Yes.
I'm just logging them for now, found in web logs while verifying something else
- so many side quests
Sent via RFC1925 compliant device
> On Feb 28, 2025, at 12:36 PM, John Levine wrote:
>
> It appears that Jared Mauch said:
>>
>> I was working on somethin
ags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;rr2---sn-oguelnsz.googlevideo.com. IN A
;; ADDITIONAL SECTION:
;; OPT PSEUDOSECTION
; EDNS: version: 0, flags: ; udp: 2048
--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
cl
welcome.
https://github.com/jaredmauch/pdig-dns-tool
it will chase CNAMEs as well and example output is on the page.
- Jared
--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only
YuKXuvdThQ==
;; Received 346 bytes from 199.33.233.1#53(d.ns.gov) in 3 ms
;; Received 73 bytes from 198.246.125.10#53(ns3.cdc.gov) in 27 ms
This does obviously point to where the issue is, there is a right way to
do the CNAME etc, if nobody resolves it soon I'll try to push it
through
> On Mar 3, 2024, at 12:26 PM, Fred Morris wrote:
>
> Speaking to the message not the (ChetGPT) "massage"...
>
> On Sun, 3 Mar 2024, Turritopsis Dohrnii Teo En Ming wrote:
>> [...]
>> I define most popular as the largest number of DNS server installed
>> throughout the whole world.
>
> I thi
More of a routing thing than DNS - but this type of view from the outside in is
really helpful to detect by providers feeding RIPE RIS or route views so there
are better external views into networks.
This is an area where I want to expand and improve coverage after things like
the silent and h
Often folks will use TXT with a low TTL and use a specific label path to
perform this function.
Sent via RFC1925 compliant device
> On Jun 15, 2023, at 4:22 PM, Fred Morris wrote:
>
> Hello,
>
> I'm using DNS to retrieve some distributed telemetry data from multiple
> servers. To facilitate
from what source IP?
> On Feb 3, 2020, at 3:02 PM, SM wrote:
>
> Hello,
>
> c.root-servers.net (2001:500:2::c) is not responding to queries over IPv6 [1].
>
> Regards,
> -sm
>
> 1. The error from DNSViz is "arpa zone: The server(s) were not responsive to
> queries over UDP. (2001:500:2::c)"
While I would not recommend this generally there are a few of us that operate
free secondary services that are dual stacked. Make sure one NS is dual stacked
and you are likely fine.
Sent from my iCar
> On Dec 31, 2019, at 4:47 AM, Shane Kerr wrote:
>
> Stephane and all,
>
>> On 30/12/2019
> On Nov 27, 2019, at 5:26 PM, Florian Weimer wrote:
>
> What's the change rate for the root zone? If there is a full
> transition of the name server addresses for a zone, how long does it
> typically take from the first change to the completion of the sequence
> of changes?
There are regula
> On Oct 16, 2019, at 7:41 AM, Paul Vixie wrote:
>
> hurricane and cogent are also businesses, each having employees and investors
> and customers. they are each doing what makes sense to them. this is not a
> "peering war" by any stretch of the vocabulary. cogent does not have a
> complete
On Thu, Oct 10, 2019 at 01:56:11PM -0700, Randy Bush wrote:
> >> Neither Cogent or HE buy transit from anybody else
>
> i believe this statement to be false
i know of at least 2 transit providers..
- jared
--
Jared Mauch | pgp key available via
>
> >
> >_______
> >dns-operations mailing list
> >dns-operations@lists.dns-oarc.net
> >https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> >dns-jobs mailing list
> >https://lists.dns-oarc.net/mailman/listinf
> On Mar 9, 2015, at 10:54 AM, Tony Finch wrote:
>
> D. J. Bernstein wrote:
>
>> My "qmail" software is very widely deployed (on roughly 1 million SMTP
>> server IP addresses) and, by default, relies upon ANY queries in a way
>> that is guaranteed to work by the mandatory DNS standards.
>
> T
> On Mar 6, 2015, at 11:02 AM, Olafur Gudmundsson wrote:
>
>>
>> On Mar 6, 2015, at 10:48 AM, Casey Deccio wrote:
>>
>> On Fri, Mar 6, 2015 at 10:05 AM, Olafur Gudmundsson wrote:
>>
>> We will be depreciating support for ANY queries and return NOTIMP in the
>> near future
>> https://blog.
Sadly, there are devices such as the most recent Netgear routers and firmware
that block TCP queries as well in the most horrific way, e.g.:
https://www.cloudshark.org/captures/273da18d3057
- Jared
> On Jan 28, 2015, at 3:45 PM, Warren Kumari wrote:
>
> On Wed, Jan 28, 2015 at 2:28 PM, Fred
> On Nov 27, 2014, at 9:27 AM, bert hubert wrote:
>
> On Wed, Nov 26, 2014 at 12:37:57PM -0500, Jared Mauch wrote:
>> Is there some specific configuration magic that I’m missing to make bind
>> listen to TCPv6 sockets?
>
> I do realize that in many places DNS a
> On Nov 26, 2014, at 8:25 PM, Mark Andrews wrote:
>
> There are some OS where named can't enumerate the IPv6 interfaces
> usually due to stupid OS hacks which means the listen-on-v6 ACL
> above has nothing to match against. What was wrong with providing
> this information via the socket interf
If someone wanted to dispose of that volume of requests they could get
assistance if they asked the right people.
Jared Mauch
> On Nov 26, 2014, at 7:12 PM, Robert Edmonds wrote:
>
> Warren Kumari wrote:
>> This thingie has many aspects that look a bunch like AS112 -- I'
> On Nov 26, 2014, at 3:48 PM, Niall O'Reilly wrote:
>
> At Wed, 26 Nov 2014 12:37:57 -0500,
> Jared Mauch wrote:
>>
>> Is there some specific configuration magic that I’m missing to make
>> bind listen to TCPv6 sockets?
>
> [...]
>
>> My
> On Nov 26, 2014, at 10:13 AM, Paul Wouters wrote:
>
> http://tools.ietf.org/html/rfc6598 defines 100.64.0.0/10
>
> Packets with Shared Address Space source or destination addresses
> MUST NOT be forwarded across Service Provider boundaries. Service
> Providers MUST filter such packets
Is there some specific configuration magic that I’m missing to make bind listen
to TCPv6 sockets?
Looking at what it’s doing via lsof it seems to not be listening to v6/tcp:
named 909 named 20u IPv4 24571 0t0 TCP
204.42.254.5:domain (LISTEN)
named 909 named 21
We have such an IP address in our backbone but don't publish it. I suppose
someone could ask for an allocation for this purpose from a local RIR and this
could be done for that whole range.
Jared Mauch
> On Nov 26, 2014, at 9:25 AM, Stephane Bortzmeyer wrote:
>
> I'm tr
> On Oct 11, 2014, at 5:00 PM, Davey Song wrote:
>
> IPv6 MTU is specified larger than IPv4. But the implementation like firewall
> or other mid-box may not follow the specification. It needs test in
> large-scaled network.
>
I am completely in favor of breaking people who are not standard
> On Oct 10, 2014, at 2:54 PM, Hugo Salgado wrote:
>
>
> On 10/10/2014 03:24 PM, Roland Dobbins wrote:
>>
>> On Oct 11, 2014, at 1:07 AM, Mohamed Lrhazi
>> wrote:
>>
>>> The appliance vendor, Google, tells me that edns0 opt code 20732 must be
>>> "the service name", whatever that means
folk, and have huge respect for
> them - they did, IMO, a good job.
The really fun part (for me) is that depending on the OS you can ping
127.0.53.53. (eg: Linux, Yes, MacOS, No). Linux will also give you
Connection refused for TCP connections.
- Jared
--
Jared Mauch
i have been playing with what i call my 'fast dns query' tool for just over a
year but recently made it more user-friendly (not by much).
This lets you drop in a list of (IPv4) addresses and send out the same DNS
query to all of them and post-process the results.
Is this something the community
On Jul 2, 2014, at 9:56 AM, Stefan wrote:
> Hello, DNS gurus,
>
> Does anybody have a good set of tcpdump/tshark capture filters, associated
> with DNS, already prep-ed for specific fields in the payload (so beyond just
> the simplistic udp 53 or tcp 53)?
>
I've used the perl Net::DNS modu
On Jun 24, 2014, at 4:29 PM, Matthew Ghali wrote:
> Hi PHB- I'm curious when this scheme would be simpler to implement or less
> expensive to operate as opposed to using a delegated internal subdomain of an
> existing parent domain registration (see corp.verio.net modulo the
> psychopathic NS
On Jun 24, 2014, at 12:53 PM, Phil Regnauld wrote:
> Jared Mauch (jared) writes:
>>
>> On Jun 24, 2014, at 9:01 AM, Kelly Setzer wrote:
>>
>>> * Most respondents agreed that a registered domain for internal DNS was
>>> the way to go.
>>
>>
On Jun 24, 2014, at 9:01 AM, Kelly Setzer wrote:
> * Most respondents agreed that a registered domain for internal DNS was
> the way to go.
Beware the mistakes of others as well, check out 'corp.verio.net' as an example
of a poorly operated sub-domain.
- Jared
On May 20, 2014, at 7:13 AM, cgielen+dnso...@gielen.name wrote:
> DNSSEC-validation fails for 172.in-addr.arpa . This causes reverse DNS
> lookups to fail for all IPv4-address starting with 172.
>
> http://dnsviz.net/d/16.172.in-addr.arpa
Is this perhaps related to AS112 project as well or 172.
On Thu, May 15, 2014 at 03:12:07PM +, Evan Hunt wrote:
> On Thu, May 15, 2014 at 07:12:53AM -0400, Jared Mauch wrote:
> > I heard they are skipping number 11, the next release would be 9.12.
>
> It's on our roadmap as 9.11.
Apparently i misheard.
- Jared
--
Ja
On May 15, 2014, at 3:55 AM, João Damas wrote:
> If it is 9.11, it might be good number to make attack resilience the focus of
> that version (a good code audit, more robust error-condition response,
> evolution of RRL and related features, logging that doesn't kill you, etc)
I heard they are
On May 14, 2014, at 3:22 AM, Jim Reid wrote:
> On 13 May 2014, at 22:51, Andrew Sullivan wrote:
>
>> "Check every name using your nameservers at the parent side for glue before
>> renumbering".
>
> If only it was that simple Andrew. :-)
>
> A delegation in TLD1 might point at a name in TLD2
FYI: I think you mean ISI.edu vs ISC.edu :)
fixed url:
> http://www.ISI.edu/~johnh/PAPERS/Zhu14a/
- Jared
On May 11, 2014, at 4:42 AM, Paul Vixie wrote:
> i'll answer john heidemann's paper (http://www.isc.edu/~johnh/PAPERS/Zhu14a/)
> separately, but my prior related remarks are already onl
FreeBSD lacks many tools, packaging and automation that other distributions
provide natively. As the OP is running RHEL, I suspect they may be constrained
into that box by either policy or something else locally.
FreeBSD has many caveats that make it difficult to deploy, including lack of
hard
Or happy eyeballs compensates which doesn't exist in v4. :-)
Either way, because the DNS applications and protocol accounts for this case,
there is nothing to see here.
Jared Mauch
> On Apr 1, 2014, at 12:08 AM, "Patrick W. Gilmore" wrote:
>
> If a v4 bifurcation
On Mar 31, 2014, at 5:08 PM, Mark Andrews wrote:
>> Yes.
>>
>> I posted the output for networks which cannot reach
>> c.root-servers.net over IPv6.
>
> Basically anyone using Hurricane Electric.
This is well known that Cogent (nee c.psi.net <-> c.root-servers) is not
connected to Hurricane
FYI:
https://kb.isc.org/article/AA-01078
On Dec 17, 2013, at 9:00 PM, Jared Mauch wrote:
> Anyone seen this crash:?
>
> I’m hitting it fairly often right now and trying to poke at the code for
> triage:
>
Turning off dnssec and validation fixed it for me.
- Jared
> On Dec 17, 2013, at 9:00 PM, Jared Mauch wrote:
>
> Anyone seen this crash:?
>
> I’m hitting it fairly often right now and trying to poke at the code for
> triage:
>
> 17-Dec-2013 20:56:03.138 general: na
Anyone seen this crash:?
I’m hitting it fairly often right now and trying to poke at the code for triage:
17-Dec-2013 20:56:03.138 general: name.c:1727: INSIST(offset <= length) failed,
back trace
17-Dec-2013 20:56:03.138 general: #0 0x43140d in ??
17-Dec-2013 20:56:03.138 general: #1 0x7622
On Oct 22, 2013, at 7:42 AM, Daniel Kalchev wrote:
> I for one, do not believe DNSSEC is any difficult. I have turned DNSSEC
> wherever I can. It has become easier and easier in the past few years to the
> point I would call deploying DNSSEC today trivial. I have therefore changed
> my stance
On Oct 17, 2013, at 4:09 AM, Daniel Kalchev wrote:
>
> On 17.10.13 00:12, Jared Mauch wrote:
>> Even small networks (I have a friend with a ~100 user wisp) shouldn't run
>> their own caches. The economics of it don't support this.
>>
>
> Care to elabo
On Oct 16, 2013, at 6:39 PM, Vernon Schryver wrote:
>> From: Jared Mauch
>
>> Understanding how this works is not networking or DNS 101. Limiting
>> the scope with TTL isn't that easy.
>>
>> Can you point someone at docs for how to do that in a poi
> On Oct 16, 2013, at 4:58 PM, Paul Ferguson wrote:
>
>
>
> I have no problem with that as long as they are not open resolvers -- we
> already have somewhere in the neighborhood of 28-30 million of them that
> pose a direct threat to the health & wellbeing of the Internet at-large
> because t
Understanding how this works is not networking or DNS 101. Limiting the scope
with TTL isn't that easy.
Can you point someone at docs for how to do that in a point and click fashion?
> On Oct 16, 2013, at 11:03 AM, Vernon Schryver wrote:
>
> There is a trivial and easy way to keep a recursive
Yes, configuring bind is harder than it seems. Same for routers. :-)
> On Oct 16, 2013, at 10:58 AM, "Mike Hoskins (michoski)"
> wrote:
>
>
> I get your point, but also disagree with the subset of folks who maintain
> DNS is so hard... Really? You can install, configure and keep an AD
> fore
Comcast doesn't give me broken name servers to use, there is no cognitive
dissonance here :-)
You are a DNS expert. Most end users when DNS fails think everything has
failed, including the network.
I type URLs into my browser. Do you know how many people type google into the
google search box?
On Oct 15, 2013, at 7:28 PM, Vernon Schryver wrote:
>> Folks like Comcast have large validating resolvers. Their customers should
>> use them. Folks here are surely going to do the right thing the majority of
>> the time. The vast majority of others are going to set things up once and
>> i
On Oct 15, 2013, at 4:58 PM, Paul Hoffman wrote:
> On Oct 15, 2013, at 1:36 PM, Jared Mauch wrote:
>
>> On Oct 15, 2013, at 2:12 AM, Peter Koch wrote:
>>
>>> sure. Yet another instance of "the DNS people have said ...". Come on.
>>
>> This i
On Oct 15, 2013, at 2:12 AM, Peter Koch wrote:
> sure. Yet another instance of "the DNS people have said ...". Come on.
This is akin to asking the founding member of the local mercedes car club what
sort of car you should get. :)
Is there something wrong with this?
- Jared
I'll say no. They don't have resources to deal with 98 angry users when DNS
fails. Using OpenDNS or the ISP is likely the best choice. Most large ISP dns
servers are good.
Jared Mauch
> On Oct 14, 2013, at 7:08 PM, Paul Hoffman wrote:
>
> A fictitious 100-person company h
I've reprocessed some data on the OpenResolverProject and wanted to share some
results.
1) I stopped filtering on if the #answers was >0 on the query to determine the
"alternate ip" in the data.
This filter was originally in-place because I thought DNS implementations were
"sane/good". They a
On Sep 13, 2013, at 5:58 PM, Paul Vixie wrote:
>> Although i think it is valid to argue that DNS TCP requires 3x RTTs if
>> you want to count the original question over UDP + the TC=1 response.
>> But I don't think that's what you are saying in the article. Am I
>> interpreting it wrong?
>
> i
On Aug 22, 2013, at 3:59 PM, wbr...@e1b.org wrote:
> Running the DNS for 100+ school districts and 400,000+ devices, I really,
> REALLY don't want to be the one saying "Sorry, you can't use the site
> called for in your lesson plan today because they messed up the DNSSEC
> records." Managemen
BTW, The goal of OpenResolverProject was to have an inventory so folks could
measure against attacks and determine what % of attacks utilized them.
The list is available in weekly format to security teams to download in bulk so
they can use tools like GrepCidr to perform this cross-reference.
T
On Aug 13, 2013, at 6:47 AM, Ken Peng wrote:
> On 2013-8-13 18:30, Jared Mauch wrote:
>> I'm not sure how accurate this really is, but:
>>
>> http://www.cdnplanet.com/blog/which-cdns-support-edns-client-subnet/
>>
>> Basically, it helps pass the client IP
On Aug 13, 2013, at 1:43 AM, Evan Hunt wrote:
>> Do you mean the BIND views? It has been there for many years.
>> http://www.zytrax.com/books/dns/ch7/view.html
>
> I believe Jared meant this:
>
> http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02
Correct.
I'm not sure how acc
Does anyone know if BIND supports the client-subnet option, or do I need to
seek another recursive resolver for this?
it does seem there are some patches, but I'm not sure if this is something
others have experimented with, e.g.:
http://wilmer.gaa.st/edns-client-subnet/
We operate a large recu
On Jul 30, 2013, at 4:55 PM, Anand Buddhdev wrote:
> BIND is trying to pass on the zone unchanged, but will of course not
> serve any out-of-zone records. Knot will not serve out-of-zone records,
> but will not pass them on either.
>
> What do you all think is the correct behaviour? Or are both
On Jun 27, 2013, at 10:04 PM, Feng He wrote:
> Hi,
>
> Sorry for my not good english.
> Says I have a domain a.com, whose NS records are:
> ns1.b.com
> ns2.b.com
>
> But b.com is not auth-resolved by my nameserver, for example, its
> auth-servers are registrar's.
>
> a.com is auth-resolved b
The openresolver project surveyed version.bind from those resolvers that
respond from port 53 based on the 20130616 dataset.
I know this will be of value to some people in understanding what resolvers may
be reaching their systems.
Here are the results:
http://openresolverproject.org/version.b
While processing some openresolver data (yes, blah blah), I see there are still
folks providing root referrals to old root hints:
119.151.1.94/53///.^IN^NS^C.PSI.NET|.^IN^NS^TERP.UMD.EDU|.^IN^NS^NS.NASA.GOV|.^IN^NS^NS1.ISI.EDU|.^IN^NS^NS.INTERNIC.NET|.^IN^NS^NS.ISC.org|.^IN^NS^NS.NIC.DDN.MIL|.^IN
On Jun 21, 2013, at 2:57 PM, "Lawrence K. Chen, P.Eng." wrote:
> Wonder about all the other people that run their own DNS (and such) on
> campusOne time the physics department was all angry that we (central IT)
> had changed the size of a DNS packet to be larger than 512-bytes on them.
>
On Jun 21, 2013, at 7:24 AM, Mike Jones wrote:
> http://code.kryo.se/iodine/ allows you to set up a full IP(v4) VPN over DNS.
>
> Obviously a VPN type setup with IP packet headers and TCP retransmits etc
> doesn't help performance compared to a program implementing its own data
> channel over
http://www.networksolutions.com/blog/2013/06/important-update-for-network-solutions-customers-experiencing-website-issues/
On Jun 20, 2013, at 5:57 AM, Franck Martin wrote:
> the dot com DNS got corrupted for several domains, you may have still wrong
> entries lingering in your DNS cache. This
Also a reminder that one could use the openresolverproject data set to check
for poisoning or stale information.
Or would folks prefer a portal to that info?
Jared Mauch
On Jun 20, 2013, at 9:29 AM, Vernon Schryver wrote:
>>> "..It seems your nameservers don't agree on th
On Jun 14, 2013, at 1:18 PM, Paul Vixie wrote:
>
>
> Jared Mauch wrote:
>> On Jun 14, 2013, at 11:07 AM, Chip Marshall
>> wrote:
>>
>>
>>> There was some talk at a recent meeting about establishing some
>>> best practices for operating
On Jun 14, 2013, at 11:07 AM, Chip Marshall wrote:
> There was some talk at a recent meeting about establishing some
> best practices for operating a DNS server. I'm curious if anyone
> is running with this, and if not, if this would be a good forum
> to start working on such a project.
>
> I k
On May 23, 2013, at 10:48 AM, Joe Greco wrote:
> That's a geek technical argument. Real world is different.
>
> http://www.circleid.com/posts/811611_david_ritz_court_spam/
This is a civil case not criminal, these are also different beasts.
- jared
On May 23, 2013, at 10:09 AM, Phil Regnauld wrote:
> Jared Mauch (jared) writes:
>>
>> Looking at a.2.C, it could apply to anything a DNS server replies with.
>> Then again, it's a server so meant to be a public item, so I wouldn't be
>> concerned.
>
On May 23, 2013, at 9:53 AM, Jim Reid wrote:
> On 23 May 2013, at 14:39, Vitalie Cherpec wrote:
>
>> I would like to know if querying version.bind is illegal (in
>> some countries)?
>
> Ask a lawyer or policeman in those countries. It's hard to see how such
> largely useless queries could be
On May 23, 2013, at 9:39 AM, Vitalie Cherpec wrote:
> Hi,
>
> I've developed a DNS checking tool (http://www.dnsinspect.com/).
> After 5 years of running it without any issues, I've received today a
> complaint through my ISP from a big company in a foreign country.
>
> They pretend that my V
On May 22, 2013, at 11:51 AM, bert hubert wrote:
> On Wed, May 22, 2013 at 10:16:50AM -0400, Jared Mauch wrote:
>> [without research random musing]
>>
>> I would imagine you could just modify the source to use SOCK_STREAM
>> instead of SOCK_DGRAM unless it uses se
On May 22, 2013, at 10:06 AM, Kareem Ali wrote:
> Hi,
>
> I'm trying to run a DNS TCP performance test to a DNS server in a
> lab environment. I'm doing the test from another server connected
> directly with a 1 Gb link. Both servers are running CentOS 6.4. I use
> dnsperf to run my DNS perform
On May 15, 2013, at 8:40 PM, Jared Mauch wrote:
> I fixed the patch by moving where it does this check to before query_find as
> opposed to inside it.
>
> Thanks for the insight and input.
It looks like some people deployed this patch (or at least downloaded it based
on user
I fixed the patch by moving where it does this check to before query_find as
opposed to inside it.
Thanks for the insight and input.
- Jared
On May 15, 2013, at 8:03 PM, Vernon Schryver wrote:
> I think the patch has a false negative rate of approximately 100%.
> To check whether I am wrong a
On May 15, 2013, at 8:03 PM, Vernon Schryver wrote:
> I think the patch has a false negative rate of approximately 100%.
> To check whether I am wrong again, I set up a test server and tried
> two `dig +ignore isc.org any` commands. The first got a TC=1 error
> response as expected. The second
On May 15, 2013, at 6:52 PM, Vernon Schryver wrote:
>> This effectively does slip=1 and does away with any amplification and just
>> makes it
>> a pure reflection attack. Still not ideal, but doesn't amplify.
>
> On the contrary, as I just now wrote in the ratelimits mailing list
> http://lis
One more comment: This patch only impacts recursive servers, not authorities.
They won't set TC=1 for an ANY query.
- Jared
On May 15, 2013, at 6:03 PM, Jared Mauch wrote:
>
> On May 15, 2013, at 5:58 PM, John Kristoff wrote:
>
>> On Wed, 15 May 2013 17:52:11 -0400
>
On May 15, 2013, at 5:58 PM, John Kristoff wrote:
> On Wed, 15 May 2013 17:52:11 -0400
> Jared Mauch wrote:
>
>> If others want, I can look at putting in a config directive. It
>> would be possible to add other RRtypes easily enough that should get
>> TCP only
On May 15, 2013, at 5:09 PM, Matthäus Wander
wrote:
> * Vernon Schryver [2013-05-15 21:40]:
>>> From: Jared Mauch
>>> This is a crude but effective hack. It doesn't stop the system from
>>> recursing to find the response.
>>
>>
>> I c
I thought I'd share this to anyone that wants to just force all TYPE=ANY
queries over TCP to prevent those from coming from spoofed locations.
This is a crude but effective hack. It doesn't stop the system from recursing
to find the response.
http://puck.nether.net/~jared/bind-9.9.3rc2-tcp-any
I think many of the problems we saw back in the win95/98 days with stickiness
of DNS records have mostly been resolved. Most software does the right thing
these days.
Jared Mauch
On May 3, 2013, at 6:45 PM, "Simon. Munton"
wrote:
> We were curious about this.
>
> As a q
On Apr 26, 2013, at 8:24 AM, "Cihan SUBASI \(GARANTI TEKNOLOJI\)"
wrote:
> Also can someone explain why tcp53 should be allowed on the firewalls if dns
> is behind a firewall?
EDNS0
> And why auditors do not like tcp53 open to public?
Because someone told them the wrong thing and they don't
On Apr 16, 2013, at 8:52 AM, Jared Mauch wrote:
>
> On Apr 16, 2013, at 8:21 AM, Jared Mauch wrote:
>
>> Greetings,
>>
>> I took the latest 'Open Resolver' list and queried the hosts another time
>> with a version.bind query.
>>
>>
The openresolverproject has weekly results from its survey of the ipv4 space,
including response.
It's available for ongoing research and derivative work.
Jared Mauch
On Apr 18, 2013, at 11:28 AM, Joe Abley wrote:
> On 2013-04-18, at 11:24, Kaio Rafael wrote:
>
>> I am
I'm going to automate some graphs 'soon'.
As I mentioned here and elsewhere, the methodology has been tweaked slightly in
the past few weeks and has exposed a few more than the last week.
The last change is happening on 4-21. I'm going to start showing more data,
but my time has been limited d
Vernon,
On Apr 16, 2013, at 11:58 AM, Vernon Schryver wrote:
>> From: Jared Mauch
>
>> Check out the breakdown.html page ...
>
>2013-04-14 results
>
>34030764 servers responded to our udp/53 probe
>914175 servers responded from a different IP than
On Apr 16, 2013, at 10:39 AM, Roy Arends wrote:
> On Apr 16, 2013, at 1:21 PM, Jared Mauch wrote:
>
>> Greetings,
>>
>> I took the latest 'Open Resolver' list and queried the hosts another time
>> with a version.bind query.
>>
On Apr 16, 2013, at 8:58 AM, Stephane Bortzmeyer wrote:
> On Tue, Apr 16, 2013 at 08:52:39AM -0400,
> Jared Mauch wrote
> a message of 36 lines which said:
>
>> Ok, I didn't expect everyone to post this to twitter/facebook so fast :)
>
> Welcome to the Interne
On Apr 16, 2013, at 8:21 AM, Jared Mauch wrote:
> Greetings,
>
> I took the latest 'Open Resolver' list and queried the hosts another time
> with a version.bind query.
>
> You can view the results here:
>
> http://openresolverproject.org/version.bind.report
Greetings,
I took the latest 'Open Resolver' list and queried the hosts another time with
a version.bind query.
You can view the results here:
http://openresolverproject.org/version.bind.report.txt
- jared
94 matches