Re: Adding records to a domain I don't control for anyone who uses my nameserver
On Mon, Mar 02, 2009 at 01:07:36PM -0500, Matthew Huff mh...@ox.com wrote a message of 62 lines which said:

> Spoofing the dns zones is the only solution.

It won't work when (if) DNSSEC is deployed (and I assume the banking sector will be one of the first to adopt it)...

Why not use your own XMPP server, which you control and where you can activate logging? Trying to archive conversations on other servers seems pointless anyway; what if the users IM with Twitter or with a Web form?

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Adding records to a domain I don't control for anyone who uses my nameserver
> > Spoofing the dns zones is the only solution.
>
> Why not use your own XMPP server, which you control and where you can activate logging?

Actually, in a previous lifetime, we discovered that the MOST effective way to deal with this was to write it into the policy and procedures manual and make sure that everyone signs a copy of the manual with full understanding of the rules and why they are in place. Monitor for a bit (with no blocking in place so that fallback-to-hidden-protocol doesn't happen), warn the folks that were doing it, then, after a month, fire the folks that are caught continuing to break the policy.

As long as you don't enforce the underlying rules, there will always be someone breaking the rules, working around the system, and all you are doing is continuously playing catch-up. I don't like playing cat-and-mouse.

In the current economy, if someone feels that it is important enough to chat with someone at risk of losing their job, you don't need them, and they will prove to be a risk in some other way before too long anyway. If it's the CEO/CIO/CFO that continues to break the rules, you are working for the wrong company -- which, in this economy, leads to an entirely different set of problems.

AlanC
Re: Adding records to a domain I don't control for anyone who uses my nameserver
In article goadgr$2au...@sf1.isc.org, Barry Margolin bar...@alum.mit.edu wrote:

> In article go6pea$2ru...@sf1.isc.org, Brandon Dimcheff bdimc...@wieldim.com wrote:
>
> > Hello,
> >
> > I'm trying to configure BIND to add some records to a domain that I don't control, so that anybody who uses my nameserver will have the additional records. Specifically, I'm trying to add xmpp SRV records so our jabber infrastructure that uses our nameserver can contact a handful of domains properly. All other records for the domain should work as defined by their authoritative server.
> >
> > Example:
> > dig @127.0.0.1 SRV _xmpp_client._tcp.example.com.
> >   should return my SRV record hosted by my server
> > dig @127.0.0.1 A example.com
> >   should return example.com's A record by recursive lookup
> >
> > Does anybody have any suggestions? I've tried a few different things, but none of them seem to have worked.
>
> I don't think you can do this with BIND. Its database is organized by names, not types. If a server is authoritative for a name, it will never recurse for that name.

He could create a local zone for the domain _xmpp_client._tcp.example.com containing only the SRV record (plus the necessary SOA and NS records). That way any lookups for *.example.com and *._tcp.example.com would get directed to the real example.com servers.

It's a horrible thing to do, though, to claim authority for someone else's address space. What happens when example.com sets up its own _xmpp_client._tcp.example.com with different data in it? Who debugs that?

Sam
RE: Adding records to a domain I don't control for anyone who uses my nameserver
Unfortunately this is common in the financial services realm. Compliance requires us to archive all IM messages from google, aol, msn, and yahoo. Blocking it with acls doesn't work since the IM clients will resort to http and are pretty clever about hiding it. Blocking IP addresses doesn't work since they change frequently. Spoofing the dns zones is the only solution. The IM archive server companies usually provide email updates when some of the zones change.

Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Sam Wilson
Sent: Monday, March 02, 2009 12:56 PM
To: comp-protocols-dns-b...@isc.org
Subject: Re: Adding records to a domain I don't control for anyone who uses my nameserver
RE: Adding records to a domain I don't control for anyone who uses my nameserver
Try creating a zone file _xmpp_client._tcp.example.com and put the SRV record in there. Treat the host as an entire domain.

Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Brandon Dimcheff
Sent: Thursday, February 26, 2009 2:10 PM
To: bind-users@lists.isc.org
Subject: Adding records to a domain I don't control for anyone who uses my nameserver

Hello,

I'm trying to configure BIND to add some records to a domain that I don't control, so that anybody who uses my nameserver will have the additional records. Specifically, I'm trying to add xmpp SRV records so our jabber infrastructure that uses our nameserver can contact a handful of domains properly. All other records for the domain should work as defined by their authoritative server.

Example:
dig @127.0.0.1 SRV _xmpp_client._tcp.example.com.
  should return my SRV record hosted by my server
dig @127.0.0.1 A example.com
  should return example.com's A record by recursive lookup

Does anybody have any suggestions? I've tried a few different things, but none of them seem to have worked.

Thanks,
Brandon
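An added example (not from the thread) of the carve-out that both Matthew and Sam describe: a one-name master zone for the SRV owner, so the resolver answers that single name itself and still recurses for everything else under example.com. The relay host xmpp.corp.example, the SOA/NS names under corp.example, the output directory and the serial are constructed for the demo; note that RFC 6120 spells the label _xmpp-client._tcp (with a hyphen), while the thread uses _xmpp_client, which the script keeps.

```shell
#!/bin/sh
# Added example, not from the bind-users thread. Writes a named.conf stanza
# and a zone file that claim authority for exactly one owner name, then
# validates the zone with BIND's checker when it is available.
set -eu

OUT="${OVERRIDE_DIR:-./override-demo}"   # constructed output directory
NAME="_xmpp_client._tcp.example.com"      # owner name as used in the thread

write_override() {
    mkdir -p "$OUT"
    # 1) named.conf fragment: the server is master for the single SRV owner
    #    name only, so example.com and *._tcp.example.com still recurse.
    cat > "$OUT/named.conf.override" <<EOF
zone "$NAME" {
    type master;
    file "$OUT/$NAME.zone";
};
EOF
    # 2) Zone file: SOA and NS are mandatory at the apex; the SRV is the
    #    record we actually want clients to see. Target host and serial are
    #    constructed values.
    cat > "$OUT/$NAME.zone" <<EOF
\$TTL 300
@   IN  SOA ns1.corp.example. hostmaster.corp.example. (
        2009030201 ; serial (constructed)
        3600 900 604800 300 )
    IN  NS  ns1.corp.example.
    IN  SRV 0 0 5222 xmpp.corp.example.
EOF
}

# Run named-checkzone if BIND is installed; print "skipped" otherwise so the
# demo also runs on a host without BIND.
check_override() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$NAME" "$OUT/$NAME.zone" >/dev/null && echo ok
    else
        echo skipped
    fi
}

write_override
check_override
```

The DNSSEC caveat raised earlier in the thread still applies: once example.com is signed, a validating client will treat this unsigned carve-out as bogus rather than use it.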