Re: [DNSOP] port 0 requests leading to errors

2014-03-22 Thread Paul Vixie


bert hubert wrote:
> ...
>
> 43.504115 IP x.y.117.10.0 > 192.175.48.6.53: 6365+ SOA? 168.192.in-addr.arpa. (38)
> 45.504152 IP x.y.117.10.0 > 192.175.48.6.53: 6365+ SOA? 168.192.in-addr.arpa. (38)
> 49.505124 IP x.y.117.10.0 > 192.175.48.6.53: 6365+ SOA? 168.192.in-addr.arpa. (38)
>
> PowerDNS now refuses to attempt to answer such packets, which silences the
> error messages.

mark andrews sent me a similar patch to bind 4.9 back in 1992, which
made no sense to me but i put it in anyway. thanks for explaining.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
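Queries like the ones in the capture quoted above can be picked out of tcpdump text output and grouped by source and query ID, which also makes the retransmissions visible. This is an added example, not code from the thread or from PowerDNS; the sample lines are constructed, using documentation addresses in place of the anonymised source.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump text format (documentation addresses, not real traffic).
SAMPLE = """\
43.504115 IP 192.0.2.10.0 > 192.175.48.6.53: 6365+ SOA? 168.192.in-addr.arpa. (38)
45.504152 IP 192.0.2.10.0 > 192.175.48.6.53: 6365+ SOA? 168.192.in-addr.arpa. (38)
49.505124 IP 192.0.2.10.0 > 192.175.48.6.53: 6365+ SOA? 168.192.in-addr.arpa. (38)
50.100000 IP 198.51.100.7.41523 > 192.175.48.6.53: 1201+ A? example.com. (29)
50.100900 IP 192.175.48.6.53 > 198.51.100.7.41523: 1201 1/0/0 A 203.0.113.5 (45)
"""

# timestamp, "IP"/"IP6", src.port > dst.port:, query id (+flags), optional
# bracketed options, then "TYPE? name". Responses carry no "TYPE?" token
# after the id, so they never match.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP6? "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<qid>\d+)\S*\s+(?:\[[^\]]*\]\s+)?(?P<qtype>[A-Za-z0-9]+)\? (?P<qname>\S+)"
)


def port_zero_queries(text):
    """Group DNS queries sent from source port 0 by (source, id, type, name).

    Returns {key: {"count": n, "first": ts, "last": ts}}; a count above 1 for
    the same query id means the client kept retransmitting the same query.
    """
    groups = defaultdict(list)
    for line in text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m or m["dport"] != "53" or int(m["sport"]) != 0:
            continue
        key = (m["src"], int(m["qid"]), m["qtype"], m["qname"])
        groups[key].append(m["ts"])
    return {
        k: {"count": len(v), "first": v[0], "last": v[-1]}
        for k, v in groups.items()
    }


if __name__ == "__main__":
    for (src, qid, qtype, qname), info in port_zero_queries(SAMPLE).items():
        print(f"{src} port 0: id={qid} {qtype} {qname} "
              f"x{info['count']} ({info['first']} .. {info['last']})")
```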


Re: [DNSOP] on the subject of dnse

2014-03-22 Thread Phillip Hallam-Baker
On Fri, Mar 21, 2014 at 10:59 AM, Paul Vixie p...@redbarn.org wrote:


> Phillip Hallam-Baker wrote:
> > This was the use case that originally drove the development of OmniBroker.
> >
> > If we do DNS Encryption right it is going to be very easy for end
> > users to choose their DNS provider and very hard for the authorities to
> > block them.
>
> +1.
>
> > Security is a balance. Going through 8.8.8.8 rather than direct means
> > that you are leaking privacy sensitive information to Google. But that
> > is probably less important here than the censorship attack.
>
> noting, google's public claims about not data mining any part of the
> 8.8.8.8 query flow, are believable. we also now know that the greater
> risk is an on-path nation-state MiTM. i think we should solve for the
> latter and not worry about the former.
>
> vixie

I didn't want to bring this up earlier for obvious reasons, the
countermeasure that has been deployed is to just block Google DNS as
well.

We have to have a strategy that does not rely on one party to carry
the net. That just makes them a target.

-- 
Website: http://hallambaker.com/
