Re: [dns-operations] latest bind, EDNS & TCP

2014-10-10 Thread Stephane Bortzmeyer
On Fri, Oct 10, 2014 at 02:53:38PM +0100, Simon Munton wrote a message of 33 lines which said: > Is anyone else seeing this? No, not really. On one server, I see an increase of no-EDNS from Oct. 6th. On the others, I see nothing. For instance, here is the DSC graph for d.nic.fr. ___

[dns-operations] ShellShock exploit through the DNS

2014-10-14 Thread Stephane Bortzmeyer
Funny: an OS sends the result of some DNS queries to bash, allowing the DNS operator to attack DNS clients with ShellShock: http://packetstormsecurity.com/files/128650 What about an evil AS 112 operator attacking 168.192.in-addr.arpa users?

Re: [dns-operations] ShellShock exploit through the DNS

2014-10-14 Thread Stephane Bortzmeyer
On Tue, Oct 14, 2014 at 09:01:02AM +0100, Simon Munton wrote a message of 38 lines which said: > As "/bin/sh" is almost always a symlink to "/bin/bash", No. It is not the case for FreeBSD, Debian, NetBSD, ArchLinux... > assume this to be the case (i.e. use bash specific features, without >

[dns-operations] IETF working group on DNS privacy

2014-10-20 Thread Stephane Bortzmeyer
Yes, I know, it is not really operations. But it may have an influence on DNS operations so I prefer the operations people to be aware of it: IETF just created a working group on DNS privacy, named DPRIV :-) The charter of the working group, if you want to know what this group is up to, is

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Stephane Bortzmeyer
On Wed, Oct 22, 2014 at 12:47:39PM -0400, Mark Allman wrote a message of 64 lines which said: > Short paper / crazy idea for your amusement ... The biggest problem I have with this paper is of terminology. I thought at the beginning that the idea was to get rid of resolvers, then it appeared

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Stephane Bortzmeyer
On Wed, Oct 22, 2014 at 11:03:11PM -0400, Mark Allman wrote a message of 110 lines which said: > The paper quantifies this cost for .com. We find that something > like 1% of the records change each week. So, while increasing the > TTL from the current two days to one week certainly sacrifice

Re: [dns-operations] resolvers considered harmful

2014-10-25 Thread Stephane Bortzmeyer
On Thu, Oct 23, 2014 at 10:36:37AM -0700, Paul Vixie wrote a message of 24 lines which said: > until you have done this and have results to report, you'd be wise not > to make any claims about this possibility. I have run Unbound on my laptop for many years, using ::1 as the only resolver. It work

Re: [dns-operations] resolvers considered harmful

2014-10-25 Thread Stephane Bortzmeyer
On Thu, Oct 23, 2014 at 03:29:02PM -0400, Mark Allman wrote a message of 64 lines which said: > Same interface to the applications. But, underneath it doesn't go > query whatever is in /etc/resolv.conf, but rather just walks the > tree itself (to the extent needed, based on the cache). It is

Re: [dns-operations] resolvers considered harmful

2014-10-25 Thread Stephane Bortzmeyer
On Fri, Oct 24, 2014 at 11:55:03AM +0100, Tony Finch wrote a message of 32 lines which said: > As I understand it the plan is to tell clients about the network's > NAT64/DNS64 configuration so that clients can do their own DNS64 > synthesis, which means the DNSSEC breakage no longer matters.

Re: [dns-operations] Interesting messages in our logs

2014-11-01 Thread Stephane Bortzmeyer
On Sat, Nov 01, 2014 at 10:10:07AM -0500, Lyle Giese wrote a message of 23 lines which said: > Interesting error messages. Someone was running a host name scan > against a domain hosted here and it looks like they were doing it > via Google DNS. It seems also that RRL started and sent SLIP a

[dns-operations] CVE-request: systemd-resolved DNS cache poisoning

2014-11-12 Thread Stephane Bortzmeyer
There is everything in systemd, including a (broken) DNS resolver: http://seclists.org/oss-sec/2014/q4/592

[dns-operations] The Largest Cyber Attack In History Has Been Hitting Hong Kong Sites

2014-11-24 Thread Stephane Bortzmeyer
CloudFlare claims it is a DNS attack. I thought amplification attacks using the DNS were old-fashioned, everybody moving to NTP and SNMP? http://www.forbes.com/sites/parmyolson/2014/11/20/the-largest-cyber-attack-in-history-has-been-hitting-hong-kong-sites/

Re: [dns-operations] cache flush request - craigslist.org

2014-11-25 Thread Stephane Bortzmeyer
On Sun, Nov 23, 2014 at 07:38:40PM -0800, Brad Volz wrote a message of 60 lines which said: > The craigslist account at one of our registrars was compromised and > the NS records migrated away from their rightful home. That issue > has since been corrected, but the various caches around the I

[dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Stephane Bortzmeyer
I'm trying to find out whether there exists a public IP address which is a black hole, swallowing every packet sent to it. I can do that on my network but I'm wondering if it already exists somewhere, maybe as an anycast service (AS112-style). The idea is to delegate some domain names to unresponsive

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Stephane Bortzmeyer
On Wed, Nov 26, 2014 at 03:25:47PM +0100, Stephane Bortzmeyer wrote a message of 25 lines which said: > The idea is to delegate some domain names to unresponsive name servers > (deleting the domain name is less efficient, since the negative TTL is > smaller than the delegation TTL).

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Stephane Bortzmeyer
On Wed, Nov 26, 2014 at 04:33:37PM +0100, Jeroen Massar wrote a message of 15 lines which said: > What about putting those zones/nameservers in DNS RPZ? I don't get it. RPZ is for resolvers.

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Stephane Bortzmeyer
On Wed, Nov 26, 2014 at 03:25:47PM +0100, Stephane Bortzmeyer wrote a message of 25 lines which said: > I'm trying to find out if it exists a public IP address which is a > black hole, swallowing every packet sent to it. A possible example is blackhole.webpagetest.org/72.66.1

Re: [dns-operations] Fwd: Google public DNS - getting SERVFAIL for any domains delegated to GoDaddy NSs

2014-12-08 Thread Stephane Bortzmeyer
On Sun, Dec 07, 2014 at 01:17:40PM -0800, Doug Barton wrote a message of 16 lines which said: > FWIW, I get the expected answer from the goog here in California. It seems there is *something* (but I don't know what) for *some* people https://groups.google.com/forum/#!searchin/public-dns-disc

Re: [dns-operations] Fwd: Google public DNS - getting SERVFAIL for any domains delegated to GoDaddy NSs

2014-12-08 Thread Stephane Bortzmeyer
On Mon, Dec 08, 2014 at 09:38:49AM +0100, Stephane Bortzmeyer wrote a message of 24 lines which said: > It seems there is *something* (but I don't know what) for *some* > people An expert suggested on Twitter that it could be an accidental side-effect of blacklisting attack

[dns-operations] DNS Security Advisory (infinite recursion)

2014-12-08 Thread Stephane Bortzmeyer
On Mon, Dec 08, 2014 at 05:06:09PM +0100, bert hubert wrote a message of 61 lines which said: > Please be aware of PowerDNS Security Advisory 2014-02 Works with other resolvers as well. For Unbound, see For BIND,

Re: [dns-operations] Namecheap Contact?

2014-12-10 Thread Stephane Bortzmeyer
On Tue, Dec 09, 2014 at 06:50:38PM +0100, Anthony Eden wrote a message of 47 lines which said: > Does anyone have a contact for someone at Namecheap who would be familiar > with the latest DDoS they experienced? I'd like to speak with them and see > if it's the same type of attack we saw, I'm

Re: [dns-operations] Namecheap Contact?

2014-12-10 Thread Stephane Bortzmeyer
On Tue, Dec 09, 2014 at 06:50:38PM +0100, Anthony Eden wrote a message of 47 lines which said: > Does anyone have a contact for someone at Namecheap who would be familiar > with the latest DDoS they experienced? By the way, it just resumed.

% check-soa -ns "dns1.namecheaphosting.com dns2.nam

Re: [dns-operations] DNSimple under attack?

2014-12-10 Thread Stephane Bortzmeyer
On Tue, Dec 02, 2014 at 02:01:48PM +0800, Ken Peng wrote a message of 8 lines which said: > Their website can't be reachable from my end. And one of my domains with > them can't be resolved. By the way, they published a good technical report: http://blog.dnsimple.com/2014/12/incident-report-

[dns-operations] 1&1 down

2014-12-10 Thread Stephane Bortzmeyer
For more or less 15 hours (with some remissions). Seems very severe now. Their own domains work but the customer-hosted domains are down:

% check-soa -n 5 -t 5 -i -ns "ns-us.1and1-dns.us ns-us.1and1-dns.de ns-us.1and1-dns.org ns-us.1and1-dns.com" edmtrancefm.com
ns-us.1and1-dns.com. 2001:

Re: [dns-operations] Etisalat DNS hack

2014-12-19 Thread Stephane Bortzmeyer
On Thu, Dec 18, 2014 at 12:04:45PM -0500, David C Lawrence wrote a message of 11 lines which said: > http://gulfnews.com/business/technology/domain-name-structure-of-etisalat-poisoned-1.1428889 > > This news report claims it was a cache poisoning, but it also reads > like it could have been h

Re: [dns-operations] What is the exact response?

2014-12-23 Thread Stephane Bortzmeyer
On Tue, Dec 23, 2014 at 03:52:19PM +0800, scottjiang1...@hotmail.com wrote a message of 284 lines which said: > When the resolver sends the DNSKEY RR query, irrespective of > keyrollover period, I think the response message should reply a KSK, > a ZSK No. Nothing in DNSSEC says you must have

[dns-operations] [dDoS] Good discussion on the Rackspace attack and DNS resiliency

2014-12-24 Thread Stephane Bortzmeyer
https://news.ycombinator.com/item?id=8784210 After the successful attacks against Rackspace, Namecheap, DNSimple and 1&1, it is clear that dDoS attacks against DNS servers are very common this winter, and they succeed :-(

Re: [dns-operations] issue with m root server from China?

2015-01-08 Thread Stephane Bortzmeyer
ing-in-china-by-stephane-bortzmeyer https://lists.dns-oarc.net/pipermail/dns-operations/2009-June/003944.html http://arstechnica.com/tech-policy/2010/03/china-censorship-leaks-outside-great-firewall-via-root-server/

[dns-operations] Sharing a DNSSEC key between zones

2015-01-09 Thread Stephane Bortzmeyer
I'm looking for resources discussing the pros and cons of sharing DNSSEC keys between zones. I find nothing in RFC 6841 or 6781. Any pointer?

Re: [dns-operations] Sharing a DNSSEC key between zones

2015-01-12 Thread Stephane Bortzmeyer
On Sat, Jan 10, 2015 at 07:46:55PM -0500, Warren Kumari wrote a message of 120 lines which said: > Obligatory marketing message on automating this: > https://tools.ietf.org/html/rfc7344 I would be interested by a Web page / Wiki recording the registries (or, for those who have to use the regi

[dns-operations] DNS training at the NSA

2015-01-18 Thread Stephane Bortzmeyer
On p. 9 (NSA slides, leaked to the press), the DNS resolution process is strange, as if recursion, instead of iteration, were used by all DNS servers of the world, including the root name servers. Too much haste in using PowerPoint? Ignorance? Deliberat

[dns-operations] The Sichuan pepper attack: turning a DNS censorship system into a dDoS vector

2015-02-01 Thread Stephane Bortzmeyer
We all know that the Chinese network intercepts DNS requests and returns fake answers

[dns-operations] [dns-privacy] Start of WGLC for draft-ietf-dprive-problem-statement - please review.

2015-02-25 Thread Stephane Bortzmeyer
This work on DNS privacy is now in IETF Working Group Last Call. Maybe some people from the operations crowd may be interested to review it? If you have remarks to make, you can send them directly to me or use the Github issue system. But, in most cases, it is better to use the IETF system: send an

Re: [dns-operations] Bad IP in glue records (Godaddy)

2015-03-06 Thread Stephane Bortzmeyer
On Fri, Mar 06, 2015 at 02:01:22PM +0100, Grzegorz Dabrowski wrote a message of 58 lines which said: > I have a problem with bullet proof Godaddy I'm not convinced it is GoDaddy's fault, the host record is controlled by Network Solutions: % whois a.ns.domadd.getresponse.COM ... Server Nam

Re: [dns-operations] Mozilla Firefox and ANY queries

2015-03-06 Thread Stephane Bortzmeyer
On Fri, Feb 27, 2015 at 12:02:57AM -0500, Sadiq Saif wrote a message of 30 lines which said: > Checking local resolver logs and am seeing a large amount of ANY queries > originating from Firefox, is anybody else seeing such behavior? https://blog.cloudflare.com/deprecating-dns-any-meta-query-

Re: [dns-operations] DNSSEC validation failures for .KE

2015-03-31 Thread Stephane Bortzmeyer
On Tue, Mar 31, 2015 at 01:37:51PM +0200, Anand Buddhdev wrote a message of 25 lines which said: > Their current DS record points to a key that has the revoke bit set, > but it is no longer signing the DNSKEY rrset. There are other problems: * 10 (!) DNSKEY which seems too many * lame delega

Re: [dns-operations] DNSSEC validation failures for .KE

2015-03-31 Thread Stephane Bortzmeyer
They published again key 37471, which was removed while still being pointed at by the DS... But with expired signatures! ke. 14348 IN RRSIG DNSKEY 5 1 14400 ( 20140831155438 20140801145438 37471 ke. hZjCZSIT1T2r+U

[dns-operations] Funny DNSSEC problem

2015-04-07 Thread Stephane Bortzmeyer
The domain juralib.noblogs.org does not resolve (SERVFAIL) from Free (2nd ISP in France, uses DNSSEC validation).

% dig A juralib.noblogs.org

; <<>> DiG 9.9.2-P2 <<>> A juralib.noblogs.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25509
;;

[dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Stephane Bortzmeyer
https://www.us-cert.gov/ncas/alerts/TA15-103A
http://haxpo.nl/haxpo2015ams/sessions/all-your-hostnames-are-belong-to-us/

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Stephane Bortzmeyer
On Tue, Apr 14, 2015 at 11:28:17AM +, Edward Lewis wrote a message of 126 lines which said: > Newsflash: Water can make you wet. You can also notice that the US CERT, to explain "how AXFR works", links to djb and not to RFC 5936...

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Stephane Bortzmeyer
On Tue, Apr 14, 2015 at 08:29:47AM -0400, Mark Jeftovic wrote a message of 26 lines which said: > This is worse than heartbleed. I won't rely on commercial teasers like I'm waiting for the actual paper to decide if t

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Stephane Bortzmeyer
On Tue, Apr 14, 2015 at 03:59:10PM +0100, Simon Munton wrote a message of 19 lines which said: > What year is this? 1986? > > Its a shame, cos over-reporting renders an alerts system useless. Ignorance from the US CERT, plus teasing from fame-deprived security researchers.

[dns-operations] Authoritative name server replies NODATA for a non-existing domain

2015-04-22 Thread Stephane Bortzmeyer
Strange behavior:

% for ns in $(dig +nodnssec +short NS adult.); do
    echo $ns
    dig @$ns NS thisdomaincertainlydoesnotexist.adult |& grep status:
  done
d0.nic.adult.
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13433
c0.nic.adult.
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23111
a0.n

Re: [dns-operations] Authoritative name server replies NODATA for a non-existing domain

2015-04-22 Thread Stephane Bortzmeyer
On Wed, Apr 22, 2015 at 03:12:24PM +0200, Stephane Bortzmeyer wrote a message of 30 lines which said: > IMHO, all the name servers should reply NXDOMAIN, no? Or could it be a "minimum response", intended to prevent zone enumeration?

Re: [dns-operations] Authoritative name server replies NODATA for a non-existing domain

2015-04-23 Thread Stephane Bortzmeyer
On Thu, Apr 23, 2015 at 08:45:01AM +0200, Michał Kępień wrote a message of 14 lines which said: > This is fun - I never expected this bug to be publicly noticed for a > TLD. It's only observable in the time span between wildcard record > removal and the next run of "nsdc patch" on the slave I

[dns-operations] [Security] Glue or not glue?

2015-05-04 Thread Stephane Bortzmeyer
A new edition of the DNS security guide by ANSSI (French cybersecurity agency) recommends preferring delegations with glue because glueless delegations "may carry additional risks since they create a dependency". Is there any other "best practices" text which makes such a recommendation? http://www

Re: [dns-operations] DNS issues with .MIL

2015-06-07 Thread Stephane Bortzmeyer
On Sun, Jun 07, 2015 at 03:48:30PM -0400, Paul Wouters wrote a message of 53 lines which said: > paul@bofh:~$ dig stratcom.mil @CON2.NIPR.mil. Wrong test, only www.stratcom.mil has an A record, stratcom.mil does not. According to DNSDB, this has always been the case.

Re: [dns-operations] DNS issues with .MIL

2015-06-07 Thread Stephane Bortzmeyer
On Sun, Jun 07, 2015 at 03:33:09PM -0400, Jim Popovitch wrote a message of 15 lines which said: > Is anyone else seeing DNS issues .MIL today? Specifically with > stratcom.mil? Yes, stratcom.mil has DNS resolution problems. Testing with RIPE Atlas probes, I can see that 30 % of the probes ca

Re: [dns-operations] DNS issues with .MIL

2015-06-08 Thread Stephane Bortzmeyer
On Sun, Jun 07, 2015 at 11:18:11PM +0200, Jaap Akkerhuis wrote a message of 12 lines which said: > There are also expired sigs etc., see > . And kingfisher1.stratcom.mil replies NXDOMAIN (with aa and ra...) to a request for a domain it is n

Re: [dns-operations] about answer status

2015-06-08 Thread Stephane Bortzmeyer
On Mon, Jun 08, 2015 at 04:12:03PM +0800, Kevin C. wrote a message of 56 lines which said: > At what case the nameserver returns "NOERROR" or "NXDOMAIN" for a > non-exist record? NOERROR is when there was no error :-) NXDOMAIN means "this name does not exist". They are two completely differen

Re: [dns-operations] about answer status

2015-06-08 Thread Stephane Bortzmeyer
On Mon, Jun 08, 2015 at 09:49:34AM +0100, Jim Reid wrote a message of 21 lines which said: > A NOERROR response with an empty Answer Section -- usually known as > a NOHOST response Never seen that word. NODATA seems to me much more common.
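The distinction drawn in the two messages above (NXDOMAIN means the name does not exist; a NOERROR reply with an empty answer section, NODATA, means the name exists but has no record of that type) is easy to get wrong when reading raw replies. The following is an added example, not code from the list or from any name server: it builds small wire-format replies, parses them (including RFC 1035 compression pointers) and classifies each one as ANSWER, CNAME, NODATA or the error rcode. The messages are constructed inline; none were captured from a real server.

```python
"""Classify a DNS reply as ANSWER, CNAME, NODATA or an error rcode.

Added example for this thread, not code from the posts. The sample replies are
constructed in build_reply(), not captured from any real server.
"""
import struct

TYPE_A, TYPE_CNAME, TYPE_AAAA = 1, 5, 28
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """'www.example.com.' -> uncompressed wire-format labels (RFC 1035 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_reply(qname, qtype, rcode, answers=()):
    """Minimal authoritative reply; answers is a list of (owner, rtype, rdata).

    The question name starts at offset 12, so an answer whose owner equals the
    query name is written as the compression pointer 0xC00C, as real servers do.
    """
    flags = 0x8400 | rcode                       # QR=1, AA=1, rcode in the low 4 bits
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)   # question, class IN
    for owner, rtype, rdata in answers:
        owner_wire = b"\xc0\x0c" if owner.lower() == qname.lower() else encode_name(owner)
        msg += owner_wire + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


def decode_name(msg, off):
    """Read a name at msg[off], following compression pointers; return (name, next_off)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # 2-byte pointer, continue at the target
            if end is None:
                end = off + 2                    # the field itself ends after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", (end if end is not None else off)


def classify(msg):
    """Return (status, rcode_name, matching_answer_count) for one reply message."""
    _, flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    matched = cnames = 0
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if owner == qname and rtype == qtype:
            matched += 1
        elif rtype == TYPE_CNAME:
            cnames += 1
    name = RCODE_NAMES.get(rcode, "RCODE%d" % rcode)
    if rcode != 0:
        return name, name, matched               # NXDOMAIN, SERVFAIL, ...: the rcode is the status
    if matched:
        return "ANSWER", name, matched
    if cnames:
        return "CNAME", name, matched            # NOERROR, data lives at the CNAME target
    return "NODATA", name, matched               # NOERROR + empty answer: name exists, type does not


if __name__ == "__main__":
    for rcode, answers in ((0, ()), (3, ()), (0, [("x.example.", TYPE_A, bytes([192, 0, 2, 1]))])):
        print(classify(build_reply("x.example.", TYPE_A, rcode, answers)))
```

Note that the classifier looks only at the answer section and the rcode, which is all the thread's question needs; a full validator would also check that the owner of the answers matches the query and, for NODATA, that the authority section carries the SOA (or NSEC/NSEC3 records) a cache needs for negative caching.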

Re: [dns-operations] about answer status

2015-06-08 Thread Stephane Bortzmeyer
On Mon, Jun 08, 2015 at 09:49:34AM +0100, Jim Reid wrote a message of 21 lines which said: > FWIW there's an inconsistency between the two authoritative name > servers for game.yy.com. dwdns1.nsbeta.info returns NOHOST while > dwdns2.nsbeta.info returns NXDOMAIN for lookups of > defensor.game.

Re: [dns-operations] about answer status

2015-06-08 Thread Stephane Bortzmeyer
On Mon, Jun 08, 2015 at 10:45:34AM +0100, Jim Reid wrote a message of 13 lines which said: > It's dwdns2 that returns NODATA and dwdns1 that returns > NXDOMAIN. Lack of coffee again...

% drink coffee
% repeat 3 drink coffee
% dig @dwdns1.nsbeta.info defensor.game.yy.com | grep NOERROR

Re: [dns-operations] 答复: about answer status

2015-06-08 Thread Stephane Bortzmeyer
On Mon, Jun 08, 2015 at 08:47:12AM +, 张在峰 wrote a message of 43 lines which said: > I think you can read this article > https://engineering.opendns.com/2014/06/23/nxdomain-nodata-debugging-dns-dual-stacked-hosts/ > and get the answer. Unfortunately, this article starts with a mistake: >

Re: [dns-operations] about answer status

2015-06-08 Thread Stephane Bortzmeyer
On Mon, Jun 08, 2015 at 11:16:35AM +0100, Jim Reid wrote a message of 25 lines which said: > FWIW at 08:43 UTC today: ... > At 10:04 UTC today: They read the mailing list and fix in real-time :-)

Re: [dns-operations] .MW inconsistent zone updates?

2015-06-25 Thread Stephane Bortzmeyer
On Thu, Jun 25, 2015 at 10:23:46AM +0200, Gunter Grodotzki wrote a message of 47 lines which said: > I did a domain update last week on cheki.mw, but it seems like some > OPs are either sleeping or their syncing is not really working ;) Inconsistencies are always fun to observe (remember the

Re: [dns-operations] .MW inconsistent zone updates?

2015-06-25 Thread Stephane Bortzmeyer
On Thu, Jun 25, 2015 at 11:12:40AM +0200, Gunter Grodotzki wrote a message of 78 lines which said: > But shouldn't that raise a big red flag - even if it is not your > fault? DNS operator hat _on_. At $DAYJOB, we both have secondaries for other domains, and domains for which we use outside se

Re: [dns-operations] sibling glue

2015-06-25 Thread Stephane Bortzmeyer
On Tue, Jun 23, 2015 at 02:18:59PM -0300, Joe Abley wrote a message of 119 lines which said: > The EPP data model includes host objects and domain objects. Every > domain is linked to one or more host objects (two or more in > practice, for policy reasons orthogonal to the data model). But ha

Re: [dns-operations] The root zone at past 1000.

2015-07-13 Thread Stephane Bortzmeyer
On Mon, Jul 13, 2015 at 01:01:36PM +, Shane Kerr wrote a message of 23 lines which said: > I look forward to reviewing the next DITL captures and seeing how > much this has improved the lives of everyday Internet users! ;) I feel much better now that we have .pizza, .black and .cafe.

[dns-operations] An interesting attack against the SOA MNAME of some TLDs

2017-02-08 Thread Stephane Bortzmeyer
It appears some TLDs have a MNAME (primary server) field in the SOA record which does not exist *and* is in a registrable SLD. A bad guy can buy the SLD and then receive the traffic aimed to the MNAME. This is mostly Dynamic Update traffic for Windows machines. If you like big data, you will get a

Re: [dns-operations] glitch on [ip6|in-addr].arpa?

2019-10-10 Thread Stephane Bortzmeyer
On Thu, Oct 10, 2019 at 04:39:19PM +0200, Warren Kumari wrote a message of 64 lines which said: > The lack of peering with a network doesn't prevent my accessing them, This is true for the IPv4 Internet, where there is always another route, but the IPv6 Internet is not so well connected, and

Re: [dns-operations] glitch on [ip6|in-addr].arpa?

2019-10-11 Thread Stephane Bortzmeyer
On Thu, Oct 10, 2019 at 04:36:32PM -0400, Adam Vallee wrote a message of 114 lines which said: > DoH and DoT have only become a thing since GDPR. Why is no one > saying anything? Are you serious? A lot of electrons are moved around DoH. Many articles (most of them wrong). You certainly cannot

Re: [dns-operations] s3.amazonaws.com problem?

2019-10-23 Thread Stephane Bortzmeyer
On Wed, Oct 23, 2019 at 11:34:57AM +0100, Greg Choules via dns-operations wrote a message of 136 lines which said: > It appears that Amazon are blocking queries of type CNAME. Not for me.

% dig @ns-27.awsdns-03.com. CNAME mycloudydatadffgdfssdf.s3.amazonaws.com.

; <<>> DiG 9.11.5-P4-5.1-Deb

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Stephane Bortzmeyer
On Wed, Nov 27, 2019 at 10:38:32AM -0500, Keith Mitchell wrote a message of 37 lines which said: > On garbage-collecting crap traffic, it's worth looking at AS112. There has been a proposal at IETF to use AS112 as a sinkhole for "special" TLDs such as .local or .home, which are responsible f

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Stephane Bortzmeyer
On Mon, Dec 02, 2019 at 10:17:30AM -0500, Mark Allman wrote a message of 36 lines which said: > Obviously, there could be a more comprehensive analysis, but I think > that gives some idea about how stable the root zone file is in > practice. IMHO, this is by far the biggest issue with your pr

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Stephane Bortzmeyer
On Wed, Dec 11, 2019 at 01:20:13PM +, Jim Reid wrote a message of 22 lines which said: > In principle, they could all change at once, In reality, they > don’t. When making a change of this nature, established wisdom is to > change half of the NS records (or their glue), wait a few days to

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Stephane Bortzmeyer
On Wed, Dec 11, 2019 at 03:51:14PM +, Livingood, Jason wrote a message of 7 lines which said: > Seems like the answer then is to have the resolver check for updates > more frequently. The file is tiny and so this is not in the least > going to be resource-intensive. Just check every XX min

Re: [dns-operations] IPv6 only for nameservers

2019-12-30 Thread Stephane Bortzmeyer
On Mon, Dec 30, 2019 at 05:18:01PM +0300, Anand Buddhdev wrote a message of 17 lines which said: > If your domain's authoritative name servers have only IPv6 > addresses, then your domain will not be resolvable by many resolvers > on the Internet, because many of them only have IPv4 connectivi

Re: [dns-operations] help with a resolution

2020-01-08 Thread Stephane Bortzmeyer
On Wed, Jan 08, 2020 at 08:56:41AM +0800, William C wrote a message of 59 lines which said: > Can you help check why public nameservers (all 8.8.8.8, 1.1.1.1, 9.9.9.9 > etc) can't resolve this domain? As explained by several experts, this domain is DNSSEC-broken. This has nothing to do with t

Re: [dns-operations] help with a resolution

2020-01-08 Thread Stephane Bortzmeyer
On Wed, Jan 08, 2020 at 07:05:04PM +0800, William C wrote a message of 15 lines which said: > 1. how to check if a zone has a valid DNSSEC key? If you are not a DNSSEC expert, DNSviz is a handy tool > 2. how to validate if the zone has been signed with correct key? DNS

[dns-operations] DNS of Turk Telekom

2020-01-21 Thread Stephane Bortzmeyer
Anyone has more detailed concrete information about this "DNS attack"? https://www.itnews.com.au/news/turk-telekom-says-internet-access-restored-after-cyber-attack-536767

[dns-operations] Algorithm but no signature in .in?

2020-03-26 Thread Stephane Bortzmeyer
Some resolvers protest on .in. It seems they have a RSASHA256 key but no RSASHA256 signatures, thus violating RFC 4035, section 2.2 "There MUST be an RRSIG for each RRset using at least one DNSKEY of EACH ALGORITHM". (Cannot show a nice DNSviz picture, DNSviz seems broken at this time.)
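Two of the failures on this page are mechanical enough to check from the zone's apex records alone: the .KE thread earlier (a DNSKEY RRset republished with RRSIGs whose expiration, 20140831155438, was months in the past) and the .in message above (a DNSKEY algorithm present in the key set with no RRSIG of that algorithm, which RFC 4035 section 2.2 forbids). The block below is an added example, not code from the list or from any validator: it parses presentation-format DNSKEY/RRSIG lines, checks each RRSIG's validity window with the RFC 1982 serial arithmetic that RFC 4034 prescribes for the 32-bit timestamps, and reports every RRset whose signatures do not cover every algorithm in the DNSKEY RRset. The records are constructed for illustration; only the .ke timestamps and key tag are taken from the thread, and the key and signature material is a placeholder.

```python
"""Validity-window and algorithm-coverage checks on DNSKEY/RRSIG records.

Added example for the .KE and .in threads on this page, not code from the
posts. Records are constructed; the .ke RRSIG timestamps and key tag 37471
are quoted from the thread, key/signature material is a placeholder.
"""
import calendar
import time

MASK32 = 0xFFFFFFFF


def parse_rr(line):
    """Parse 'owner ttl class type rdata...' (multi-line parentheses removed)."""
    toks = line.replace("(", " ").replace(")", " ").split()
    rr = {"owner": toks[0].lower(), "ttl": int(toks[1]), "type": toks[3]}
    rdata = toks[4:]
    if rr["type"] == "DNSKEY":                    # RFC 4034 2.2: flags protocol algorithm key
        rr.update(flags=int(rdata[0]), protocol=int(rdata[1]), alg=int(rdata[2]))
    elif rr["type"] == "RRSIG":                   # RFC 4034 3.2
        rr.update(covered=rdata[0], alg=int(rdata[1]), labels=int(rdata[2]),
                  orig_ttl=int(rdata[3]), expiration=rdata[4], inception=rdata[5],
                  keytag=int(rdata[6]), signer=rdata[7].lower())
    return rr


def sig_time(ts):
    """YYYYMMDDHHmmSS in UTC (RFC 4034 3.2) -> 32-bit seconds since the epoch."""
    return calendar.timegm(time.strptime(ts, "%Y%m%d%H%M%S")) & MASK32


def serial_gt(a, b):
    """RFC 1982 serial-number comparison on 32-bit values: is a > b?"""
    d = (a - b) & MASK32
    return 0 < d < 2 ** 31


def window_problems(rrsigs, now):
    """List (covered type, key tag, problem) for RRSIGs not valid at time `now`."""
    now32 = now & MASK32
    out = []
    for s in rrsigs:
        if serial_gt(sig_time(s["inception"]), now32):
            out.append((s["covered"], s["keytag"], "not yet valid"))
        elif serial_gt(now32, sig_time(s["expiration"])):
            out.append((s["covered"], s["keytag"], "expired"))
    return out


def uncovered_algorithms(records):
    """RFC 4035 2.2: each RRset needs an RRSIG from a key of every algorithm in the DNSKEY RRset.

    Returns {rrtype: set of algorithms with no RRSIG over that RRset}; empty when compliant.
    """
    key_algs = {r["alg"] for r in records if r["type"] == "DNSKEY"}
    sig_algs, rrset_types = {}, set()
    for r in records:
        if r["type"] == "RRSIG":
            sig_algs.setdefault(r["covered"], set()).add(r["alg"])
        else:
            rrset_types.add(r["type"])
    missing = {t: key_algs - sig_algs.get(t, set()) for t in rrset_types}
    return {t: algs for t, algs in missing.items() if algs}


def audit(lines, now):
    """Run both checks over presentation-format apex records at time `now`."""
    records = [parse_rr(line) for line in lines]
    rrsigs = [r for r in records if r["type"] == "RRSIG"]
    return {"windows": window_problems(rrsigs, now), "uncovered": uncovered_algorithms(records)}


# Constructed: what .ke served (algorithm 5 key, signature from the thread, key data placeholder).
KE_RECORDS = [
    "ke. 14400 IN DNSKEY 257 3 5 AwEAAcPLACEHOLDERKEY",
    "ke. 14348 IN RRSIG DNSKEY 5 1 14400 ( 20140831155438 20140801145438 37471 ke. hZjCZSIT1T2r+UPLACEHOLDER )",
]

# Constructed: an RSASHA256 (8) key in the DNSKEY RRset, but only RSASHA1 (5) signatures.
MIXED_ALG_RECORDS = [
    "example. 3600 IN DNSKEY 257 3 8 AwEAAcPLACEHOLDERKEY",
    "example. 3600 IN DNSKEY 256 3 5 AwEAAcPLACEHOLDERKEY",
    "example. 3600 IN RRSIG DNSKEY 5 1 3600 20200501000000 20200301000000 12345 example. SIGPLACEHOLDER",
    "example. 3600 IN SOA ns1.example. hostmaster.example. 1 7200 3600 1209600 3600",
    "example. 3600 IN RRSIG SOA 5 1 3600 20200501000000 20200301000000 12345 example. SIGPLACEHOLDER",
]

if __name__ == "__main__":
    print(audit(KE_RECORDS, sig_time("20150331120000")))
    print(audit(MIXED_ALG_RECORDS, sig_time("20200326120000")))
```

The serial comparison matters more than it looks: a naive integer compare would misjudge timestamps on either side of the 2106 wrap, and the same arithmetic is what a validator applies, so a checker that disagrees with it would produce false alarms exactly when the real ones occur.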

Re: [dns-operations] question on query to DNS server's IPv6 interface

2020-03-31 Thread Stephane Bortzmeyer
On Tue, Mar 31, 2020 at 08:37:30PM +0800, Tessa Plum wrote a message of 13 lines which said: > Another question, in DNS server, how to count how many queries were > from IPv6 interface, and how many queries were from IPv4 interface? It depends on the name server. Here is an example with nsd:

Re: [dns-operations] solutions for DDoS mitigation of DNS

2020-04-02 Thread Stephane Bortzmeyer
On Thu, Apr 02, 2020 at 10:14:14AM +0800, Tessa Plum wrote a message of 14 lines which said: > May I ask if there are any solutions for DDoS mitigation of DNS? All solutions that were mentioned here are correct but incomplete: there is no general solution against dDoS, because "it depends". T

Re: [dns-operations] solutions for DDoS mitigation of DNS

2020-04-02 Thread Stephane Bortzmeyer
On Wed, Apr 01, 2020 at 07:35:35PM -0700, Fred Morris wrote a message of 10 lines which said: > Depends on what you mean. You might look at "response rate limiting" in for > instance BIND. -- FWM RRL protects people against you (when your name server is used as a reflector) but not really you

Re: [dns-operations] solutions for DDoS mitigation of DNS

2020-04-02 Thread Stephane Bortzmeyer
On Thu, Apr 02, 2020 at 03:06:49AM +, Paul Vixie wrote a message of 29 lines which said: > to keep your own recursive servers from amplifying spoofed-source > attacks, you need ACL's that make it unreachable outside your > specific client base. ACLs in the server are not enough, you also

Re: [dns-operations] solutions for DDoS mitigation of DNS

2020-04-02 Thread Stephane Bortzmeyer
On Thu, Apr 02, 2020 at 11:51:05AM +0800, Tessa Plum wrote a message of 37 lines which said: > We were under some attack like UDP flood to the authority servers, DNS or another type? > The traffic size was about 20Gbps Note that for DNS traffic, the useful metric is often packets-per-second

Re: [dns-operations] solutions for DDoS mitigation of DNS

2020-04-02 Thread Stephane Bortzmeyer
On Thu, Apr 02, 2020 at 05:12:29PM +0800, Tessa Plum wrote a message of 11 lines which said: > All the packages were DNS requests, some queries like 'dig domain.com any'. > but their IP address seems spoofed. In that case, yes, RRL would help.
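The two messages above make a point that is easy to misread: RRL limits what the server sends back per (client prefix, response) and so caps the reflected flow towards a spoofed victim, but every incoming packet is still received and parsed, so it does nothing for the server's own inbound capacity. The following is an added example, not code from the list and not BIND's implementation: a simplified response rate limiter in the BIND style, keyed on the client's /24 (or /56) and the response identity, with a credit bucket and "slip" (a TC=1 reply every Nth penalised query, so a real client retries over TCP while a spoofed victim only gets a tiny packet). The parameter names, the traffic and the addresses are constructed; a replay of a spoofed ANY flood shows how many full, truncated and dropped responses the victim's prefix receives.

```python
"""A minimal model of response rate limiting (RRL) on an authoritative server.

Added example for this thread; not code from the posts and not BIND's RRL
(the design follows it loosely: key on client prefix + response identity,
credit bucket refilled at responses_per_second, slip every Nth penalised
query). Parameter names, addresses and traffic below are constructed.
"""
import ipaddress
from collections import defaultdict


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, window=2, slip=2, v4_prefix=24, v6_prefix=56):
        self.rps, self.window, self.slip = responses_per_second, window, slip
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.max_credits = responses_per_second * window   # burst a prefix may take at once
        self.state = {}                                    # key -> [credits, last_ts, penalised]

    def _key(self, client_ip, qname, qtype, rcode):
        ip = ipaddress.ip_address(client_ip)
        plen = self.v4_prefix if ip.version == 4 else self.v6_prefix
        net = ipaddress.ip_network("%s/%d" % (ip, plen), strict=False)
        # NXDOMAIN replies are keyed on the rcode only: a random-subdomain flood
        # would otherwise never share a key and never be limited.
        ident = ("NXDOMAIN",) if rcode == 3 else (qname.lower(), qtype.upper(), rcode)
        return (net, ident)

    def decide(self, ts, client_ip, qname, qtype, rcode=0):
        """Return 'answer', 'slip' (send a TC=1 reply) or 'drop' for one query at time ts."""
        key = self._key(client_ip, qname, qtype, rcode)
        credits, last, penalised = self.state.get(key, (self.max_credits, ts, 0))
        credits = min(self.max_credits, credits + (ts - last) * self.rps)   # refill
        credits -= 1
        if credits >= 0:
            self.state[key] = [credits, ts, 0]
            return "answer"
        credits = max(credits, -self.max_credits)      # bound the debt so a prefix can recover
        penalised += 1
        self.state[key] = [credits, ts, penalised]
        return "slip" if self.slip and penalised % self.slip == 0 else "drop"


def simulate(limiter=None):
    """Replay constructed traffic and count decisions per source.

    100 spoofed 'ANY example.com' queries claiming to come from the victim
    192.0.2.1 arrive within one second; a genuine client at 198.51.100.7
    asks for an A record three times over the same period.
    """
    rrl = limiter or ResponseRateLimiter()
    counts = defaultdict(lambda: defaultdict(int))
    for i in range(100):
        counts["victim"][rrl.decide(i / 100.0, "192.0.2.1", "example.com.", "ANY")] += 1
    for i in range(3):
        counts["client"][rrl.decide(i * 0.4, "198.51.100.7", "www.example.com.", "A")] += 1
    return {who: dict(c) for who, c in counts.items()}


if __name__ == "__main__":
    print(simulate())
```

With the defaults the victim's /24 gets 10 full responses (the burst allowance), 45 truncated ones and 45 drops instead of 100 amplified replies, while the unrelated client is untouched; the server still did the work of receiving and classifying all 103 queries, which is the point made above about RRL protecting others rather than you.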

Re: [dns-operations] solutions for DDoS mitigation of DNS

2020-04-02 Thread Stephane Bortzmeyer
On Thu, Apr 02, 2020 at 03:06:17PM +0800, Tessa Plum wrote a message of 18 lines which said: > I never knew BCP38 before. I will try to study it. BCP38 is Good, *but* it protects others against you. So, to be protected, you need the *others* to implement it.

Re: [dns-operations] solutions for DDoS mitigation of DNS

2020-04-02 Thread Stephane Bortzmeyer
On Thu, Apr 02, 2020 at 11:05:48AM +0100, Tony Finch wrote a message of 30 lines which said: > > ACLs in the server are not enough, you also need ingress filtering > > on the borders of your network, to prevent packets claiming to be > > from your network to get inside. > > That kind of ingre

Re: [dns-operations] solutions for DDoS mitigation of DNS

2020-04-02 Thread Stephane Bortzmeyer
On Thu, Apr 02, 2020 at 05:39:48PM +0800, Davey Song wrote a message of 111 lines which said: > You said you are managing DNS for your university and your concern > for secondary DNS is privacy. I'm not sure what exactly the privacy > concerns are. RFC 7626. Also, it may raise issues about i

Re: [dns-operations] solutions for DDoS mitigation of DNS

2020-04-02 Thread Stephane Bortzmeyer
On Thu, Apr 02, 2020 at 09:31:18PM +0800, Tessa Plum wrote a message of 7 lines which said: > I think we can put the devices in our own network to protect such attacks. Commercial boxes are typically optimised for HTTP, DNS is very different. I remember a box which was creating an entry in me

Re: [dns-operations] NXDOMAIN vs NOERROR/no answers for non-existant records

2020-04-03 Thread Stephane Bortzmeyer
On Fri, Apr 03, 2020 at 12:31:38PM +0100, Matthew Richardson wrote a message of 75 lines which said: > where mtgmon.itconsult.net & monitor.itconsult.net are delegated to > different authoritatives. IMHO, the authoritative name servers for monitor.itconsult.net are correct and those for mtgmo

Re: [dns-operations] Cloudflare Rose and Rick in .com authoritative Nameserver

2020-04-22 Thread Stephane Bortzmeyer
On Mon, Apr 20, 2020 at 03:40:56PM +0200, Raffaele Sommese wrote a message of 35 lines which said: > registries do not enforce the consistency between glue records and > the same records served by the authoritative nameservers, right? Some do, some don't. That's the beauty of the Internet:-)

[dns-operations] A strange DNS problem (intermittent SERVFAILs)

2020-05-30 Thread Stephane Bortzmeyer
Several users on Twitter reported problems accessing Banque Populaire (a French bank) https://www.banquepopulaire.fr https://www.ibps.loirelyonnais.banquepopulaire.fr https://www.ibps.bpaca.banquepopulaire.fr https://www.ibps.mediterranee.banquepopulaire.fr/ From the limited reports, all errors p

Re: [dns-operations] A strange DNS problem (intermittent SERVFAILs)

2020-05-30 Thread Stephane Bortzmeyer
On Sat, May 30, 2020 at 06:50:53PM +, dagon wrote a message of 41 lines which said: > How can you even load > such a zone in a modern authority server? All modern auth > servers would fail, I believe. It may be that the authority server is correct but there is a firewall i

[dns-operations] About the coincheck.com hijacking

2020-06-05 Thread Stephane Bortzmeyer
There is something new in the hijacking of the domain name coincheck.com: the hijacker created domain names quite similar to the normal domain names of the nameservers. I believe it is the first time

Re: [dns-operations] dnsviz.net complaining "UDP_-_NOEDNS_" for gtld-servers.net

2020-06-05 Thread Stephane Bortzmeyer
On Fri, Jun 05, 2020 at 11:26:55AM +0200, Thomas Mieslinger wrote a message of 29 lines which said: > I have a customer complaining being unable to send/receive email. sportsproducts.net appear to DNS-work fine, so the problem is probably elsewhere. > https://dnsviz.net/d/sportsproducts.net/

Re: [dns-operations] DNSViz Access to C-root

2020-07-02 Thread Stephane Bortzmeyer
On Thu, Jul 02, 2020 at 11:51:53AM -0400, Matthew Pounsett wrote a message of 76 lines which said: > We’ve been in discussion with Cogent for a while about finding a > solution to the problem, and last month finally put something in > place. And what is the solution? A static tunnel to a Coge

[dns-operations] Fake “DNS Update” emails targeting site owners and admins

2020-07-07 Thread Stephane Bortzmeyer
Funny, DNSSEC is so successful that you can use it for phishing :-) https://www.helpnetsecurity.com/2020/06/30/fake-dns-update/ ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations

Re: [dns-operations] Dealing with the bizarre - grantee.fema.gov

2020-07-08 Thread Stephane Bortzmeyer
On Wed, Jul 08, 2020 at 11:20:27AM -0700, Brian Somers wrote a message of 38 lines which said: > I can only suspect that all 3 of these resolvers have an NTA for > this domain! No. My BIND and Unbound personal resolvers (which do not have an NTA) get a reply and set AD. The truth is elsewhere.

Re: [dns-operations] Dealing with the bizarre - grantee.fema.gov

2020-07-08 Thread Stephane Bortzmeyer
On Wed, Jul 08, 2020 at 09:15:02PM +0200, Stephane Bortzmeyer wrote a message of 57 lines which said: > No. My BIND and Unbound personal resolvers (which do not have an NTA) > get a reply and set AD. There are probably several different instances for each authoritative ser

Re: [dns-operations] Strange behavior of covid.cdc.gov

2020-08-31 Thread Stephane Bortzmeyer
On Mon, Aug 31, 2020 at 10:12:04PM +0900, Yasuhiro Orange Morishita / 森下泰宏 wrote a message of 18 lines which said: > But it seems to be a little bit strange. The auth servers of cdc.gov > zone serve unneeded (and unsigned) akam.cdc.gov zone. But they still > have DS RR for real akam.cdc.gov zo

Re: [dns-operations] Nameserver responses from different IP than destination of request

2020-09-01 Thread Stephane Bortzmeyer
On Tue, Sep 01, 2020 at 02:45:23AM +, P Vixie wrote a message of 22 lines which said: > you know that the plural of anecdote isn't data: I recently discovered this English word and I love it: https://en.wiktionary.org/wiki/anecdata

Re: [dns-operations] Cloudflare public DNS sometimes forwards incomplete&duplicated subset of NSEC RRs

2020-09-01 Thread Stephane Bortzmeyer
On Tue, Sep 01, 2020 at 01:48:17AM -0400, Viktor Dukhovni wrote a message of 71 lines which said: > * The apex wildcard record and signature identically ONLY from > Google, Verisign and Quad9. From CloudFlare, I get the munin01 > NSEC record and signature twice, but this alone

Re: [dns-operations] Seeking Advice: RIPEstat no longer recognizes my sub-zone under .university

2020-09-07 Thread Stephane Bortzmeyer
On Mon, Sep 07, 2020 at 02:52:45PM +0700, Pirawat WATANAPONGSE wrote a message of 123 lines which said: > I notice that one of our zones, “kasetsart.university”, is no longer > recognized by the RIPEstat Tool Suite [Reference: > >https://stat.ripe.net/widget/reverse-dns-ip#w.resource=158.108.2

Re: [dns-operations] Seeking Advice: RIPEstat no longer recognizes my sub-zone under .university

2020-09-07 Thread Stephane Bortzmeyer
On Mon, Sep 07, 2020 at 10:43:57AM +0200, Stephane Bortzmeyer wrote a message of 22 lines which said: > Since the main weakness of this domain is the lack of diversity in > authoritative name servers' IP addresses, I guess that your problem > comes from a routing issue betwee

Re: [dns-operations] random numbers

2020-09-14 Thread Stephane Bortzmeyer
On Thu, Sep 10, 2020 at 06:32:59PM -0700, Paul Vixie wrote a message of 56 lines which said: > < that will not cause fragmentation. The value recommended here is 1232 > bytes.>> > > this number is random, I don't think it is random. It is 1280 (RFC 8200, section 5) minus 40 (RFC 8200, sectio

[dns-operations] DNS attacks against FR/BE/NL resolvers of Internet access providers

2020-09-14 Thread Stephane Bortzmeyer
On 1 and 2 September 2020, several French IAPs (Internet Access Providers), including SFR and Bouygues, were "down". Their DNS resolvers were offline, and it does indeed seem that this was the result of an attack carried out against these resolvers. https://www.afnic.fr/en/resources/blog/about-the

Re: [dns-operations] DNS attacks against FR/BE/NL resolvers of Internet access providers

2020-09-15 Thread Stephane Bortzmeyer
On Mon, Sep 14, 2020 at 01:23:16PM -0700, Damian Menscher wrote a message of 87 lines which said: > > There are a great many public resolvers, the best known ones among > > which are operated by the major US corporations that have cornered > > a large proportion of Internet services and are of
