This idea has been around for well over a decade. Maintaining a discrete list of what is allowed which can be completely enumerated with a great level of confidence and block the rest. Badness cannot be enumerated completely. Blacklists will always be missing important aspects. Expecting that all people are good and don’t do bad things will always turn bad.

Patches released for DNS services that are vulnerable do not fix the root cause. It can’t be fixed because it is part of the original specification and migrating away from it will be equally as painful as the migration to IPv6 is. These patches only implement other kinds of mitigation for the exploit. The best form of mitigation comes in the form of implementing standard best practices that have been around for many years.

DNS servers should carefully control who is allowed to ask questions about non-authoritative zones (recursion). DNS servers at ISPs should limit recursion to customers only. Corporations should run internal recursive DNS servers with access restricted to internal users only. This will severely isolate any damage caused by cache poisoning.

I am not saying nobody needs to patch their servers. In fact the patches should be applied quickly because it does help quite a bit. I am just saying that if you have already implemented best practices you shouldn’t have to worry very badly. And if you haven’t implemented them, do it now!

I once saw an article describing this dilemma. Basically all tasks can be broken into categories based on the difficulty of the task and the frequency of the task. Steps to reduce the time and effort to do these tasks should be prioritized by category. Tasks that are easy to do, that you do frequently, should have shortcuts applied when possible. An example might be using your shell’s alias feature. Tasks that are easy, that you do rarely, don’t bother over complicating it yet. Hard stuff that you do frequently should be automated as much as possible. Perhaps you could try your hand at Shell or Perl scripting. Those rare tasks that take some time on your part should be clearly documented to take out the guess work, perhaps even include copy/paste’able code fragments as well.

I highly suggest these two books by Thomas Limoncelli. The Practice of System and Network Administration, and Time Management for System Administrators. The first book covers a lot of general theory of system administration, not necessarily platform specific but there is lost of unix information. The second book offers excellent ideas and tips on managing your time better, reducing distractions, and getting rid random people interrupting you to ask why their email is slow.