Re: [FRnOG] Re: Semaine de la signature de la racine DNS

Alexandre Novakovski Wed, 27 Jan 2010 02:56:38 -0800

Cyril Lavier wrote:
> Le 27 janvier 2010 10:57, Benoit Boissinot <bbois...@gmail.com> a écrit :
>> 2010/1/27 Stephane Bortzmeyer <bortzme...@nic.fr>:
>>> On Tue, Jan 26, 2010 at 08:56:35PM +0100,
>>>  jul <jul_...@yahoo.fr> wrote
>>>  a message of 31 lines which said:
>>>
>>>> * pas Google DNS
>>>> $ dig @8.8.8.8 +short rs.dns-oarc.net txt
>>>> rst.x476.rs.dns-oarc.net.
>>>> rst.x485.x476.rs.dns-oarc.net.
>>>> rst.x490.x485.x476.rs.dns-oarc.net.
>>>> "209.85.228.94 DNS reply size limit is at least 490"
>>>> "209.85.228.94 lacks EDNS, defaults to 512"
>>>> "Tested at 2010-01-26 19:46:05 UTC"
>>> Comme OpenDNS, il ne gère pas EDNS. C'est mal (mais c'est probablement
>>> dû à leur statut de résolveur DNS ouvert et leur souci d'éviter de
>>> servir de relais pour des attaques par amplification, cf.
>>> <http://www.bortzmeyer.org/5358.html>).
>> Ce n'est pas désactivé:
>> http://groups.google.com/group/public-dns-discuss/browse_thread/thread/dbb211033c886680/e24197a24866ff18
>> Mais il y a en effet une protection contre les amplifications attacks:
>> http://code.google.com/speed/public-dns/docs/security.html#rate_limit
>>
>> Benoit
>> ---------------------------
>> Liste de diffusion du FRnOG
>> http://www.frnog.org/
>>
>>
> 
> Chez Orange, j'ai l'impression qu'ils ont encore du boulot à faire
> 
> cy...@dandenong:~$ dig +short rs.dns-oarc.net txt
> rst.x1002.rs.dns-oarc.net.
> rst.x1222.x1002.rs.dns-oarc.net.
> rst.x1403.x1222.x1002.rs.dns-oarc.net.
> "80.12.2.6 DNS reply size limit is at least 1403"
> "80.12.2.6 sent EDNS buffer size 4096"
> "Tested at 2010-01-27 10:32:23 UTC"
> 
> A moins que ce soit mon modem-routeur qui cause ça.
> 
> @+
>


Même chose chez orange :

dig +short rs.dns-oarc.net txt
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"209.85.128.94 DNS reply size limit is at least 490"
"209.85.128.94 lacks EDNS, defaults to 512"
"Tested at 2010-01-27 10:48:08 UTC"

dig +short rs.dns-oarc.net txt
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"209.85.128.94 DNS reply size limit is at least 490"
"209.85.128.94 lacks EDNS, defaults to 512"
"Tested at 2010-01-27 10:49:30 UTC"

Dédibox :

dig +short rs.dns-oarc.net txt
rst.x996.rs.dns-oarc.net.
rst.x1956.x996.rs.dns-oarc.net.
rst.x2442.x1956.x996.rs.dns-oarc.net.
"88.191.100.8 sent EDNS buffer size 4096"
"88.191.100.8 DNS reply size limit is at least 2442"
"Tested at 2010-01-27 10:54:23 UTC"

OVH :

dig +short rs.dns-oarc.net txt
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"91.121.96.227 sent EDNS buffer size 4096"
"91.121.96.227 DNS reply size limit is at least 3843"
"Tested at 2010-01-27 10:55:26 UTC"

<<attachment: anovakovski.vcf>>

signature.asc
Description: OpenPGP digital signature

Re: [FRnOG] Re: Semaine de la signature de la racine DNS

Répondre à