Re: [dns-operations] DNS Attack over UDP fragmentation

2013-09-04 Thread Mike Hoskins (michoski)
-Original Message- From: Dan York Date: Wednesday, September 4, 2013 11:03 AM To: Ondřej Surý , DNS Operations Subject: Re: [dns-operations] DNS Attack over UDP fragmentation >Ondrej, > >On 9/4/13 9:08 AM, "Ondřej Surý" wrote: > >>We gave it some thoughts here at CZ.NIC Labs and we thi

Re: [dns-operations] Implementation of negative trust anchors?

2013-09-04 Thread Mike Hoskins (michoski)
-Original Message- From: Ondřej Surý Date: Wednesday, September 4, 2013 10:37 AM To: "wbr...@e1b.org" Cc: "dns-operati...@dns-oarc.net" Subject: Re: [dns-operations] Implementation of negative trust anchors? >On 22. 8. 2013, at 21:59, wbr...@e1b.org wrote: >> Our browsers give us the o

Re: [dns-operations] Implementation of negative trust anchors?

2013-09-04 Thread Mike Hoskins (michoski)
-Original Message- From: "ondrej.s...@nic.cz" Date: Wednesday, September 4, 2013 12:37 PM To: "dns-operations@lists.dns-oarc.net" Subject: Re: [dns-operations] Implementation of negative trust anchors? >>When the two seem to conflict, better education is the answer not >> removing one's

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-16 Thread Mike Hoskins (michoski)
-Original Message- From: Chris Boyd Date: Wednesday, October 16, 2013 10:06 AM To: "dns-operati...@mail.dns-oarc.net Operations" Subject: Re: [dns-operations] Should medium-sized companies run their own recursive resolver? > >On Oct 16, 2013, at 2:24 AM, Warren Kumari wrote: > >> Co

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-16 Thread Mike Hoskins (michoski)
-Original Message- From: Jared Mauch Date: Wednesday, October 16, 2013 3:59 AM To: Vernon Schryver Cc: "dns-operati...@mail.dns-oarc.net" Subject: Re: [dns-operations] Should medium-sized companies run their own recursive resolver? > >On Oct 15, 2013, at 7:28 PM, Vernon Schryver w

Re: [dns-operations] cache sizes/tuning

2013-11-07 Thread Mike Hoskins (michoski)
-Original Message- From: Jim Reid Date: Thursday, November 7, 2013 3:49 PM To: Joe Abley Cc: DNS Operations Subject: [dns-operations] cache sizes/tuning >On 7 Nov 2013, at 20:08, Joe Abley wrote: > >> But if that's what happens, it certainly helps explain the oft-shouted >>guidance "TU

Re: [dns-operations] It's begun...

2013-11-14 Thread Mike Hoskins (michoski)
-Original Message- From: Chris Thompson Reply-To: "c...@cam.ac.uk" Date: Thursday, November 14, 2013 10:13 AM To: DNS Operations list Subject: Re: [dns-operations] It's begun... >On Nov 7 2013, Paul Hoffman wrote: > >>Now with non-IDN strings: >> camera >> clothing >> equ

Re: [dns-operations] BIND performance difference between RHEL 6.4 and FreeBSD 7

2014-04-23 Thread Mike Hoskins (michoski)
-Original Message- From: Doug Barton Date: Wednesday, April 23, 2014 at 5:14 PM To: "dns-operations@lists.dns-oarc.net" Subject: Re: [dns-operations] BIND performance difference between RHEL 6.4 and FreeBSD 7 >On 04/23/2014 01:14 PM, Robert Edmonds wrote: >> Doug Barton wrote: >>> What's

Re: [dns-operations] about the underline in hostname

2014-05-30 Thread Mike Hoskins (michoski)
-Original Message- From: Mark Andrews Date: Friday, May 30, 2014 at 6:45 AM To: Randy Bush Cc: dns-operations Subject: Re: [dns-operations] about the underline in hostname > >In message , Randy Bush writes: >> > we can't righteously complain about middleboxes that think they know >> > w

Re: [dns-operations] about DNS attack

2014-05-30 Thread Mike Hoskins (michoski)
-Original Message- From: Roland Dobbins Date: Friday, May 30, 2014 at 4:44 AM To: DNS Operations Subject: Re: [dns-operations] about DNS attack > >On May 30, 2014, at 3:36 PM, Roland Dobbins wrote: > >> > >btw, there's a little bit of Arbor p

Re: [dns-operations] about the underline in hostname

2014-06-03 Thread Mike Hoskins (michoski)
-Original Message- From: Tony Finch Date: Tuesday, June 3, 2014 at 5:32 AM To: "wbr...@e1b.org" Cc: "dns-operations@lists.dns-oarc.net" Subject: Re: [dns-operations] about the underline in hostname >wbr...@e1b.org wrote: >> >> Interesting reading. I bet Site 1 was quite popular: >> >>

Re: [dns-operations] different dns servers for different domains.

2014-07-11 Thread Mike Hoskins (michoski)
I wouldn't do that just with resolv.conf, though maybe someone has such magic. :-) In the past I've used a combination of tools with resolv.conf... for example, you could configure views with different forwarders if you control the remote name servers already in resolv.conf, or BIND/dnscache/sim

Re: [dns-operations] ShellShock exploit through the DNS

2014-10-14 Thread Mike Hoskins (michoski)
-Original Message- From: Jim Reid Date: Tuesday, October 14, 2014 at 1:53 PM To: Paul Vixie Cc: "dns-operati...@dns-oarc.net" Subject: Re: [dns-operations] ShellShock exploit through the DNS >On 14 Oct 2014, at 12:46, P Vixie wrote: > >>> As "/bin/sh" is almost always a symlink to "/bi

Re: [dns-operations] Logging dns record changes

2014-11-14 Thread Mike Hoskins (michoski)
-Original Message- From: "Ayca Taskin (Garanti Teknoloji)" Date: Friday, November 14, 2014 at 10:07 AM To: "dns-operati...@dns-oarc.net" Subject: [dns-operations] Logging dns record changes > >Hello All, > >We need to log DNS record changes, is there any logging option to do this >on

Re: [dns-operations] Firewall defaults and EDNS

2014-11-20 Thread Mike Hoskins (michoski)
This is a resource I've used to fix issues for BIND servers behind PIX and ASAs: http://www.cisco.com/web/about/security/intelligence/dnssec.html You are right, after much discussion over the years (as an outsider and insider) newer versions of Cisco defaults have gotten better. If there are sp

Re: [dns-operations] DNS measurement standards

2014-12-08 Thread Mike Hoskins (michoski)
I've used dnsperf in the past. Liked the company's reputation, the design of the tool, and the ease of getting visual output. I haven't used the others, so none of this is to say these things aren't also true about them...just what I liked about dnsperf. The queryfile format makes a lot of se

Re: [dns-operations] Fwd: Google public DNS - getting SERVFAIL for any domains delegated to GoDaddy NSs

2014-12-08 Thread Mike Hoskins (michoski)
Another case of the cure being worse (or at least as bad) as the ailment. All too common these days. I've always avoided "public DNS" -- partially for tinfoil hat reasons, but also because in comparison tests there was always more latency to google (or whatever outside resource) than my ISP's infr

Re: [dns-operations] knot-dns

2014-12-15 Thread Mike Hoskins (michoski)
I hesitate to get involved in a holy war...but really huge +1 to this. You have diversity, in a managed way. It's not a silver bullet -- but just like there have been times it made things worse, there have been times when it made things better (buffer overflows that worked on one architecture but

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Mike Hoskins (michoski)
-Original Message- From: Paul Wouters Date: Tuesday, April 14, 2015 at 10:20 AM To: Mark Jeftovic Cc: "dns-operati...@dns-oarc.net" Subject: Re: [dns-operations] Stunning security discovery: AXFR may leak information >On Tue, 14 Apr 2015, Mark Jeftovic wrote: > >> Joke all you want. Thi

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Mike Hoskins (michoski)
-Original Message- From: Marjorie Date: Tuesday, April 14, 2015 at 2:47 PM To: Samson Oduor , Jelte Jansen Cc: Paul Wouters , "dns-operati...@dns-oarc.net" Subject: Re: [dns-operations] Stunning security discovery: AXFR may leak information >This is an interesting discussion actu

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Mike Hoskins (michoski)
-Original Message- From: Mark Andrews Date: Tuesday, April 14, 2015 at 3:57 PM To: Edward Lewis Cc: "dns-operati...@dns-oarc.net" Subject: Re: [dns-operations] Stunning security discovery: AXFR may leak information >Basically all blocking axfr does is give you a false sense of >secur

Re: [dns-operations] Anycast resolver addresses (Was: Do Unix stubs round robin nameserver addresses?)

2015-04-17 Thread Mike Hoskins (michoski)
-Original Message- From: Doug Barton Date: Friday, April 17, 2015 at 7:09 PM To: "dns-operati...@dns-oarc.net" Subject: [dns-operations] Anycast resolver addresses (Was: Do Unix stubs round robin nameserver addresses?) >On 4/17/15 3:53 PM, Roland Dobbins wrote: >> >> On 18 Apr 2015, at 5

Re: [dns-operations] about anti-ddos DNS hostings

2015-06-11 Thread Mike Hoskins (michoski)
On 6/11/15, 9:45 AM, "Kumar Ashutosh" wrote: >@Kevin >See if this interests you >http://azure.microsoft.com/en-us/services/dns/ Or http://aws.amazon.com/route53/ I don't work for amazon, but have used route53 as a cheaper alternative to Akamai. Note neither of these are marketed as anti-DDoS

Re: [dns-operations] The root zone at past 1000.

2015-07-13 Thread Mike Hoskins (michoski)
On 7/13/15, 10:10 AM, "dns-operations on behalf of Warren Kumari" wrote: >On Mon, Jul 13, 2015 at 3:01 PM, Shane Kerr >wrote: >> William, >> >> On Wed, 8 Jul 2015 14:07:20 -0400 (EDT) >> William Sotomayor wrote: >> >>> >>> Well we've had December 2012 come and go, and now we're at 1003 entries

Re: [dns-operations] email address in SOA

2012-12-10 Thread Mike Hoskins (michoski)
-Original Message- From: Chris Thompson Reply-To: "c...@cam.ac.uk" Date: Monday, December 10, 2012 9:40 AM To: Joe Abley Cc: DNS Operations List Subject: Re: [dns-operations] email address in SOA >On Dec 6 2012, Joe Abley wrote, in re the SOA.rname field: > >>It's used for >> >>(a) le

Re: [dns-operations] what nameserver software have you been using?

2012-12-14 Thread Mike Hoskins (michoski)
-Original Message- From: Feng He Date: Friday, December 14, 2012 10:17 AM To: "dns-operations@lists.dns-oarc.net" Subject: [dns-operations] what nameserver software have you been using? >It seems there are many DNS gurus here. >I am just curious what nameservers software have you been u

Re: [dns-operations] note for the peanut gallery Re: underline in TXT's host

2012-12-17 Thread Mike Hoskins (michoski)
-Original Message- From: Feng He Date: Monday, December 17, 2012 3:31 AM To: "dns-operations@lists.dns-oarc.net" Subject: Re: [dns-operations] note for the peanut gallery Re: underline in TXT's host >On 2012-12-15 2:37, Fred Morris wrote: >> So therefore let me state that I suggest that the

Re: [dns-operations] Reply: Re: All requests are logged by BIND?

2013-01-25 Thread Mike Hoskins (michoski)
Well if you believe Google, you're comparing Quincy Public Schools and Portland Public Schools, which have different lunch menus, job openings, etc. Sorry, needed to lighten up my day a bit... 8^P Queries Per Second vs Packets Per Second...obviously PPS should be much larger. You should be able

Re: [dns-operations] All requests are logged by BIND?

2013-01-28 Thread Mike Hoskins (michoski)
-Original Message- From: Joe Abley Date: Monday, January 28, 2013 11:02 AM To: Mike Hoskins Cc: "dns-operations@lists.dns-oarc.net" Subject: Re: [dns-operations] All requests are logged by BIND? > >On 2013-01-25, at 15:05, Mike Hoskins (michoski) >wrote: >

Re: [dns-operations] CloudShield advices against dDoS

2013-02-20 Thread Mike Hoskins (michoski)
-Original Message- From: Joe Abley Date: Wednesday, February 20, 2013 12:03 PM To: Stephane Bortzmeyer Cc: DNS Operations List Subject: Re: [dns-operations] CloudShield advices against dDoS > >On 2013-02-20, at 12:46, Stephane Bortzmeyer wrote: > >> http://www.cloudshield.com/applicat

Re: [dns-operations] Fighting the Open Recursive Nameserver or not?

2013-03-29 Thread Mike Hoskins (michoski)
-Original Message- From: Stephane Bortzmeyer Organization: NIC France Date: Friday, March 29, 2013 3:50 AM To: "dns-operations@lists.dns-oarc.net" Subject: [dns-operations] Fighting the Open Recursive Nameserver or not? >I thought that everyone was convinced of the need to close ORN (RFC

Re: [dns-operations] DNS Issue

2013-04-26 Thread Mike Hoskins (michoski)
-Original Message- From: , Roland Date: Friday, April 26, 2013 8:33 AM To: "dns-operations@lists.dns-oarc.net List" Subject: Re: [dns-operations] DNS Issue > >On Apr 26, 2013, at 7:24 PM, Cihan SUBASI (GARANTI TEKNOLOJI) wrote: > >> Also can someone explain why tcp53 should be allowed o

Re: [dns-operations] DNS Issue

2013-05-01 Thread Mike Hoskins (michoski)
-Original Message- From: "Michele Neylon :: Blacknight" Date: Wednesday, May 1, 2013 8:21 AM To: Lutz Donnerhacke Cc: "" Subject: Re: [dns-operations] DNS Issue >We've seen large companies' sysadmins being adamant that their firewall >setup was correct and that we didn't know DNS .. ..

Re: [dns-operations] bind-9.9.3rc2 ANY+TCP patch

2013-05-16 Thread Mike Hoskins (michoski)
-Original Message- From: Vernon Schryver Date: Thursday, May 16, 2013 11:30 AM To: "dns-operati...@mail.dns-oarc.net" Subject: Re: [dns-operations] bind-9.9.3rc2 ANY+TCP patch >That is mistaken. We are talking about testing for (and perhaps >mitigating) attack packets. A "positive" fo