Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
Florian,

On Oct 15, 2013, at 10:24 PM, Florian Weimer f...@deneb.enyo.de wrote:

> There's a tendency to selectively block DNS traffic, which can be a pain to debug.

True. Hate that. A lot.

> Various network issues might only affect DNS recursor traffic.

Given the information provided in the scenario, I feel it safe to assume a company of 100 with 2 full-time IT staff would have a clear channel for Internet traffic. If not, I would agree with your caveat (and question the company's sanity).

Regards,
-drc

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On Oct 16, 2013, at 10:59 AM, Jared Mauch ja...@puck.nether.net wrote:

> On Oct 15, 2013, at 7:28 PM, Vernon Schryver v...@rhyolite.com wrote:
>
>>> Folks like Comcast have large validating resolvers. Their customers should use them.
>>>
>>> Folks here are surely going to do the right thing the majority of the time. The vast majority of others are going to set things up once and it *will* be left to rot. This isn't intentional, but it naturally happens.
>>
>> The question had nothing to do about J. Sixpack with 37 televisions, phones, and other devices behind a NAT router owned by and remotely maintained by Comcast. Instead the question concerned a business with 2 IT professionals. Relying on distant DNS servers is negligent and grossly incompetent for a professionally run network.
>
> As with many things we will have to disagree. Not everyone has the same skill set as those on this list, and that curve goes down rather quickly.

Yup, but this *has* been an interesting thread -- it was sufficiently open-ended that everyone got to interpret it in whatever way they wanted, and wander off in random but fascinating ways…

W

> - Jared

--
Hope is not a strategy.
-- Ben Treynor, Google
Re: [dns-operations] Alert: Massive increase in type A6 queries.
Hi Roy,

On 10/16/13 11:43 AM, Roy Arends wrote:

> Since October the 12th, 2013, starting at approximately 16:00 UTC, we see a massive increase in type A6 queries.

No, we don't see that phenomenon for .nl.

Regards,
-- Marco
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On 14.10.13 19:08, Paul Hoffman wrote:

> A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP. Should that company run its own recursive resolver for its employees, or should it continue to rely on its ISP?

As always, it depends.

Ideally everyone should run a validating caching resolver, preferably on each device. Considering we are far from this reality...

- if they intend to run the resolver on any kind of Windows, forget it. For many reasons. But let's say we have seen enough resolver-modifying malware.

- if their ISP is competent enough, which .. sadly few are, then using the ISP servers is an option. Especially if the company in question does not have good resources to host/maintain servers.

- public resolvers, such as Google or OpenDNS, are an option too, although --- do we want to encourage the entire Internet to depend on a single point of failure (even if we ignore all other google considerations);

- recursive resolvers do not need much resources. I am actually curious why there is no large market for appliances of this kind. Perhaps because, due to the low resource requirements, these are often installed in shared environments.

A managed on-premises DNS resolver/cache appliance is the best option.

By the way, these days average IT people are crazy about virtualization in the cloud. Running your own DNS resolver in the cloud makes little to no sense.

Daniel
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
I think the problem with a DNS appliance is that it becomes an open DNS resolver, unless it is configured to know the subnet(s) used internally, and updated every time that changes. I don't think the firewall could reasonably be asked to block only recursive DNS traffic, although perhaps it could block all inbound DNS requests, except to an internal authoritative DNS if you had one. I cannot think of any other simple workaround. Users are likely to find some way to turn off the recursion limiting anyway, like setting the internal subnet to 0.0.0.0/0, which solves their problem of updating it when subnets change, but leaves it open to the world.

--
Bob Harold
DNS and DHCP, University of Michigan
(disclaimer: not an official spokesman)

> Date: Wed, 16 Oct 2013 13:14:06 +0300
> From: Daniel Kalchev dan...@digsys.bg
> To: dns-operati...@mail.dns-oarc.net
> Subject: Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
> Message-ID: 525e66ee.9050...@digsys.bg
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> On 14.10.13 21:46, Doug Barton wrote:
>
>> We of the DNS literati tend to forget just how difficult this stuff really is, and how hard it is for companies to prioritize spending money on things that usually just work. I can't count the number of times I got emergency calls when I was consulting about how some enterprise needed my help right away because "the Internet is down" ... only to get a call 30 minutes later letting me know I wasn't needed because someone accidentally rebooted the right thing and now the Internet is working again. They don't care, and they don't *want* to care. They just want it to work.
>
> Very true.
>
> The solution is to turn DNS resolvers into appliances, with clear labels "DNS resolver". Then we can leave the task of restarting the appliance to whoever needs Internet there. Just as they will do with any other device which has a power switch or cord.
>
> Adding a label "no user serviceable parts inside, in case of malfunction call ..." will help further.
>
> For those who do not pretend to be ignorant, setting up and maintaining a recursive DNS resolver is trivial.
>
> By the way, 10% is ok. ;-)
>
> Daniel
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On Oct 16, 2013, at 2:24 AM, Warren Kumari wrote:

> Companies *seem*[1] to follow the trajectory of:
>
> 1: We have 1-10 employees, we'll just use whatever Netgear / Linksys someone had lying around / the DSL we ordered came with. This is largely a home network.
>
> 2: We now have 10-50 employees, let's get a consultant to give us a hand. Wheee, now we have a Windows something server and a (consumer) NAS.

As a former provider of IT outsourcing services for companies in the 1 and 2 categories, I'd absolutely agree with your characterizations, and add that these types of organizations are extremely averse to IT spending.

One simple tweak that I liked to do on the local Windows server domain name server was to configure the local ISP resolvers as forwarders so that lookups for CDN cached content would get to the right place. People usually commented "the Internet is much faster now."

--Chris
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
-Original Message-
From: Chris Boyd cb...@gizmopartners.com
Date: Wednesday, October 16, 2013 10:06 AM
To: dns-operati...@mail.dns-oarc.net Operations dns-operati...@mail.dns-oarc.net
Subject: Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

> On Oct 16, 2013, at 2:24 AM, Warren Kumari wrote:
>
>> Companies *seem*[1] to follow the trajectory of:
>>
>> 1: We have 1-10 employees, we'll just use whatever Netgear / Linksys someone had lying around / the DSL we ordered came with. This is largely a home network.
>>
>> 2: We now have 10-50 employees, let's get a consultant to give us a hand. Wheee, now we have a Windows something server and a (consumer) NAS.
>
> As a former provider of IT outsourcing services for companies in the 1 and 2 categories, I'd absolutely agree with your characterizations, and add that these types of organizations are extremely averse to IT spending.
>
> One simple tweak that I liked to do on the local Windows server domain name server was to configure the local ISP resolvers as forwarders so that lookups for CDN cached content would get to the right place. People usually commented "the Internet is much faster now."

It's been awhile, but I've been here as well. While large corporations certainly have plenty of secrets, I always found it somewhat ironic that smaller companies are often startups whose lifeblood depends on their intellectual property...but they routinely spend the least on protecting what's keeping them in business. DNS is certainly a part of this, but it's really the larger trend you raised of being averse to almost any IT spending. At 1-10 employees this might make sense, but at 10-50 you really can't justify not having at least one knowledgeable IT person in house. As a smaller company you certainly have to be more mindful of budget impact, but anything you save up front will be lost in productivity, security and consultant fees...and might ultimately put you out of business.
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
> From: Jared Mauch ja...@puck.nether.net
>
>> phones, and other devices behind a NAT router owned by and remotely maintained by Comcast. Instead the question concerned a business with 2 IT professionals. Relying on distant DNS servers is negligent and grossly incompetent for a professionally run network.
>
> As with many things we will have to disagree. Not everyone has the same skill set as those on this list, and that curve goes down rather quickly.

I can't help noticing that Jared Mauch noticed and disagreed with my conclusion about relying on distant DNS servers but overlooked or ignored the security reasons compelling the conclusion.

He evidently also overlooked the contradiction or irony in his previous note:

] Everyone else should just use either their ISP (with NXDOMAIN
] rewriting turned off) ...
] Folks like Comcast have large validating resolvers. Their customers
] should use them.

despite https://www.google.com/search?q=COMCAST+dns+hijacking

If you check the pages found by that URL, you'll see
- older reports that Comcast was phasing out DNS hijacking
- more recent reports of redirection or hijacking of 58/UDP packets--not just falsified results from those big Comcast DNS servers but packet hijacking
- far more complication, confusion, and mystification than is realistic to expect a two person IT department to resolve.

It's clear that a simple, secure business DNS configuration does *not* involve a consumer grade ISP. (I don't mean to criticise any particular consumer grade ISP. They are all similar. I'm not even sure that DNS result or packet hijacking is a bad thing for consumer households.)

However, not just tolerating but encouraging people without basic network and computer competence to run Internet businesses is like aviation before the FAA. In the first years enthusiasts bought, built, or borrowed airplanes and went into the barnstorming or airmail businesses. Then the air industry got government licenses and regulations.

From Kitty Hawk to the 1926 Air Commerce Act licensing pilots was 23 years.
http://www.faa.gov/about/history/brief_history/

Whether you mark the start of public interest in the Internet with the 1972 CACM articles about the ARPANET (my DOC lab employer read those papers, got an appropriation, and linked our computers soon after), CSNET co in the early 1980s when many commercial outfits got Internet connections, or a date between, it is more than 23 years later.

I don't like the idea of government Internet licenses, but a two person IT shop using distant DNS servers, not to mention a consumer grade ISP, is as culpable as buying an old potato washer to clean your cantaloupe crop for market. I'm uncomfortable with the criminal charges against the Jensen brothers, but if that's what it takes to get people to learn enough and do it right ...
https://www.google.com/search?q=Jensen+cantaloupe

Vernon Schryver v...@rhyolite.com
Re: [dns-operations] Alert: Massive increase in type A6 queries.
On Oct 16, 2013, at 11:43, Roy Arends wrote:

> Hi,
>
> Since October the 12th, 2013, starting at approximately 16:00 UTC, we see a massive increase in type A6 queries. This is not due to a single resolver, but due to several resolvers exhibiting the same behaviour. We're investigating, but want to alert the TLD community while asking for help as well: If anyone has more info, it would be greatly appreciated.

For those that don't recall what an A6 is (and why it was effectively killed in Aug 2001), the A6 was thought to be an enhanced record. The down side was that A6 records required intermediate name servers to search for parts of the IPv6 address and assemble the various fragments they'd be getting.

Perhaps someone is testing to see if A6 is a way to eat name server (cpu) resources. That's just a shot in the dark. And likely a poor one.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar    You can leave a voice message at +1-571-434-5468

There are no answers - just tradeoffs, decisions, and responses.
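An added illustration of the assembly step Ed describes above (example code written for this archive, not from his message or from any real name server): a minimal RFC 2874 A6 chain walker over a constructed in-memory zone. The zone names, the per-link lookup count and the loop check are all assumptions of the example; what it shows is that one name costs one record fetch per link of the prefix chain, and that a chain whose prefix names point at each other never terminates unless the resolver tracks what it has already followed.

```python
import ipaddress

# Constructed in-memory zone (not real data).  Each A6 record is
# (prefix_len, address_suffix, prefix_name) as laid out in RFC 2874: the low
# 128 - prefix_len bits of the address come from address_suffix, the high
# prefix_len bits from whatever the A6 chain at prefix_name assembles to.
ZONE = {
    "host.example.":    (64, "::1",        "subnet.example."),
    "subnet.example.":  (48, "0:0:0:1::",  "isp.example.net."),
    "isp.example.net.": (32, "0:0:abcd::", "top.example.net."),
    "top.example.net.": (0,  "2001:db8::", None),   # prefix length 0: chain ends
}

# Constructed zone in which two A6 prefix names point at each other.
LOOP_ZONE = {
    "a.example.": (64, "::1", "b.example."),
    "b.example.": (64, "::2", "a.example."),
}

ALL_ONES = (1 << 128) - 1


def a6_assemble(zone, name, seen=()):
    """Walk the A6 prefix chain starting at `name` and return
    (IPv6Address, number_of_lookups).  Every link in the chain is one more
    record the resolver must fetch before it has a usable address."""
    if name in seen:
        raise ValueError("A6 prefix loop: " + " -> ".join((*seen, name)))
    if name not in zone:
        raise LookupError(f"no A6 record for {name}")
    prefix_len, suffix, prefix_name = zone[name]
    lookups = 1
    low_mask = (1 << (128 - prefix_len)) - 1          # bits supplied by this record
    addr = int(ipaddress.IPv6Address(suffix)) & low_mask
    if prefix_len > 0:
        # The remaining high bits come from the record(s) at prefix_name.
        prefix_addr, n = a6_assemble(zone, prefix_name, (*seen, name))
        addr |= int(prefix_addr) & (ALL_ONES ^ low_mask)
        lookups += n
    return ipaddress.IPv6Address(addr), lookups


if __name__ == "__main__":
    address, lookups = a6_assemble(ZONE, "host.example.")
    print(f"{address} assembled from {lookups} A6 records (one AAAA would have done)")
```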
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
> From: Bob Harold rharo...@umich.edu
>
> I think the problem with a DNS appliance is that it becomes an open DNS resolver, unless it is configured to know the subnet(s) used internally, and updated every time that changes. I don't think the firewall could reasonably be asked to block only recursive DNS traffic, although perhaps it could block all inbound DNS requests, except to an internal authoritative DNS if you had one. I cannot think of any other simple workaround. Users are likely to find some way to turn off the recursion limiting anyway, like setting the internal subnet to 0.0.0.0/0, which solves their problem of updating it when subnets change, but leaves it open to the world.

There is a trivial and easy way to keep a recursive DNS server intended for an organization with a 2 person IT department from being open to the entire Internet. Set the IP TTL on responses both TCP and UDP to a small number such as 3 or 5.

There are business reasons to keep a small DNS appliance intended for a small business with a 2 person IT department from being used by a big outfit. You might limit the number of DNS responses per second, hour, or day, but it might be better instead or also to limit the number of client IP addresses. It would be trivial and easy for a DNS appliance to require ACLs permitting no more than X IPv4 addresses and Y IPv6 /64's. Ship it configured with 10.0.0.0/8 and have it refuse to accept non-RFC 1918 ACLs with too big a total. A little monitoring of requests from unexpected IP addresses and some GUI sugar would make it easier for users to maintain their ACLs than what I've seen in the DNS, AD, WINS, etc. settings of a Windows box.

Vernon Schryver v...@rhyolite.com
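The ACL policy Vernon sketches above, worked through as an added example (written for this archive, not code from any appliance vendor or from the thread): the ACL may only contain private space, so Bob's 0.0.0.0/0 "fix" is refused outright, the total it covers is capped, and queries from addresses outside the ACL are counted. The caps X and Y, the ULA treatment for IPv6 and the query log format are assumptions of the example.

```python
import ipaddress

# Assumed appliance limits (the X and Y in the message above): at most one
# /8 worth of IPv4 addresses and at most 16 IPv6 /64s across the whole ACL.
MAX_IPV4_ADDRS = 2 ** 24
MAX_IPV6_64S = 16

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = ipaddress.ip_network("fc00::/7")   # assumed IPv6 counterpart of RFC 1918 (RFC 4193)

DEFAULT_ACL = ["10.0.0.0/8"]             # what the appliance ships with


def validate_acl(entries):
    """Return (ok, reason, networks).  Anything outside private address
    space is refused, so 0.0.0.0/0 cannot be used to silence the ACL, and
    the total size is capped so the box cannot quietly serve a big outfit."""
    nets, v4_total, v6_64s = [], 0, 0
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == 4:
            if not any(net.subnet_of(p) for p in RFC1918):
                return False, f"{net} is not RFC 1918 space", []
            v4_total += net.num_addresses
        else:
            if not net.subnet_of(ULA):
                return False, f"{net} is not ULA space", []
            # a prefix longer than /64 still consumes one /64 slot
            v6_64s += 1 if net.prefixlen >= 64 else 2 ** (64 - net.prefixlen)
        nets.append(net)
    if v4_total > MAX_IPV4_ADDRS:
        return False, f"{v4_total} IPv4 addresses exceeds cap {MAX_IPV4_ADDRS}", []
    if v6_64s > MAX_IPV6_64S:
        return False, f"{v6_64s} IPv6 /64s exceeds cap {MAX_IPV6_64S}", []
    return True, "ok", nets


def unexpected_clients(log_lines, nets):
    """The 'little monitoring' from the message: count queries whose source
    address lies outside the ACL.  Assumed log format: '<client> <qname> <qtype>'."""
    outside = {}
    for line in log_lines:
        client = ipaddress.ip_address(line.split()[0])
        if not any(client in net for net in nets):
            outside[str(client)] = outside.get(str(client), 0) + 1
    return outside


# Constructed sample query log, not real traffic.
SAMPLE_LOG = [
    "10.4.1.7 www.example.com. A",
    "10.4.1.9 mail.example.com. MX",
    "203.0.113.44 example.net. ANY",
    "203.0.113.44 example.net. ANY",
    "fd12:3456:789a:1::5 www.example.org. AAAA",
]

if __name__ == "__main__":
    ok, reason, nets = validate_acl(DEFAULT_ACL + ["fd12:3456:789a:1::/64"])
    print(reason, unexpected_clients(SAMPLE_LOG, nets) if ok else "")
```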
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
PH == Paul Hoffman paul.hoff...@vpnc.org writes:

PH> Should that company run its own recursive resolver for its
PH> employees, or should it continue to rely on its ISP?

*Every* site should run its own (preferably verifying) resolver.

-JimC
--
James Cloos cl...@jhcloos.com OpenPGP: 1024D/ED7DAEA6
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On 10/16/2013 1:44 PM, James Cloos wrote:

> PH == Paul Hoffman paul.hoff...@vpnc.org writes:
>
> PH> Should that company run its own recursive resolver for its
> PH> employees, or should it continue to rely on its ISP?
>
> *Every* site should run its own (preferably verifying) resolver.

I have no problem with that as long as they are not open resolvers -- we already have somewhere in the neighborhood of 28-30 million of them that pose a direct threat to the health and wellbeing of the Internet at-large because they can be used to facilitate DNS amplification attacks.

$.02,

- ferg

--
Paul Ferguson
Vice President, Threat Intelligence
Internet Identity, Tacoma, Washington USA
IID -- Connect and Collaborate -- www.internetidentity.com
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
Comcast doesn't give me broken name servers to use, there is no cognitive dissonance here :-)

You are a DNS expert. Most end users when DNS fails think everything has failed, including the network. I type URLs into my browser. Do you know how many people type google into the google search box? Or the yahoo box? You seem disconnected from the average user and average user tech support.

Even small networks (I have a friend with a ~100 user wisp) shouldn't run their own caches. The economics of it don't support this.

- Jared

On Oct 16, 2013, at 10:37 AM, Vernon Schryver v...@rhyolite.com wrote:

> ] Folks like Comcast have large validating resolvers. Their customers
> ] should use them.
>
> despite https://www.google.com/search?q=COMCAST+dns+hijacking
>
> If you check the pages found by that URL, you'll see
> - older reports that Comcast was phasing out DNS hijacking
> - more recent reports of redirection or hijacking of 58/UDP packets--not just falsified results from those big Comcast DNS servers but packet hijacking
> - far more complication, confusion, and mystification than is realistic to expect a two person IT department to resolve.