In message <201206130045.q5d0joit078...@aurora.sol.net>, Joe Greco writes:
> >
> >
> > In message <201206122327.q5cnru5s077...@aurora.sol.net>, Joe Greco writes:
> > > > In message , Tony Finch writes:
> > > > > Mark Andrews wrote:
> > > > > >
> > > > > > Perhaps because it i
>
>
> In message <201206122327.q5cnru5s077...@aurora.sol.net>, Joe Greco writes:
> > > In message , Tony Finch writes:
> > > > Mark Andrews wrote:
> > > > >
> > > > > Perhaps because it is a legitimate, though unwise, client source port
> > > > > that is in lots of old configu
In message <201206122327.q5cnru5s077...@aurora.sol.net>, Joe Greco writes:
> > In message , Tony Finch writes:
> > > Mark Andrews wrote:
> > > >
> > > > Perhaps because it is a legitimate, though unwise, client source port
> > > > that is in lots of old configurations.
> > > >
> > > >
> In message , Tony Finch writes:
> > Mark Andrews wrote:
> > >
> > > Perhaps because it is a legitimate, though unwise, client source port
> > > that is in lots of old configurations.
> > >
> > > listen-on { ; };
> > > query-source * port 53;
> >
> > I did this back in the 1990s becaus
In message , Tony Finch writes:
> Mark Andrews wrote:
> >
> > Perhaps because it is a legitimate, though unwise, client source port
> > that is in lots of old configurations.
> >
> > listen-on { ; };
> > query-source * port 53;
>
> I did this back in the 1990s because it worked around o
On 6/12/2012 12:34 PM, Edward Lewis wrote:
> At 14:18 + 6/10/12, Paul Vixie wrote:
>
>> thinking about or acting against ANY is bad infosec economics.
>
> This I agree with. Here are some of my knee-jerk, anti-filtering
> thoughts:
>
> 1 - DNS providers are paid to answer questions, not drop t
On 6/12/2012 8:13 PM, Florian Weimer wrote:
> * Paul Vixie:
>
>> Vernon Schryver and Paul Vixie have been working on DNS Response Rate
>> Limiting (DNS RRL) as a patch set to BIND9 (9.9.1-P1 or 9.8.3-P1) and we
>> are ready for broader external testing.
> It seems rather straightforward to force re
* Paul Vixie:
> Vernon Schryver and Paul Vixie have been working on DNS Response Rate
> Limiting (DNS RRL) as a patch set to BIND9 (9.9.1-P1 or 9.8.3-P1) and we
> are ready for broader external testing.
It seems rather straightforward to force recursive resolvers to hit
the rate limit. Why isn't
On Jun 10, 2012, at 23:59, Kyle Creyts wrote:
> On Sun, Jun 10, 2012 at 2:33 PM, Paul Vixie wrote:
>>> I'm afraid we may need more control. If my clients are generating a DDoS
>>> attack at 20 responses per second, and I limit this to 5 per second -
>>> the C&C can get the same effect by mobilizi
On Jun 12, 2012, at 14:46, Stephane Bortzmeyer wrote:
> On Sun, Jun 10, 2012 at 01:25:06PM +0200,
> DTNX Postmaster wrote
> a message of 37 lines which said:
>
>> Google is known to be obsessed with latency, for example, so I
>> wouldn't be surprised if they deliberately request ANY and then par
> From: sth...@nethelp.no
> I have several gigabytes of pcap from *my* DNS clients indicating that
> for the majority of clients this is *not* the case. Source port is
> generally >= 1024 and seems pretty randomized (without having done any
> deeper analysis of this). A small minority of clients a
{warning to self: sliding off topic}
On Tue, Jun 12, 2012 at 02:46:12PM +, Vernon Schryver wrote:
> Besides, local DNSSEC validating, regardless of ISP port 53 blocks,
> is the fix for those concerns.
not really. It helps "mitigate" lies, but does not reinstantiate
access to helpfully suppr
Edward Lewis wrote:
> We've collectively known about Dan Bernstein's use of t=ANY for a decade
> and we know he's reluctant to listen to calls for change nor make the
> change.
It's a bit unfair to blame DJB for bugs in software he abandoned 14 years
ago and which is now maintained by other peop
On Jun 12, 2012, at 11:42 AM, Vernon Schryver wrote:
>> From: Tony Finch
>
>>> Yes, how is BCP 38 deployment going?
>>
>> Someone on NANOG recently mentioned http://spoofer.csail.mit.edu/
>
> http://rbeverly.net/research/papers/spoofer-imc09.html
> and the last slides in
> http://rbeverly.net
At 14:18 + 6/10/12, Paul Vixie wrote:
thinking about or acting against ANY is bad infosec economics.
This I agree with. Here are some of my knee-jerk, anti-filtering thoughts:
1 - DNS providers are paid to answer questions, not drop traffic.
2 - Rate limits that are not managed eventuall
> People have been repeating the "DNS clients send from port 53" claim
> for almost as long as others talking about blocking port 25. Is
> it valid for consumer ISP customers? I bet not, but I don't know.
I have several gigabytes of pcap from *my* DNS clients indicating that
for the majority of
> From: Tony Finch
> > Yes, how is BCP 38 deployment going?
>
> Someone on NANOG recently mentioned http://spoofer.csail.mit.edu/
http://rbeverly.net/research/papers/spoofer-imc09.html
and the last slides in
http://rbeverly.net/research/papers/spoofer-imc09-presentation.pdf
suggest that relying
On 6/12/2012 10:16 AM, Vernon Schryver wrote:
From: Ken A
To: dns-operati...@mail.dns-oarc.net
On an authoritative + recursive server, instead of a separate view, we use:
acl "trusted" { x.x.x.x/z; };
allow-recursion { trusted; };
Is there any way to apply this patch so that it does not affe
> From: Ken A
> To: dns-operati...@mail.dns-oarc.net
> On an authoritative + recursive server, instead of a separate view, we use:
> acl "trusted" { x.x.x.x/z; };
> allow-recursion { trusted; };
>
> Is there any way to apply this patch so that it does not affect a
> specific acl, such as "trusted
Vernon Schryver wrote:
>
> Yes, how is BCP 38 deployment going?
Someone on NANOG recently mentioned http://spoofer.csail.mit.edu/
Tony.
--
f.anthony.n.finch  http://dotat.at/
Biscay: West or northwest 4 or 5, occasionally 3 later. Moderate. Thundery
showers. Good.
I don't really think that is the ISPs business to 'correct' 'unwise'
behaviour on the part of equipment. The devil is in the details. What
does an ISP mean by 'correct' or what is 'unwise' ?
Whatever filtering you can currently seem a 'good idea' quickly becomes
abused, misunderstood and applied l
On Jun 12, 2012, at 4:14 AM, Stephane Bortzmeyer wrote:
> On Tue, Jun 12, 2012 at 03:32:56AM +,
> Vernon Schryver wrote
> a message of 76 lines which said:
>
>> Joe and Joan should be using their ISP's validating, load balancing,
>> well (or at least somewhat) maintained DNS servers, just
On 2012-06-12 2:33 PM, Ken A wrote:
>
> On an authoritative + recursive server, instead of a separate view, we
> use:
> acl "trusted" { x.x.x.x/z; };
> allow-recursion { trusted; };
>
> Is there any way to apply this patch so that it does not affect a
> specific acl, such as "trusted" addresses?
no
> From: Nicholas Suan
> However since 53/udp is stateless, and 25/tcp is not, you cast a much
> wider net blocking port 53 inbound than you do with port 25. At least with
> port 25 you can look at the tcp flags and recognize this is a new connection
> without keeping connection state.
Either I d
On an authoritative + recursive server, instead of a separate view, we use:
acl "trusted" { x.x.x.x/z; };
allow-recursion { trusted; };
Is there any way to apply this patch so that it does not affect a
specific acl, such as "trusted" addresses?
Or, is it recommended/required that we configure
On Sun, Jun 10, 2012 at 01:25:06PM +0200,
DTNX Postmaster wrote
a message of 37 lines which said:
> Google is known to be obsessed with latency, for example, so I
> wouldn't be surprised if they deliberately request ANY and then parse
> and cache the results for a multitude of uses.
But that's
Mark Andrews wrote:
>
> Perhaps because it is a legitimate, though unwise, client source port
> that is in lots of old configurations.
>
> listen-on { ; };
> query-source * port 53;
I did this back in the 1990s because it worked around occasional interop
problems, I think caused by ov
On 06/12/2012 05:32 AM, Vernon Schryver wrote:
> Joe and Joan should be using their ISP's validating, load balancing,
> well (or at least somewhat) maintained DNS servers, just as they should
> be using their ISP's SMTP systems.
> Just as Apple, Adobe, Google, Microsoft, and Mozilla are now insta
On Tue, Jun 12, 2012 at 03:32:56AM +,
Vernon Schryver wrote
a message of 76 lines which said:
> Joe and Joan should be using their ISP's validating, load balancing,
> well (or at least somewhat) maintained DNS servers, just as they
> should be using their ISP's SMTP systems.
A strong NO h
On Jun 12, 2012, at 1:44 PM, Peter Koch wrote:
> Are we sure the problem is only with the CPEs?
It most definitely is not.
The *real* problem is, to beat the dead horse yet again, lack of anti-spoofing
deployment at the access edge. The rest of this discussion is tactical.
--