Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-15 Thread David Conrad
Florian,

On Oct 15, 2013, at 10:24 PM, Florian Weimer  wrote:
> There's a tendency to selectively block DNS traffic, which can be a
> pain to debug.  

True. Hate that. A lot.

> Various network issues might only affect DNS recursor traffic.

Given the information provided in the scenario, I feel it safe to assume a 
company of 100 with 2 full-time IT staff would have a clear channel for 
Internet traffic.  If not, I would agree with your caveat (and question the 
company's sanity).

Regards,
-drc




___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-15 Thread Florian Weimer
* Vernon Schryver:

> The question had nothing to do about J. Sixpack with 37 televisions,
> phones, and other devices behind a NAT router owned by and remotely
> maintained by Comcast.

Perhaps because they are already running a DNS cache on the local
network. :-P


Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-15 Thread Vernon Schryver
> From: Jared Mauch 

> >  ... "Mercedes"...
>
> Have you ever driven one?  They are mighty nice :)
>
> Back in the 90's I would agree everyone should run a DNS server as
> the network wasn't as robust as it is today.

On the contrary, in the relevant sense, the network today is less
"robust" than it has ever been.  You don't want a commodity luxury
sedan while driving across Syria, Iraq, Afghanistan, or the Gobi Desert
despite the fact that many roads in Europe and N. America are more
"robust" than they've ever been.  Where roads are bad or non-existent
or where there are significant security hazards, you need something
with more armor, ground clearance, spare fuel, water, emergency supplies,
or even guns than are economical or safest elsewhere.

> Some folks may need local elements (e.g.: MS DNS/AD), but these should not be 
> exposed to the internet...
>
> Everyone else should just use either their ISP (with NXDOMAIN rewriting 
> turned off) or someone like OpenDNS that can help enforce some security 
> policies and practices with a few knobs being turned at most.
>
> Folks like Comcast have large validating resolvers.  Their customers should 
> use them.  Folks here are surely going to do the right thing the majority of 
> the time.  The vast majority of others are going to set things up once and it 
> *will* be left to rot.  This isn't intentional, but it naturally happens.

The question had nothing to do about J. Sixpack with 37 televisions,
phones, and other devices behind a NAT router owned by and remotely
maintained by Comcast.  Instead the question concerned a business with
2 IT professionals.  Relying on distant DNS servers is negligent and
grossly incompetent for a professionally run network.  When the DNS
servers in question are known to lie, it should be as much a crime as
failing to wash your cantaloupes in Clorox.
https://www.google.com/search?q=COMCAST+dns+hijacking
https://www.google.com/search?q=jensen+farms+criminal
The same applies when there are Great or small firewalls between the
DNS client and distant validating recursive resolvers.

Even Joe and Joan Sixpack should, if they can, think carefully about
relying on distant DNS servers.  If you wouldn't give your ISP your
bank passwords, then you shouldn't rely on your ISP to validate your
RRs.  Those who control your RRs can get your passwords, albeit with
varying effort.

Should Joe and Joan rely on government approved DNS servers while they
are in China, Iran, or Syria?

Never mind that if the U.S. NSA, FBI, CIA, etc. are competent, they've
used DNS creatively such as to install software on the computers of
their targets or deploy MX RRs to monitor email.


Vernon Schryver    v...@rhyolite.com


Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-15 Thread Jared Mauch

On Oct 15, 2013, at 4:58 PM, Paul Hoffman  wrote:

> On Oct 15, 2013, at 1:36 PM, Jared Mauch  wrote:
> 
>> On Oct 15, 2013, at 2:12 AM, Peter Koch  wrote:
>> 
>>> sure. Yet another instance of "the DNS people have said ...". Come on.
>> 
>> This is akin to asking the founding member of the local Mercedes car club 
>> what sort of car you should get. :)
>> 
>> Is there something wrong with this?
> 
> It could have been, but the responses were a few on one pole, a few on the 
> other, and a lot of "it depends". Some of the "it depends" responses leaned 
> in one direction, but some leaned in the other. And I don't think anyone 
> said "Mercedes"...

Have you ever driven one?  They are mighty nice :)

Back in the 90's I would agree everyone should run a DNS server as the network 
wasn't as robust as it is today.

Some folks may need local elements (e.g.: MS DNS/AD), but these should not be 
exposed to the internet.  They lack the ability to scope responses based on the 
query source to prevent them being global open resolvers.  They are just fine 
for behind a firewall/NAT to take stub queries and meet the internal IT needs.

Everyone else should just use either their ISP (with NXDOMAIN rewriting turned 
off) or someone like OpenDNS that can help enforce some security policies and 
practices with a few knobs being turned at most.

Folks like Comcast have large validating resolvers.  Their customers should use 
them.  Folks here are surely going to do the right thing the majority of the 
time.  The vast majority of others are going to set things up once and it 
*will* be left to rot.  This isn't intentional, but it naturally happens.

- Jared


Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-15 Thread Wiley, Glen
I think it is a meaningful question, if I want to buy a car I would like
to hear what folks experienced with the car have to say.  I may not agree
entirely and may add other input to the discussion, but I still want to
hear how the Mercedes dealer defends the idea that his car is better.

The answer to nearly everything in life "depends" (with the exception of
mathematics and a few moral questions), particularly technology decisions
- it is helpful to hear from both poles (as Paul puts it) and then take an
informed decision.
-- 
Glen Wiley
KK4SFV

Sr. Engineer
The Hive, Verisign, Inc.




On 10/15/13 4:58 PM, "Paul Hoffman"  wrote:

>On Oct 15, 2013, at 1:36 PM, Jared Mauch  wrote:
>
>> On Oct 15, 2013, at 2:12 AM, Peter Koch  wrote:
>> 
>>> sure. Yet another instance of "the DNS people have said ...". Come on.
>> 
>> This is akin to asking the founding member of the local Mercedes car
>>club what sort of car you should get. :)
>> 
>> Is there something wrong with this?
>
>It could have been, but the responses were a few on one pole, a few on
>the other, and a lot of "it depends". Some of the "it depends" responses
>leaned in one direction, but some leaned in the other. And I don't
>think anyone said "Mercedes"...
>
>--Paul Hoffman



Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-15 Thread Paul Hoffman
On Oct 15, 2013, at 1:36 PM, Jared Mauch  wrote:

> On Oct 15, 2013, at 2:12 AM, Peter Koch  wrote:
> 
>> sure. Yet another instance of "the DNS people have said ...". Come on.
> 
> This is akin to asking the founding member of the local Mercedes car club 
> what sort of car you should get. :)
> 
> Is there something wrong with this?

It could have been, but the responses were a few on one pole, a few on the 
other, and a lot of "it depends". Some of the "it depends" responses leaned in 
one direction, but some leaned in the other. And I don't think anyone said 
"Mercedes"...

--Paul Hoffman


Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-15 Thread Jared Mauch

On Oct 15, 2013, at 2:12 AM, Peter Koch  wrote:

> sure. Yet another instance of "the DNS people have said ...". Come on.

This is akin to asking the founding member of the local Mercedes car club what 
sort of car you should get. :)

Is there something wrong with this?

- Jared


Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-15 Thread Dan York
On 10/14/13 4:24 PM, "Paul Hoffman"  wrote:


>On Oct 14, 2013, at 12:43 PM, Suzanne Woolf  wrote:
>
>> I've really enjoyed reading the responses to this,
>
>+1

+1. The variety of responses has been both interesting and useful.

> 
>
>> and admit my own answer is (yet another flavor of) "It depends."
>
>That seems to be the median so far.

As is mine (an "it depends" variation)... from an ideal perspective and
being an advocate of DNSSEC, I'd like a DNSSEC-validating recursive
resolver to be deployed as close as possible to the end user so that the
potential for attackers to be in the path is as minimal as can be. In my
truly ideal world I'd like that DNSSEC validation to be occurring within
the operating system running on the user's computer or perhaps even in the
application they are using.  So on a macro level I definitely agree with
comments here by Paul Vixie and others.

That said, the answer really depends upon the quality of the IT staff and
what you consider "average IT talents".  I've seen many small organizations
such as that described where the 2 IT people run all the servers, run the
network infrastructure and provide great service to the users - and they
should definitely run their own recursive resolvers.  I've also seen other
organizations where the 2 IT people are so buried in firefighting all
their daily issues that they don't necessarily have the time, energy or
knowledge to do more than keep up with virus issues, password resets or
whatever other fires they are fighting. In those cases, even as simple as
a recursive resolver would be to operate, the cases where there are
problems would be more than the IT staff could truly handle - and they
would look to outsource that to the ISP's resolver (or Google or OpenDNS).
And in all honesty the users might be safer with that outsourced DNS
resolver.

On a strategic level, I don't like this second answer...  but I understand
*why* it might be appropriate for some small organizations.

>> I'm wondering what motivated the question, particularly in such a
>>generic form.
>
>In various discussions on different DNS-related topics, some people have
>said that "obviously" everyone should have a resolver at X, where X had
>wildly different values. I thought it would be useful to create a
>"typical" use case and see if X converged in a community such as this.
>
>It didn't. That's a useful data point for people creating other protocols
>who have to listen to commenters who say where resolvers need to be.

Thanks for stimulating the discussion.

Dan

--
Dan York
Senior Content Strategist, Internet Society
y...@isoc.org    +1-802-735-1624
Jabber: y...@jabber.isoc.org 
Skype: danyork   http://twitter.com/danyork

http://www.internetsociety.org/deploy360/ 



Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-15 Thread Florian Weimer
* David Conrad:

> Running a recursive server is (should be) far easier than running
> the vast majority of other "local servers".  If it isn't, they're
> using the wrong recursive server.  With the exception of root key
> rollover, running a recursive server is a fire-and-forget type
> service (modulo some initial configuration to avoid being an open
> resolver).

There's a tendency to selectively block DNS traffic, which can be a
pain to debug.  Various network issues might only affect DNS recursor
traffic.

I agree that on a clean network, a DNS recursor should be easy to set
up and maintain, but you often learn after the fact that your network
isn't so clean after all. :-(


Re: [dns-operations] Fwd: [AusNOG] Layer 7 - Distrusted Source (within a single AS) Distrusted Distention - Denial of Service Attack

2013-10-15 Thread Mukund Sivaraman
On Tue, Oct 15, 2013 at 03:58:10AM +, Dobbins, Roland wrote:
> What we have noticed however is all the attack traffic regardless of
> the source, destination, targeted URL or query has a common pattern
> matching signature of \50\fa\00\08\00\01\20 common to every packet
> generated from this substantial botnet which is frequently published
> on this amplification attack
> webpage. http://dnsamplificationattacks.blogspot.com.au/

We don't know where the magic string "\50\fa\00\08\00\01\20" appears in
the packet. I could not quickly find it at the URL above. This sequence
may not have a bad origin. It could be the EDNS0 client-subnet
extension:

50 fa 00 08 00 01 20 SN aa bb cc dd
^^^^^ ^^^^^ ^^^^^ ^^ ^^ ^^^^^^^^^^^
  |     |     |    |  |      `-- client IPv4 address
  |     |     |    |  `-- scope netmask
  |     |     |    `-- source netmask (0x20 = 32 bits)
  |     |     `-- address family (0x0001 = IPv4)
  |     `-- option length
  `-- old EDNS0 option code for client subnet

The option code 50fa has been changed now to 8 in
,
but you can see this code in older patches to dig:


But we don't know for sure where in the packet this string came from. :)

Mukund


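The point above (that a byte "signature" such as 50 fa 00 08 00 01 20 can simply be the start of a well-formed EDNS Client Subnet option) is easier to check with a decoder. This is an added example, not code from the thread or from any DNS software; the function and constant names are mine, and the sample bytes are constructed (documentation address 192.0.2.1), not taken from any capture.

```python
import ipaddress
import struct

# EDNS option codes for Client Subnet: the IANA-assigned code (8) and the
# pre-standard experimental code 0x50fa used by the older dig patches.
ECS_OPTION_CODE = 8
ECS_OPTION_CODE_LEGACY = 0x50FA


def parse_ecs_option(option: bytes) -> dict:
    """Decode one EDNS option (code, length, data) as a Client Subnet option.

    Raises ValueError when the bytes are not a well-formed ECS option. A
    pattern match on the leading bytes alone cannot tell these cases apart.
    """
    if len(option) < 4:
        raise ValueError("option too short for code/length header")
    code, length = struct.unpack("!HH", option[:4])
    if code not in (ECS_OPTION_CODE, ECS_OPTION_CODE_LEGACY):
        raise ValueError(f"option code {code:#06x} is not Client Subnet")
    data = option[4:4 + length]
    if len(data) != length or length < 4:
        raise ValueError("option length does not match data present")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", data[:4])
    addr_bytes = data[4:]
    if family == 1:
        max_bits, total = 32, 4
    elif family == 2:
        max_bits, total = 128, 16
    else:
        raise ValueError(f"unknown address family {family}")
    if source_prefix > max_bits or scope_prefix > max_bits:
        raise ValueError("prefix length exceeds address family width")
    # Only ceil(source_prefix / 8) address bytes are carried on the wire;
    # the remaining bits are zero-padded when reconstructing the address.
    if len(addr_bytes) != (source_prefix + 7) // 8:
        raise ValueError("address truncated inconsistently with source prefix")
    padded = addr_bytes + b"\x00" * (total - len(addr_bytes))
    return {
        "legacy_code": code == ECS_OPTION_CODE_LEGACY,
        "family": family,
        "source_prefix": source_prefix,
        "scope_prefix": scope_prefix,
        "address": str(ipaddress.ip_address(padded)),
    }


# Constructed sample: the seven-byte prefix from the report, a scope of 0,
# and the documentation address 192.0.2.1 (not from any real capture).
SAMPLE_LEGACY_ECS = bytes.fromhex("50fa0008000120" "00" "c0000201")

if __name__ == "__main__":
    print(parse_ecs_option(SAMPLE_LEGACY_ECS))
```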

Re: [dns-operations] Fwd: [AusNOG] Layer 7 - Distrusted Source (within a single AS) Distrusted Distention - Denial of Service Attack

2013-10-15 Thread David C Lawrence
Damian Menscher writes:
> I'm curious if anyone knows the significance of that 7-byte string?  They
> say it's common to all attack traffic, whether the query or the response,
> so that suggests it's the qname.  But it doesn't look like a valid qname
> to me, so open resolvers wouldn't respond to it with any amplification.
>  What am I missing?

The original report is quite unclear on where the string occurs in the
packet.  It could just be a common prefix for domain names for which
the responding resolvers would provide large negative answers.


Re: [dns-operations] Fwd: [AusNOG] Layer 7 - Distrusted Source (within a single AS) Distrusted Distention - Denial of Service Attack

2013-10-15 Thread Warren Kumari

On Oct 15, 2013, at 12:04 PM, Roland Dobbins  wrote:

> 
> 
> Damian Menscher  wrote:
> 
>> I'm curious if anyone knows the significance of that 7-byte string? 
> 
> Absent any information to the contrary, my guess it's the sort of nonsensical 
> padding we often see with synthetically-generated attack traffic, like the 
> weird, malformed DNS semi-queries the attackers generated as the main 
> volumetric component of the 'Operation Ababil' attacks (and targeted at Web 
> servers, go figure). 
> 
> If anyone has a more cogent explanation, I'd be grateful for clue, thanks! 

Well, if you XOR it with \x66\xcc\x36\x25\x36\x37 you get 
\x36\x36\x36\x2d\x36\x36\x36, which in ASCII is "666-666".  :-O And, even 
scarier, if you XOR the original string with itself you just get nulls…

W

---
People got very excited about the significant mathematical fact that its height 
plus its length divided by half its width almost precisely equalled 1.67563, or 
precisely 1,237.98712567 times the difference between the distance to the sun 
and the weight of a small orange. It was held that something like this could 
not 'possibly' have come about by chance.

(sorry, the presentation I'm currently listening to is very boring…)


> 
> ---
> Roland Dobbins 

--
My memory is failing, so I changed my password to "incorrect".
That way, when I login with the wrong password the computer tells me… "Your 
password is incorrect".





Re: [dns-operations] Fwd: [AusNOG] Layer 7 - Distrusted Source (within a single AS) Distrusted Distention - Denial of Service Attack

2013-10-15 Thread Roland Dobbins


Damian Menscher  wrote:

>I'm curious if anyone knows the significance of that 7-byte string? 

Absent any information to the contrary, my guess it's the sort of nonsensical 
padding we often see with synthetically-generated attack traffic, like the 
weird, malformed DNS semi-queries the attackers generated as the main 
volumetric component of the 'Operation Ababil' attacks (and targeted at Web 
servers, go figure). 

If anyone has a more cogent explanation, I'd be grateful for clue, thanks! 

---
Roland Dobbins 