Re: medicare.gov / cms.gov DNSSEC Validation Failures
On Tue, Dec 28, 2010 at 06:39:21PM -0600, Richard Laager wrote:
> I'm looking for a DNS contact for medicare.gov (and cms.gov). They are
> failing DNSSEC validation.

Ditto. Similar to uspto.gov not too long ago.

Try posting to dns-operations. https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Almost certainly some *.gov dns admins lurking there.

Cheers,
Nate Itkin
Re: he.net down?
On Mon, Oct 03, 2011 at 11:14:03PM +, Michael J McCafferty wrote:
> Our session with them is up and down at Any2 at OWB.
>
> --Original Message--
> From: Aiden Sullivan
> To: nanog@nanog.org
> Subject: he.net down?
> Sent: Oct 3, 2011 3:35 PM
>
> www.he.net seems to be down on both IPv4 and IPv6 -- does anyone know what is
> going on?
> --
> Aiden
> Sent from my Verizon Wireless BlackBerry

Blaming DDOS. http://status.linode.com

"The incident was a probable DDOS attack, but its behavior was unusual and difficult to identify. Our network engineers made some adjustments to the DOS countermeasures acquired after last week's incident, and that seems to have stabilized traffic flow. We apologize for the inconvenience.
-Ben Larsen
Hurricane Electric Internet Services"

Some supporting evidence would be nice.

- Nate Itkin
Re: Linux: concerns over systemd adoption and Debian's decision to switch
Often presented with an alternate spelling from those of us who had to live with it.

On Tue, Oct 21, 2014 at 01:44:17PM -0700, Eric Brunner-Williams wrote:
> >systemd is insanity.
>
> see also smit.
Re: Craigslist hacked?
Looking at San Diego. Suspecting an issue with Google DNS.

Google-->
dig @8.8.8.8 cities.l.craigslist.org. +short
74.63.219.135

My resolver-->
dig cities.l.craigslist.org. +short
208.82.238.226

Authoritative-->
dig @208.82.236.210 cities.l.craigslist.org. +short +norec
208.82.236.242

On Sun, Nov 23, 2014 at 10:59:35PM -0500, Brian Henson wrote:
> I'm seeing it resolve to 74.63.219.135 on my network and on
> http://whois.domaintools.com/craigslist.org
>
> On Sun, Nov 23, 2014 at 10:57 PM, Quinn Kuzmich wrote:
>
> > CoSprings list is coming up fine.
> >
> > On Sun, Nov 23, 2014 at 8:41 PM, Brian Henson wrote:
> >
> >> Is anyone else seeing their local craigslist redirected to another site
> >> other than craigslist? I see it loading http://digitalgangster.com/5um.
Re: Tightened DNS security question re: DNS amplification attacks.
On Tue, Jan 27, 2009 at 03:04:19PM -0500, Matthew Huff wrote:
> < ... snip ... >
> dns queries to the . hint file
> are still occurring and are not being denied by our servers. For example:
> 27-Jan-2009 15:00:22.963 queries: client 64.57.246.146#64176: view external-in: query: . IN NS +
> < ... snip ... >
> since you can't put a "allow-query { none; };" in a hint zone, what can I do
> to deny the query to the . zone file?

AFAIK, that's about the best you can do with the DNS configuration. You've mitigated the amplification value, so hopefully the perpetrator(s) will drop you.

If you're willing to keep up with the moving targets, the next level is an inbound packet filter. Add to your inbound ACL:
deny udp host 64.57.246.146 neq 53 any eq 53

Also on this topic: Coincident with this DNS DOS, I started seeing inbound PTR queries from various hosts on 10.0.0.0/8 (which are blackholed by my DNS servers). They receive no response, yet they persist. Anyone have thoughts on their part in the scheme?

Best wishes,
Nate Itkin
Re: Tightened DNS security question re: DNS amplification attacks.
On Wed, Jan 28, 2009 at 10:36:29AM +1100, Mark Andrews wrote:
> < ... snip ... >
> > deny udp host 64.57.246.146 neq 53 any eq 53
>
> Which pre-supposes that 64.57.246.146 is not emitting queries of
> its own.
> BCP 140 looked at this problem and concluded that sending
> REFUSED was the best general guidance that can be given.
> While BCP 140 applies to recursive servers, returning REFUSED
> to queries which are not within the namespace served by
> authoritative servers is entirely consistent with BCP 140.

Agree. Thank you for catching that. I should have elaborated that one must be very judicious about adding ACLs for the reasons you mentioned. One of the DOS victims had explicitly said not to expect queries from two of the recent targets, but yeah, not necessarily a good plan in the general case.

Best wishes,
Nate Itkin
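The two messages above turn on spotting out-of-zone queries (root NS/ANY) in a BIND query log and on Mark Andrews' point that the source address may be a spoofed victim, so a blanket ACL is risky. The following is an added example, not code from either poster: it parses constructed log lines in the 2009-era format quoted in the thread, counts out-of-zone queries per client (the candidates for a REFUSED answer per BCP 140), and separately lists queries arriving from RFC 1918 space like the 10/8 PTR queries Nate mentions. SERVED_ZONES and all addresses other than 64.57.246.146 are assumptions.

```python
import re, ipaddress
from collections import Counter

# Constructed sample BIND query-log lines; 64.57.246.146 is the source quoted in the thread.
SAMPLE_LOG = """\
27-Jan-2009 15:00:22.963 queries: client 64.57.246.146#64176: view external-in: query: . IN NS +
27-Jan-2009 15:00:22.971 queries: client 64.57.246.146#64176: view external-in: query: . IN NS +
27-Jan-2009 15:00:23.002 queries: client 64.57.246.146#64176: view external-in: query: . IN NS +
27-Jan-2009 15:00:23.110 queries: client 192.0.2.10#53001: view external-in: query: www.example.com IN A +
27-Jan-2009 15:00:23.220 queries: client 10.1.2.3#40000: view external-in: query: 5.4.3.2.in-addr.arpa IN PTR -
27-Jan-2009 15:00:24.001 queries: client 64.57.246.146#64176: view external-in: query: . IN ANY +
"""

LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): view (?P<view>\S+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)
SERVED_ZONES = ("example.com.",)  # hypothetical zones this authoritative server serves
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Parse one query-log line into a dict, or None if it is not a query line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    q = m.groupdict()
    if not q["qname"].endswith("."):
        q["qname"] += "."          # normalise to an absolute name; "." stays "."
    return q

def in_served_namespace(qname):
    return any(qname == z or qname.endswith("." + z) for z in SERVED_ZONES)

def find_reflection_sources(log_text, threshold=3):
    """Client IP -> count of out-of-zone queries (root NS/ANY are the classic
    amplifiers), for clients at or above threshold; answer these with REFUSED."""
    counts = Counter()
    for line in log_text.splitlines():
        q = parse_line(line)
        if q and not in_served_namespace(q["qname"]):
            counts[q["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def rfc1918_source_queries(log_text):
    """Queries from private space on the external view: unanswerable whatever the intent."""
    return [(q["ip"], q["qname"], q["qtype"]) for q in map(parse_line, log_text.splitlines())
            if q and any(ipaddress.ip_address(q["ip"]) in n for n in RFC1918)]
```

Note that the ACL in the thread drops 64.57.246.146 entirely, whereas this report only identifies the client; answering REFUSED keeps legitimate in-zone queries from the same address working.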
Re: Security Guideance
On Tue, Feb 23, 2010 at 02:46:54PM -0500, Paul Stewart wrote:
> The problem is that a user on this box appears to be launching high
> traffic DOS attacks from it towards other sites.

It's possible the user inadvertently enabled the same exploit after you rebuilt the system. I suggest caution with assigning culpability.

Nate Itkin
Re: FCC releases Internet speed test tool
On Fri, Mar 12, 2010 at 08:43:22AM -0500, Marshall Eubanks wrote:
> [ ... ]
> http://www.broadband.gov/

If you can't get there, check DNSSEC first. Lame server or bad signature:
Mar 12 08:57:57 mx1 named[18363]: no valid KEY resolving 'www.broadband.gov/A/IN': 192.104.54.4#53

I'll send e-mail to dns-admin-at-fcc.gov, but that's probably a black hole. If anyone has a contact at fcc.gov, please let them know.

Nate Itkin
Re: NTP clock source
On Thu, Mar 25, 2010 at 05:51:56AM -0700, Kyle Bader wrote:
> Can anyone recommend a solid clock source (stratum 0) that's not overly
> expensive?

The Endrun Technologies product worked well for me. After an initial set-up, it was maintenance free. I couldn't install a rooftop antenna so I needed the CDMA receiver.
http://www.endruntechnologies.com/network-time-server.htm

Nate Itkin