On Wed, Aug 05, 2015 at 02:39:18AM +1000, Mark Andrews wrote:
>
> In message <9c2aca5a-755d-4fcf-8491-745a1f911...@puck.nether.net>, Jared
> Mauch writes:
> > I recommend using DNSDIST to balance traffic at a protocol level as you can
> > have implementation diversity on the backside.
> >
> > I can send an example config out later for people. You can balance to bind
> > NSD and others all at the same time :-) just move your SPoF
> >
> > Jared Mauch
>
> Unless the same client hits the same server all the time this is a
> bad idea.

Software that can't handle the remote side having an upgrade/downgrade/capability change is broken.

> Resolvers actually track capabilities of servers as it is the only
> way to get answers due to firewalls dropping legitimate packet and
> protocol misimplementations.  Add to that different vendors /
> versions supporting different extensions randomly flipping between
> vendors / versions is fraught with danger unless you take extreme
> care.

I've come to use DNSDist to work around the problems that BIND has with outstanding queries which don't get a response.  You might be surprised how poorly BIND performs if you use something else to take a look at it from the exterior.

http://puck.nether.net/~jared/dnsdist.png

The first two are BIND, the 3rd is not, and the 4th is BIND.  The last 3 get the same types of queries; notice how BIND drops lots of queries.

I don't have time to report all the DNS related issues on bind-users/dev, but you may find it helpful to use a tool like this to at least identify what is going on.

The last 3 servers get only domains like arpa and a few well known domains, e.g. gmail.

- Jared

> > > On Aug 4, 2015, at 10:03 AM, Jay Ashworth <j...@baylink.com> wrote:
> > >
> > > Everyone got BIND updated?
> > >
> > > http://arstechnica.com/security/2015/08/exploits-start-against-flaw-that-could-hamstring-huge-swaths-of-internet/
> > > --
> > > Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

--
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
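[Editor's note, not part of the thread.] The exchange above raises two points that a dnsdist deployment has to reconcile: Jared's use of dnsdist to route around a backend that stops answering, and Mark's caveat that a resolver which tracks per-server capabilities should keep hitting the same server. The configuration below is an added example, not the config Jared offered to send and not taken from the dnsdist project. It assumes dnsdist's Lua configuration API (addLocal, newServer with checkName/checkType/maxCheckFailures, Server:isUp, setServerPolicyLua, and dq.remoteaddr:toString()) as documented for the 1.x series; all addresses are constructed from RFC 5737 documentation space, and the zone used for health probes is a placeholder.

```lua
-- Added example (not the config mentioned in the thread): a dnsdist setup that
-- spreads queries across backends of two DNS implementations while
-- (a) health-checking each backend so one that stops answering leaves the
--     rotation, and
-- (b) pinning each client source address to one backend, so a resolver that
--     tracks per-server capabilities keeps talking to the same implementation.
-- Addresses are constructed (RFC 5737); example.com. is a placeholder zone.

-- Listen for client queries.  Assumed: the balancer owns 192.0.2.53.
addLocal("192.0.2.53:53")

-- Backends.  checkName/checkType drive dnsdist's periodic health probes;
-- maxCheckFailures consecutive failures mark the server down, and the policy
-- below stops selecting a server that is down.
newServer({address = "192.0.2.10:53", name = "bind-a", pool = "auth",
           checkName = "example.com.", checkType = "SOA", maxCheckFailures = 3})
newServer({address = "192.0.2.11:53", name = "bind-b", pool = "auth",
           checkName = "example.com.", checkType = "SOA", maxCheckFailures = 3})
newServer({address = "192.0.2.12:53", name = "nsd-a", pool = "auth",
           checkName = "example.com.", checkType = "SOA", maxCheckFailures = 3})

-- Stable, non-cryptographic hash of the client address string.  Plain
-- arithmetic (no bit operators) so it runs on LuaJIT and Lua 5.x alike.
local function hashClient(addr)
  local h = 0
  for i = 1, #addr do
    h = (h * 31 + addr:byte(i)) % 2147483647
  end
  return h
end

-- Selection policy: among backends currently up, pick the one indexed by the
-- client hash.  A given client therefore lands on the same backend until that
-- backend fails its health checks, at which point it moves to another one.
local function clientPinned(servers, dq)
  local up = {}
  for _, s in ipairs(servers) do
    if s:isUp() then
      table.insert(up, s)
    end
  end
  if #up == 0 then
    -- Nothing healthy: hand back the first server rather than nothing, so the
    -- query is attempted instead of being refused outright (a design choice).
    return servers[1]
  end
  local idx = (hashClient(dq.remoteaddr:toString()) % #up) + 1
  return up[idx]
end

setServerPolicyLua("clientpinned", clientPinned)
```

Two things to check when adapting this: the pin is keyed on the client's source address only, so many resolvers behind one NAT share a backend and their per-server capability state is still coherent; and because the set of healthy servers changes the modulus, a single backend failure reshuffles some clients that were not on the failed server. If that reshuffle matters, a consistent-hashing ring over the server names would reduce it, at the cost of a slightly longer policy function.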