xample and *.com.example.com as "CNAME ." and ensuring
qname-wait-recurse is set to "no". (Probably best to look at your own
traffic with wireshark and identify the low hanging fruit.)
--
Fred Morris
___
dns-operations mailing list
dns
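An added illustration of the RPZ arrangement in the fragment above, written in BIND's named.conf and zone-file syntax; it is not Fred's configuration. The zone name rpz.local, the file path, the SOA/NS values and the second wildcard entry are assumptions; the fragment itself only shows *.com.example.com.

```conf
// named.conf, options or view scope (added example, not from the post)
response-policy {
    zone "rpz.local";
} qname-wait-recurse no;   // apply QNAME rules at once, without recursing first

zone "rpz.local" {
    type primary;           // "master" on older BIND 9 releases
    file "/etc/bind/rpz.local.db";
    allow-query { none; };  // policy data, not something to serve to clients
};

; /etc/bind/rpz.local.db (added example; zone name and SOA values assumed)
$TTL 300
@                   IN SOA  localhost. root.localhost. ( 1 3600 900 2592000 300 )
                    IN NS   localhost.
; "CNAME ." is the RPZ NXDOMAIN action: any name under these wildcards is
; answered NXDOMAIN locally and is never sent upstream.
*.com.example.com   IN CNAME .
*.net.example.com   IN CNAME .   ; assumed additional entry, same pattern
```

Check the files with named-checkconf and named-checkzone rpz.local /etc/bind/rpz.local.db, then query the resolver for something like mail.example.com.example.com: the status should be NXDOMAIN and, with qname-wait-recurse set to no, a capture on the upstream interface should show nothing leaving for that name. Note that a wildcard in a policy zone matches names strictly below it, so com.example.com itself is not covered.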
Qname minimization in relaxed mode intentionally triggers NXDOMAIN looking
for e.g. _.anything.example.com
On Thu, 15 Aug 2024, Florian Obser wrote:
It's not a competition but... we are answering 50% NXDOMAIN and that's
considered normal... It's also sad, but what can you do...
-checklist.html
--
Fred Morris
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
ng" solution is
Dnstap.
My admittedly cynical response to the question posed here is that the most
common server software is probably a lightweight forwarder (e.g. dnsmasq)
or something which only coincidentally does DNS (e.g. Active Directory).
--
Fred Morris, internet plumber
On Fri, 22 Sep 2023, Joe Abley wrote:
On 22 Sep 2023 at 16:26, Grant Taylor wrote:
I have long viewed operational, or better accurate, reverse DNS as an
indication that a network cares enough to set up lesser valued
services.
Me too, actually. I don't personally t
d DNS together I have
what amounts to a federated / distributed SIEM and a menagerie of mostly
command line tools for querying it. I have an irreverent white paper and
a rough cut two minute video covering all of this.
I am open to being part of any conversation about making these mappings
visib
itorializing deleted.)
--
Fred Morris
--
# dig cloudflare-dns.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35599
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 7
;; QUESTION SECTION:
;cloudflare-dns.com. IN A
;; ANSWER SECTION:
cloudflar
er it wants, it just needs to expect the (actual)
server as the first argument and return something to be added as a
dictionary value.
--
Fred Morris
e
directly as I think this is already tangential to the purpose of this list.
Thank you for understanding...
--
Fred Morris
--
(Are you still reading?)
I'm basically using PTR records like CNAME, but with the semantics "try
all of these". The normal semantics of DNS resolut
disappeared before I could definitely pin it on nscd.)
--
Fred Morris
On Sun, 17 Jul 2022, Fred Morris wrote:
This is probably not a good idea. I've noticed issues resolving stuff
served by them recently, but never put it together.
The thing that finally caught my attention was that e.g.
#
and there is NO TRAFFIC after the DNS lookup.
--
Fred Morris, internet plumber
--
# dig careers-nv5.icims.com
; <<>> DiG 9.12.3-P1 <<>> careers-nv5.icims.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, stat
the internet will be e.g. BIND, Knot, Unbound
(and it will forward to the service for that zone). I'm viewing that as
similar to a WAF. It's read only, it has no ability to write data. It
will serve TXT records. [0]
What's BCP? Thanks in advance...
--
Fred Morris
--
[0] I'm goi
and we haven't solved the resource
naming problem for what it is: why isn't "mail" or "www" unambiguous? What
about "here"? Isn't that really "mail [for here]"?
* Why don't we use the DNS to solve search lists?
I will sit back and wat
cs_Useless.md
The actual "shape of things" is obviously going to depend on what the
network is utilized for. Is anybody else looking at this?
Thanks in advance...
--
Fred Morris
their being, want it to be so, to be useful.
No moral to the story, just that there's a story to PTR records.
--
Fred Morris
--
[0] The DNS protocol allows multiple rvalues per type per oname. This
works ok for e.g. A/, is disallowed for CNAME, and is... I'm not sure
what it is
i.e. works with
BIND); works with IPv6.
https://github.com/m3047/rear_view_rpz
Thanks...
--
Fred Morris
quot;whois privacy" toggle which
toggles but doesn't do anything.
I've fallen back to TXT records; why the heck not, they're overloaded for
a bunch of "prove you love me" epics already.
--
Fred Morris
ctors for fstrm/protobuf (part of the
project, reusable) and DNS (pythondns):
https://github.com/m3047/shodohflo/blob/master/examples/dnstap2json.py
--
Fred Morris
r is the /fix/ the original (apache) behavior
was much worse. Firefox just does what it wants to do.
Interior periods are tried “as is” first then with the search list.
Dotless names are tried with the search list then as is.
Browser fetish for "search and URL in the same box"
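An added example, not code from this post or the RPZ post above: the stub-resolver qualification order just described (glibc-style ndots rule, default ndots=1), plus an RPZ-style wildcard check that shows which of the resulting candidate names a local "CNAME ." rule such as *.com.example.com would answer without going upstream. SEARCH, RULES and the query names are constructed values.

```python
# Added example, not code from either post: the stub-resolver name
# qualification order described above (glibc-style "ndots" rule, default
# ndots=1) and an RPZ-style wildcard check showing which of the resulting
# candidates a local NXDOMAIN rule would answer without going upstream.
# SEARCH, RULES and the query names are constructed values.

def candidates(name, search, ndots=1):
    """Return the names a stub resolver tries for `name`, in order.

    - a name ending in "." is absolute and is tried exactly once;
    - a name with at least `ndots` dots is tried as-is first, then with
      each search suffix (those are only reached if the earlier tries fail);
    - a name with fewer dots (a dotless name at ndots=1) is tried with
      the search list first and as-is last.
    """
    if name.endswith("."):
        return [name]
    absolute = name + "."
    qualified = [name + "." + suffix.strip(".") + "." for suffix in search]
    if name.count(".") >= ndots:
        return [absolute] + qualified
    return qualified + [absolute]


def rpz_wildcard_matches(pattern, qname):
    """RPZ QNAME wildcard semantics: "*.com.example.com" matches every name
    strictly below com.example.com, never com.example.com itself."""
    if not pattern.startswith("*."):
        raise ValueError("only wildcard patterns are handled here")
    suffix = "." + pattern[2:].strip(".") + "."
    return (qname.strip(".") + ".").endswith(suffix)


def plan(name, search, rules, ndots=1):
    """Tag each candidate with where it is answered: "rpz" (NXDOMAIN
    synthesised locally by a wildcard rule) or "upstream" (sent out)."""
    result = []
    for cand in candidates(name, search, ndots):
        local = any(rpz_wildcard_matches(rule, cand) for rule in rules)
        result.append((cand, "rpz" if local else "upstream"))
    return result


SEARCH = ["corp.example.com", "example.com"]             # constructed
RULES = ["*.com.example.com", "*.com.corp.example.com"]  # constructed

if __name__ == "__main__":
    for q in ("www", "mail.example.com", "mail.example.com."):
        print(q, "->", plan(q, SEARCH, RULES))
```

Two things fall out of running it: the search-list forms of an interior-dot name (mail.example.com.corp.example.com., mail.example.com.example.com.) are exactly the junk a *.com.<suffix> rule swallows, while the candidates for a dotless name end with the bare "www.", a single-label query that goes all the way to the root unless something local stops it.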
ragments") isn't received then TC=1 is
never recognized (because the response is never recognized) and TCP is
never tried.
--
Fred Morris
done with
the discussion now.
On Tue, 25 Aug 2020, Jim Reid wrote:
On 25 Aug 2020, at 03:30, Fred Morris wrote:
I think the question has to be: why would someone be joining this chat channel
and who would they be?
[...]
There’s no justification for this outburst o
Clearly anything can be misunderstood, and I've been around technology
long enough to know that technology choices are hardly rational all of the
time.
On Tue, 25 Aug 2020, Jim Reid wrote:
On 25 Aug 2020, at 03:30, Fred Morris wrote:
I think the question has to be: why would someo
quot;disruption" a.k.a. "market dominance".
OARC, you keep on being your bad selves.
On Mon, 24 Aug 2020, Doug Barton wrote:
[...] Slack comes immediately to mind, but it's far
from the only commonly used platform at the moment.
--
Fred Morris
ically the resolver protocol is unchanged since the 1980s. I think some
further thinking should be done!
--
Fred Morris
.cisco *cough* .belkin... no it's not COVID, I
seem to have some DNS caught in my throat...)
--
Fred Morris
(your legitimate
source address when you reply).
--
Fred Morris
Depends on what you mean. You might look at "response rate limiting" in
for instance BIND. -- FWM
On Thu, 2 Apr 2020, Tessa Plum wrote:
May I ask if there are any solutions for DDoS mitigation of DNS?
Both commercial or free solutions could be considered.
so
increasingly impractical as to obviate consideration?
Should local resolvers reject attempts to resolve single labels as TLDs
unless RD=0?
I apologize, none of this is fully baked, but the debate doesn't seem to
be encompassing the entirety of the system.
--
Fred Morris
understand the scope of this problem, by the
way.)
Running your own caching resolver and dumping the cache and looking for
stuff is also occasionally advisable; I suspect most of the people on this
list would know this.
--
Fred Morris
On Mon, 25 Nov 2019, Florian Weimer wrote:
Is it
ing perspective, Apache does treat them the same.)
--
Fred Morris
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
in what
they accept?
* If popular clients are getting this wrong... and nobody is noticing... is it
time to retire the notion of FQDNs?
--
Fred Morris
On Saturday 06 June 2015 09:56, Fred Morris wrote:
> [...]
> Thoughts? Comments? Worth reporting?
Somebody thought so. ;-) Bug 58007 has been filed.
--
Fred Morris
You get 400 Bad Request.
Thoughts? Comments? Worth reporting?
--
Fred Morris
ople... the
implications, regardless of if they're going to do it or not.
--
Fred Morris
On Wed, 15 Apr 2015, Patrik Fältström wrote:
> Part of this discussions is though the difference between registration
> [...] and the delegation [...]
>
> I see personally quite a number of registries that are nervous about XFR
> (or release of the zone in one way or another) are the same
he internet, you really ought to monitor it.)
If we really want to "step up" a rung or two on the operations and
security ladder, communication needs to improve.
--
Fred Morris
can mean they go to a different server.
So so true. You can use it in some vague way to fingerprint anycast
DNS services. DAMHIK!
--
Fred Morris
ameservers, iff it has nothing whatsoever in cache.
If overwhelming cache was a key consideration, one would think that this
would be surfaced in testing. I haven't looked over on the BIND lists.
--
Fred Morris
--
[Edited for brevity. brian* are names which are not explicitly defined for
the z
have to talk to my employer about that.)
--
Fred Morris
On Wed, 28 Jan 2015, Paul Hoffman wrote:
> Are there any Route 53 people on this list? If so, this should be fixed ASAP.
I'm not sure that this is a Route 53 issue, I was trying to run my own DNS
(for "other" purposes). I would characterize it as a tragically uninspired
UX
I just noticed that when configuring firewall rules for an AWS instance,
if "DNS" is chosen then the (only) protocol automagically filled in is
UDP.
To get TCP, you have to create a custom TCP rule.
When you save, the UDP one gets saved as "DNS", the TCP one stays "cu
Is the historic NIC handle DB available anywhere online for search?
--
Fred Morris, FWM6
On Fri, 28 Nov 2014, Mark Andrews wrote:
> Sorting and hashing a zone
... is not mathematically necessary. As a simple counterexample, XOR is
commutative and associative: it doesn't matter the order you XOR multiple
blocks in. Not saying XOR is the One True Way, just that implementation
details li
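An added example, not code from Mark Andrews's or Fred's message: an order-independent zone digest built by hashing each RR on its own and XOR-ing the per-RR hashes, so the zone never has to be sorted, placed next to the sort-then-hash digest for comparison. It also shows the catch the fragment hints at: XOR cancels, so a record listed an even number of times disappears from the digest. ZONE is constructed sample data.

```python
# Added example (not code from either post): an order-independent zone
# digest built by hashing each RR separately and XOR-ing the results, next
# to the conventional sort-then-hash digest. ZONE is constructed data.
import hashlib


def _canon(rr):
    """Presentation-format RR with whitespace collapsed and case folded."""
    return " ".join(rr.split()).lower()


def rr_hash(rr):
    """SHA-256 of one canonicalised RR, as an int so it can be XOR-ed."""
    return int.from_bytes(hashlib.sha256(_canon(rr).encode()).digest(), "big")


def xor_zone_digest(rrs):
    """XOR is commutative and associative, so any RR order gives the same value."""
    digest = 0
    for rr in rrs:
        digest ^= rr_hash(rr)
    return digest


def sorted_zone_digest(rrs):
    """The conventional approach: sort the canonical RRs, then hash the whole."""
    body = "\n".join(sorted(_canon(rr) for rr in rrs)).encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big")


ZONE = [  # constructed sample zone
    "example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
    "2024010101 7200 900 1209600 3600",
    "example.com. 3600 IN NS ns1.example.com.",
    "example.com. 3600 IN NS ns2.example.com.",
    "www.example.com. 300 IN A 192.0.2.10",
    "www.example.com. 300 IN AAAA 2001:db8::10",
]


def order_independent(rrs):
    """True if reversing the RR order leaves the XOR digest unchanged."""
    return xor_zone_digest(rrs) == xor_zone_digest(list(reversed(rrs)))


def xor_cancellation(rrs):
    """x ^ x == 0: a zone with its first RR listed twice gets the same XOR
    digest as the zone with that RR missing, while the sorted digest differs.
    Returns (xor_collides, sorted_collides)."""
    duplicated = rrs + [rrs[0]]
    missing = rrs[1:]
    return (xor_zone_digest(duplicated) == xor_zone_digest(missing),
            sorted_zone_digest(duplicated) == sorted_zone_digest(missing))


if __name__ == "__main__":
    print("order independent:", order_independent(ZONE))
    print("(xor collides, sorted collides):", xor_cancellation(ZONE))
```

The duplicate case is the mild version of the problem: because XOR is linear, an attacker who can add records to a zone can aim for a chosen digest with a generalized-birthday (Wagner k-tree) search over candidate records, far below the cost of a preimage on the per-record hash. Order independence is cheap to get this way, but if the digest is meant to resist forgery rather than just detect accidental drift, the combining step needs to be something other than plain XOR.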
ative resolvers yourself. But really, I would expect that if the
roots/TLDs were overloaded people would route around the damage as they
are wont to do, probably by running caching resolvers.
--
Fred Morris
The grain of sand that causes this pearl is that TLDs won't just publish the
CNAME without delegation.
That is all...
--
Fred Morris
ertain?
Are you really sure that the DNS is what is obstreperously impeding your
happy path?
--
Fred Morris
if valid, was
provided for a reason and in spite of the presumed knowledge that it might
be misused. Or don't collect the info, and I don't care what ICANN tells
you (see how far that gets you).
That race to the bottom might turn out to be to the bilges of
esolution.
No offense intended, but thanks for the laugh! Try setting up an RPZ with
a dozen or so of the most common third-party "content providers", and tell
me about your page load performance!
--
Fred Morris, internet plumber
eting and planning for extra credit.
--
Fred Morris
On Thu, 17 Oct 2013, Paul Vixie wrote:
> Fred Morris wrote:
> > On Thu, 17 Oct 2013, Jared Mauch wrote:
> >> Most of these "advanced" DNS things like RRL, RPZ and others aren't for
> >> the faint of heart. Most people don't watch/monitor logs li
he 2 IT bods would
continue to argue for outsourcing; however there might be others within
the organization with other concerns or objectives arguing otherwise.
Let me add that rationally speaking IT is not likely to be a core
competency in an organization where the IT resourcing is at a 1:
or have the work cycles to do so). If
I was one of the 2 IT bods, I'd be telling my employer to keep
outsourcing. Depending on the line of work though, somebody else in the
organization could very well be lobbying for the opposite, with specific
concerns in mind.
--
Fred Morris
le not on this list. ;-)
--
Fred Morris
that you wouldn't/shouldn't have appropriate traffic
monitoring/etc. in place between the server and the rest of the
internet.
Agree/disagree, but there it is...
--
Fred Morris
hat" data scientists?)
If we know that spoofed port queries are traversing peering points, then
we know the networks they're coming from. If we don't know that, then see
above; if we can't shame them, see "Maginot Line".
--
Fred Morris
rver, couldn't they? Or anything else.
Point is, since they spoof source addresses, they can spoof source
addresses; it's not even a tautology, it's identity.
They're doing it for the amplification.
--
Fred Morris
maybe
they need to place a caching resolver in front of their box. ;-) Of course
if these are ANSWER=0 responses maybe the caching resolver isn't caching
the responses...
--
Fred Morris
st of domains that Mozilla won't allow
cookies to be set for.
--
Fred Morris
On Fri, 14 Dec 2012, Fred Morris wrote:
> dig `rm -rf *`.m3047.net
Although I assume that the subscribers to this list are skilled enough
practitioners to realize (or at least suspect) dangers lurk here, this
list is archived.
So therefore let me state that I suggest that the unwary rea
e a good idea for
a hostname, and therefore delegating zones should not contain non-hostname
labels in their FQDNs.
However the Domain Name System per se imposes no such restrictions on
labels.
Kazakhstan issued domain names starting with a dash for a limited period
of time
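An added example, not code from either of the two messages above: the distinction between what the DNS itself accepts as a label and what is a legal hostname label, and why the dig `rm -rf *`.m3047.net line is a shell hazard before it is a DNS one. The sample labels are constructed, example.com replaces the real domain, and "echo" stands in for dig so the block runs offline.

```python
# Added example, not code from either post: what the DNS accepts as a label
# versus what is a legal hostname label, and why backticks on a dig command
# line are a shell problem before they are a DNS one. Sample names are
# constructed; "echo" stands in for dig so the block runs offline.
import re
import subprocess

# RFC 952/1123 "LDH" hostname label: letters, digits, hyphen, no hyphen at either end.
_HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def dns_label_ok(label):
    """RFC 1035 wire rules only: 1 to 63 octets, any octet value at all."""
    return 1 <= len(label.encode("utf-8")) <= 63


def hostname_label_ok(label):
    return _HOSTNAME_LABEL.match(label) is not None


def classify(label):
    """'invalid' (not even a DNS label), 'dns-only' (the DNS carries it but a
    host may not use it), or 'hostname'."""
    if not dns_label_ok(label):
        return "invalid"
    return "hostname" if hostname_label_ok(label) else "dns-only"


def lookup_argv(name):
    """Safe: argv list, no shell; the name reaches the program verbatim."""
    return subprocess.run(["echo", name], capture_output=True, text=True).stdout.strip()


def lookup_shell(name):
    """Unsafe: the line goes through /bin/sh, where backticks are command
    substitution and run before the lookup tool ever sees a name."""
    return subprocess.run("echo " + name, shell=True,
                          capture_output=True, text=True).stdout.strip()


NAME = "`echo pwned`.example.com"   # constructed; the post used rm -rf *

if __name__ == "__main__":
    for lab in ("www", "-kz", "_dmarc", "rm -rf *", "a" * 64):
        print(repr(lab), classify(lab))
    print(lookup_argv(NAME))   # prints the backtick string literally
    print(lookup_shell(NAME))  # prints pwned.example.com
```

The leading-dash label and the underscore label are both things the DNS will happily carry, which is the point of the second message: the hostname rules live in the applications, not in the protocol. The lookup_shell path is the point of the first: nothing in the argument was ever a DNS name by the time the shell finished with it.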
at appropriately paranoid (you're not paranoid if they really
are out to get you) nameserver implementations these days won't use what's
in the additional section here because it's out of bailiwick.
Are you using some specific resolver which does?
--
Fred Morris
On Fri, 9 Nov 2012, Fred Morris wrote:
> demeter:~ demeter$ dig co.pierce.wa.us +trace
...
> us. 172800 IN NS b.cctld.us.
> us. 172800 IN NS a.cctld.us.
> us. 172800 IN NS c.cc
demeter:~ demeter$ dig co.pierce.wa.us +trace
; <<>> DiG 9.6-ESV-R4-P3 <<>> co.pierce.wa.us +trace
;; global options: +cmd
. 32005 IN NS k.root-servers.net.
. 32005 IN NS l.root-servers.net.
. 32005 IN
owhere.
More likely, practically speaking, it will be decided by whatever search
engine has a deal with the makers of their web browser. Where mail goes
may be entirely somewhere... entirely different.
So this is not a DNS question at all.
I dunno, I guess I don't go to enough meetings
ess blaggers. They'll have
to market a rightside dot, of course.
--
Fred Morris
NS c.root-servers.net.
. 283 IN NS a.root-servers.net.
. 283 IN NS k.root-servers.net.
I don't see "root" in there anywhere. What I see is ".".
http://www.google.com./ works fine for me. ;-)
--
On Wed, 12 Sep 2012, David Conrad wrote:
> If I'm interpreting this correctly (i.e., "CNAME at zone apex"),
Yes. One of the common things people do is to configure their nameservers
with that very CNAME. Why should they go to that trouble (to do it wrong,
at that), why can't the delegator just do
efinition of "ok" than many of us; and by the time the question gets put
to us, the querent's definition of "ok" is lost (particularly what they
want or don't want done).
Also following from lemmas 1 and 2: The registries could obviate the
need for most of this charade b
ught it was too silly to mention. But
seeing the cast of actors I thought I'd toss my hat in the ring.
--
Fred Morris, internet plumber
on in most
people's brains: they just cannot accept that the internet is run by
corporations, by other corporations, for corporations.
We won't get rational thinking concerning social impacts at level nine of
the OSI model until people accept this... IMO.
--
Fred Morris