LayerOne Technology Conference. Some of his concepts included Voice over DNS and storing Knoppix in a DNS cache. He's also apparently got a couple of new tools in the pipe, including a scanrand-based DNS scanner and a visualization suite. Could another version of Paketto Keiretsu be in the works?" (OpenOffice.org does a great job of opening the PowerPoint slideshow.)
No, I guess I shouldn't. That was kind of elitist of me and I apologise. It's just frustrating sometimes to see a really good article on Slashdot, dig in hoping to read some good comments about it, and find that people can only post "humorous" stuff or other equally lame stuff. If I don't understand an article, I don't post on it.
You're also right about the PowerPoint; it would obviously have been much better for us if we'd been there to hear his presentation. It still gives us a good insight into his ideas, though.
Bob
Forget the current legal nightmare of this proposal - just roll with me...
This guy proposes putting content (e.g. Knoppix) into DNS.
Why is DNS particularly not well suited for this kind of distribution mechanism?
Seems to me that if the RIAA wanted to distribute their movies via broadband providers (an inevitability, I'm afraid) the biggest problem would be dealing with BANDWIDTH.
I always figured that ISPs would have to have some way to cache content locally so their Internet pipes don't get absolutely HAMMERED by all the people viewing the latest flick...
DNS already has a mature, stable, and lightweight caching mechanism in place. Why not use it?
Honestly, caching content a la DNS might provide a MUCH more efficient content distribution mechanism than, say, BitTorrent.
Where's the bad part of this idea?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
DNS is just a pervasive and well-organized caching broadcast protocol, isn't it? Right now, all it's been used to transmit is mappings of ASCII strings to IP addresses, and ancillary data related to that. Why is using it to transmit anything else particularly innovative? We didn't see this much enthusiasm when someone figured out how to send Knoppix over HTTP or Usenet.
Discussed YEARS ago, with the possibility of sticking the source of DeCSS into a DNS cache (among other things). I would put the source in an HTML comment here, but alas, no comment tags.
I hate grammar Nazis.
http://cr.yp.to/djbdns/guarantee.html
The djbdns security guarantee
I offer $500 to the first person to publicly report a verifiable security hole in the latest version of djbdns.
Examples of problems that do not qualify:
* Denial-of-service attacks. (BIND 9's fragility makes denial of service completely trivial; but an attacker can easily take down the Domain Name System without using any of BIND's bugs. The DNS architecture needs to be decentralized.)
Says it right there. It's a DoS attack that, by means of a series of specially-selected queries, forces worst-case behavior out of the caching algorithm.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
His techniques allow someone to set up a cryptographically secure network that most likely completely ignores firewalls. It features high-bandwidth/high-latency connections and low-bandwidth/low-latency connections, and is virtually untraceable, even to both parties involved in the connection. An initial hostname and time would act as the 'phone number'. (By keeping a certain request alive, one can even implement a dialing service with TTL delay.) A message service is freely included.
It is virtually impossible to shut these networks down without replacing/patching DNS. Not an easy task.
The bandwidth available to this network most likely exceeds that of most IRC botnets. Especially since the root servers are defending themselves against DDoS attacks.
The tools he's still developing might be able to trace these things, but it will still require the cooperation of DNS server administrators (to get their logs). You will never get them all, and you'll have a LOT of data to process. According to this, the ICS root server continuously handles almost 8Mbps (and can handle up to 80Mbps) of traffic. I seriously doubt they can log that... (if so, transferring the logs would continually consume a healthy percentage of the server's bandwidth.)
Pretty smart man indeed and very idealistic or shortsighted. Both the right and the wrong sort of people would pay a lot of money for that...
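The comment above says tracing DNS-carried traffic would come down to resolver logs and a lot of data processing. As an added illustration of what that processing could look like on the defender's side (this is not code from the thread, from Kaminsky, or from any of the tools mentioned), the script below parses a hypothetical BIND-style query-log format of my own choosing (`client <ip> query: <qname> IN <qtype>`), aggregates per client and zone, and flags pairs whose leftmost labels look like encoded payload rather than hostnames: many distinct names, long labels, high per-character entropy. The sample log lines and all thresholds are constructed for the example, not measured values.

```python
"""Heuristic spotting of encoded-payload query patterns in DNS resolver logs.

Added example, not from the original thread. Parses constructed,
BIND-style query-log lines and flags (client, zone) pairs whose leftmost
labels look like encoded data rather than ordinary hostnames.
"""
import math
import re
from collections import Counter, defaultdict

# Hypothetical log format, modelled loosely on BIND's query log:
#   client <ip> query: <qname> IN <qtype>
LINE_RE = re.compile(r"^client (\S+) query: (\S+) IN (\S+)$")

# --- constructed sample data -------------------------------------------
# A 32-hex-char label in which every hex digit appears exactly twice
# (entropy 4.0 bits/char); its rotations keep that entropy and are distinct.
_PAYLOAD = "a1b2c3d4e5f60718293a4b5c6d7e8f90"
SAMPLE_LOG = "\n".join(
    # ordinary browsing from one client: few, short, repeated names
    [f"client 10.0.0.5 query: {h}.example.com IN A"
     for h in ("www", "mail", "www", "cdn", "api", "www")]
    # many distinct but short CDN-style names: unique, yet not payload-like
    + [f"client 10.0.0.9 query: s{i}.cdn.example.org IN A" for i in range(6)]
    # encoded-looking labels under one zone, a fresh name per query
    + [f"client 10.0.0.7 query: {_PAYLOAD[i:] + _PAYLOAD[:i]}.t.example.net IN TXT"
       for i in range(6)]
)


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty or uniform)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def parse_log(log_text: str):
    """Yield (client, qname, qtype) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2).rstrip(".").lower(), m.group(3).upper()


def zone_of(qname: str) -> str:
    """Crude registrable-zone guess: the last two labels of the name."""
    return ".".join(qname.split(".")[-2:])


def summarize(log_text: str):
    """Aggregate per (client, zone): query count, distinct-name ratio,
    TXT/NULL ratio, and mean length / entropy of the leftmost label."""
    buckets = defaultdict(list)
    for client, qname, qtype in parse_log(log_text):
        buckets[(client, zone_of(qname))].append((qname, qtype))
    stats = {}
    for key, rows in buckets.items():
        first_labels = [q.split(".")[0] for q, _ in rows]
        stats[key] = {
            "queries": len(rows),
            "unique_ratio": len({q for q, _ in rows}) / len(rows),
            "mean_label_len": sum(map(len, first_labels)) / len(rows),
            "mean_entropy": sum(map(shannon_entropy, first_labels)) / len(rows),
            "txt_ratio": sum(t in ("TXT", "NULL") for _, t in rows) / len(rows),
        }
    return stats


def flag_suspicious(log_text: str, min_queries=5, min_unique_ratio=0.8,
                    min_label_len=20, min_entropy=3.0):
    """Return sorted (client, zone) pairs that match every heuristic.
    Thresholds are illustrative starting points, not tuned values."""
    hits = []
    for (client, zone), s in summarize(log_text).items():
        if (s["queries"] >= min_queries
                and s["unique_ratio"] >= min_unique_ratio
                and s["mean_label_len"] >= min_label_len
                and s["mean_entropy"] >= min_entropy):
            hits.append((client, zone))
    return sorted(hits)


if __name__ == "__main__":
    for (client, zone), s in sorted(summarize(SAMPLE_LOG).items()):
        print(client, zone, {k: round(v, 2) for k, v in s.items()})
    print("flagged:", flag_suspicious(SAMPLE_LOG))
```

The CDN-style client is there on purpose: a high ratio of never-repeated names alone would also match a busy web client, so the label length and entropy checks are what separate encoded payload from ordinary hostnames. Real resolver logs are larger and noisier than this, so in practice the thresholds would be set per environment and the per-zone aggregation would use a public-suffix list rather than the last-two-labels guess used here.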