Domain: nimh.org
Stories and comments across the archive that link to nimh.org.
Comments · 10
-
Re:time to dump BIND
Personally, I use ldapdns, which used to be based on the djbdns code and continues to adopt some ideas from djbdns, The nice thing about ldapdns, though, is that the database store is entirely in LDAP. You change it in LDAP and the changes in the DNS server are instantaneous.
I would consider PowerDNS as well, but ldapdns is also very small, fast and lightweight and it scales well. I don't get the feeling that PowerDNS is so lightweight.
-
Re:Unfortunately, what else is new?
Disclaimer. I'm the author of LDAPDNS.
Randomizing UDP source ports does not solve the problem, it only makes it more difficult to impersonate the responding DNS server.
Tens of thousands of times harder.
Secure DNS makes this kind of impersonation impossible, or at least allows us to bask in the warm glow of impossible
Unfortunately, Secure DNS doesn't exist. Nobody's quite sure what it looks like, or how it'll work because the things crytopgraphers is secure nobody wants to do because it makes ugly domain names, so we just sit here, shouting "Secure DNS" like that's going to make it show up sooner.
Listen, Paul's been crying for DNS-SEC for over a decade and yet there are still zero implementations. Even if there were a software stack, there's no credible authority- domain registrars don't check who they register to, and an email spoof can still steal nameserver configuration.
This isn't a technical problem, it's a social problem.
But it has become abundantly clear to me that DJB and his minions (of which I assume you are one) have failed to matter in most ways, not because of your ideas, but because of the brusque, immature manner in which those ideas are submitted for consideration, outside the standards committees which have served the Internet well for 30 years.
You don't get it, do you? Those thirty years are all about ego. DNS Forgery has been well understood for decades now, and Paul Vixie is only accepting a simple solution while dragging his heels because his very complicated idea didn't work.
The real problem is that Paul is a very smart man, so it's very easy for people like you to see that this is an argument between very smart people. However Paul is also a douchebag and an idiot because he's dragged you into defending his ego, for something that affects millions.
-
Re:Not complete innovation?
How many times have you heard the word "innovation" from a microsoftie?
(uncountable)
How much money does it spend on research?
http://it.slashdot.org/article.pl?sid=06/12/06/204 2218
http://www.networkworld.com/news/2006/120606-micro soft-research.html
How many times has it innovated?
http://www.dwheeler.com/innovation/microsoft.html
http://hea-www.harvard.edu/~fine/opinions/msinnova te.html
http://www.vcnet.com/bms/departments/innovation.sh tml
http://www.mcmillan.cx/innovation.html
This last dude gave up, Last updated 27 June 1999. Basically, it came down to a list of all accepted innovation nominations compared to two accepted: Microsoft Bob (doubtful but accepted) and the fucking talking paper clip. Which is basically Bob redone as a more annoying Help file.
all I did was a google search for "microsoft innovate" without quotes, and I came up with ZERO microsoft sites, and a whole bunch which put "innovate" into the quotes it deserves.
Worthless software company. The only things they did right are SQL server (derived from Sybase, and even though it was apparently recoded it shares similar syntax), which actually has a decent track record on security issues, and of course Visual Studio (IMO until the .NET crapfest, but even that is well done, just a personal preference, except that they are trying to win against Java using an interpreted framework, but Visual Basic was completely reengineered and basically thrown away?) (but it uses a third party C/C++ library from Dinkumware, don't think they came up with any of that themselves) (oh and they didn't make the compiler either, they made it worse). But without microsoft we wouldn't need either of these. I believe they don't suck because they were made by developers, for developers.
Dinkumware info, apparently there is a license dispute so that MS can't package the updates in a visual studio service pack, so Dinkumware tells which lines to edit and how:
http://www.dinkumware.com/vc_fixes.html
std::string causes corruption. Sorry we can't fix it, upgrade to .NET or buy a C++ library:
http://support.microsoft.com/kb/813810
"When you build applications in Microsoft Visual C++ 6.0 that use the supplied Standard Template Library (STL), memory corruption may occur, or your computer may stop responding. "
Origins of MSC compiler
http://www.nimh.org/microsoft/
"`This is just a historical note about the C compiler microsoft sells. In the late 80's I was developing C programs under DOS using the Lattice C compiler. One day I got a letter from Lattice saying they were out of the C compiler business, I should contact microsoft for support. I found out that microsoft bought the compiler and exclusive rights to sell it from Lattice. "
O man I just pissed myself off again rehashing all that ineptitude. -
autopackage
autopackage is probably the current best tool for this. It makes a single, easily installable (and removable) package while coercing my system's GCC and libs into versions that are suitable for other distributions.
I use it currently for schism tracker (particularly the CVS builds that I do).
It works very well for me: Debian, Ubuntu, SUSE, Fedora, Gentoo, and Mandrake users have reported success with these binaries built with (gasp) a lone FC4 machine.
One day, I'll actually do a proper release and six years later it'll show up in the next Debian release. Then your fancy apt-get tools will work.
And to kneejerk jackasses that say "just release the source"- you must realize that the source is good for you and me (well me anyway, I cannot speak for you, obviously), the people who USE these programs have absolutely NO INTEREST in doing the work that I have just done for my own purposes.
Plus, having them use a single binary means that it's very easy to debug with nothing more than a core file.
Oh, and I suppose I am giving the submitter the benefit of the doubt that we are indeed talking about Free Software, aren't we? :) -
Re:You really see which DNS does heavy lifting.[ http://www.maradns.org/dns_software.html ]
Other DNS software
This is a list of some other DNS software out there:
Freely downloadable DNS servers
Caching DNS servers
- BIND 9 is a complete rewrite of BIND, and, as such, probably does not have the security issues that previous versions of BIND has. In fact, one of the BIND developers found a security problem in earlier versions of MaraDNS. Very full-featured, and is the reference standard for the newer DNS RFCs.
- Oak DNS is a DNS server written completely in python. It is compatible (I think) with both BIND zone files and cache files.
- pdnsd is a recursive caching DNS server. Paul Rombouts is the current maintainer of this program.
- Posadis is another DNS server project, similiar to MaraDNS. This server is now both a resolving and an suthoritative DNS server.
Non-recursive DNS servers
- PowerDNS is an authoritative-only DNS server with support for, among other things, SQL. I would like to applaud the PowerDNS developers for making a libre release of this software. Note: Recursive code is in the works; PowerDNS will soon enough be a fully functioning recursive DNS server.
- DnsJAVA is an authoritative-only DNS server written in Java.
- NSD is an authoritative-only DNS server which is compatible with BIND zone files.
- MyDNS is an authoritative-only DNS server which uses MySQL as a database back end.
- The Pliant language/package comes with a DNS server. This DNS server can not recursively process DNS queries given a list of root servers.
- Twisted includes a non-recursive DNS server.
- The Eddit project includes a DNS server
- SheerDNS is a simple non-caching DNS server that stores all records as their own files.
Abandoned DNS server projects
These are DNS server projects which have not released any files for six months or longer, and which never became functioning recursive (caching) DNS servers.
- MooDNS is another DNS server
project.
A CVS checkout on January 21, 2003 shows that no files have been updated
since July 20, 2002, except for a single readme file updated on August
1, 2002. This project is abadoned.
I have made a tarball available for people who do not want to bother with a CVS checkout.
- Dents is a DNS server that showed a lot of promise. Unfortunatly, no files have been released since 1999.
- Yaku-NS is a DNS server geared towards embedded systems. According to the changelog, no one has made any changes to this software since Feburary, 2001.
- CustomDNS has not released any files since the summer of 2000.
Other
-
Re:You really see which DNS does heavy lifting.[ http://cr.yp.to/djbdns/other.html ]
Other DNS software
Management tools
twa lets authorized browsers edit the tinydns data file.
ldap2dns converts an LDAP DNS database to a tinydns data file. tinyadmin is a graphical interface to the LDAP DNS database used by ldap2dns.
mkdns converts a MySQL DNS database to a tinydns data file. It lets authorized browsers edit the MySQL DNS database.
sql2tinydns is similar to mkdns.
dhcp_dns watches dhcpd for new DHCP address assignments, and publishes those addresses through tinydns.
tinydyndns publishes dynamic IP addresses authenticated through POP connections.
Servers
ldapdns publishes DNS information from an LDAP database.
MyDNS publishes DNS information from a MySQL database.
Posadis publishes DNS information from BIND-style zone files. Security history: Buffer overflow, allowing attackers around the Internet to take control of the server; fixed in m5pre2 (2002.03.30). Someone announced an exploitable buffer overflow in m5pre2 a few weeks later; the history here isn't clear from the Posadis web pages.
NSD publishes DNS information from BIND-style zone files. Security history: Unclear. The NSD documentation includes bugs like ``Very strange coredump in hash_destroy() that happens sometimes'' without any analysis of their security impact. Is that an exploitable buffer overflow?
PowerDNS publishes DNS information from MySQL databases, PostgreSQL databases, Oracle databases, IBM databases, LDAP databases, or BIND-style zone files. Security history: Unclear, like the NSD security history.
MaraDNS is a general-purpose DNS server.
lbnamed is a load-balancing DNS server.
lbdns is another load-balancing DNS server.
Oak DNS Server is a good example of why novices shouldn't try to write DNS software. The digitallumber.net domain, served by Oak DNS Server 1.0, is inaccessible to a huge number of clients that try AAAA lookups before A lookups: the server incorrectly returns NXDOMAIN for AAAA, effectively wiping out its own A record.
Caches
pdnsd is a DNS cache. Security history: Remotely exploitable buffer overflow; fixed in 1.1.7a (2002.01.18).
MaraDNS can act as a cache.
I don't know why anyone would want to use these caches in place of dnscache .
DNS clients
adns is a DNS client library.
ares is a DNS client library.
perldns is a DNS client library for Perl.
The Buggy Internet Name Daemon [how very professional... *sigh*]
BIND is a monolithic server/cache; it also includes a client library, libresolv. Security history: IQUERY buffer overflow in BIND before 8.1.2-T3B (1998); NXT buffer overflow in BIND before 8.2.2-P4 (1999); nslookupcompla
-
Re:Why is there an "Apache" user?
Essentially, by the time you've figured out which vhost the client is requesting, you're bound to a specific httpd process which normally runs as www/nobody or whatever you've configured it as. As those users cannot setuid to the RunAsUser, you can't modify the uid/euid at that stage, only root can do that and you don't want root handling that part of the negotiation!
You use multiple processes then. You can pass the socket file descriptor to another process via UNIX sockets. Or you could just keep proxying the connection to another process if you want portability.
For example you could have a few "connection broker" processes which would parse the initial request. That process would figure out who exactly should be handling the request. Once that's done, it sends very simple request to very small master process which runs as root, consisting of wanted url handler (file, directory, whatever). The root running process verifies the handler is valid, and then either returns error or forwards the connection to the actual handler process (either exec + setuid(), or reuse existing process).
Something like a proper trusted base allowing a user (www) to setuid to other users (vhost1, vhost1 etc) but that requires a version of Unix that supports it; dunno if Trusted Solaris, OpenBSD or SELinux supply that functionality or not.
There's at least kchuid which could do that.
-
Nameservers for Linux and *BSDevilpenguin wrote:
BTW, what alteratives to BIND exist for Linuxand *BSD? I actually don't know and would like to know.
There are now a number of alternative packages that may have advantages for many deployments. E.g.:
MaraDNS is a general-purpose, fast DNS server package (doing recursive, authoritative, and caching roles, plus fully supporting zone transfers):
http://www.maradns.org/pdnsd is a small caching-only DNS server with a disk-based cache, suitable for small networks and workstations:
http://home.t-online.de/home/Moestl/Dnsmasq is a small authoritative and caching DNS server for a group of NATted / IPmasqued machines (optionally pulling names from DHCP leases):
http://www.thekelleys.org.uk/dnsmasq/DNRD is a small caching-only DNS server for NAT / IPmasq networks:
http://dnrd.nevalabs.org/MyDNS is a MySQL-based authoritative and caching server (no recursive service) suitable for very large sites. In such roles, it's faster and more responsive than BIND9, even though the latter uses a RAM-based cache:
http://mydns.bboy.net/ldapdns implements the same idea, except out of an LDAP database. Again, much faster than BIND9:
http://nimh.org/code/ldapdns/GnuDIP is an authoritative server for Dynamic DNS:
http://gnudip2.sourceforge.net/gnudip-www/NSD is a high-performance authoritative-only daemon:
http://www.nlnetlabs.nl/nsd/PowerDNS (open source as of 2002-11-25) is an authoritative-only daemon with a modular structure supporting various back-end information stores such as SQL databases (MySQL, PostgreSQL, Oracle 8i, Oracle 9i, IBM DB2, and others via ODBC), BIND zonefiles and other file formats, and LDAP directories. Supports AXFR zone transfers.
http://www.powerdns.com/products/powerdns/CustomDNS is a authoritative-only daemon for both static addresses and its variant form of dynamic DNS:
http://customdns.sourceforge.net/lbnamed is a similar authoritative-only daemon for static and dynamic information, with a load-balancing multi-machine architecture:
http://www.stanford.edu/~riepel/lbnamed/Posadis is another fast authoritative-only daemon:
http://posadis.sourceforge.net/dents is another general-purpose DNS server, but is perenially unfinished, and is probably dead, at this point:
http://sourceforge.net/projects/dents/Pliant DNS Server is another general-purpose DNS server, although it may not support zone transfers:
http://pliant.cx/pliant/protocol/dns/Yaku-NS is another small, fast general-purpose DNS server:
http://www.kyuzz.org/antirez/ens.htmlTwisted Names is an authoritative and caching DNS server, written in Python:
http://twistedmatrix.com/documents/howto/namesOak DNS Server is an authoritative and caching DNS server, supporting dynamic DNS updates and AAAA records. It's written in Python, and doesn't need to run privileged:
http://www.digitallumber.com/oakdnsjava is a minimal, authoritative-only server, a resolver library, and a set of DNS utilities, all written in Java:
http://www.xbill.org/dnsjava/Related:
FireDNS is a client library for DNS requests, with emphasis on speed and asynchronous processing. Written in C, and has low-timeout blocking functions. Can be used to relace standard libc resolver library functions like getbyhostname with much faster equivalent code:
http://ares.penguinhosting.net/~ian/GNU adns is a resolver library for C (and C++) programs, and a collection of useful DNS resolver utilities:
http://www.chiark.greenend.org.uk/~ian/adns/Proprietary packages include:
UltraDNS (UltraDNS Corporation)
djbdns/tinydns
ATLAS (Verisign)
BINDPlus (Information Network Eng. Group, Inc.)
Global Name Service (Nominum, Inc.)
NeDNS (Neteka, Inc.)I maintain this list at http://linuxmafia.com/~rick/linux-info/dns-server
s Rick Moen
rick@linuxmafia.com -
ldap and dnsI wrote a DNS server that relies completely on LDAP called ldapdns. it's a live gateway, so it's ALWAYS up to date. the best thing about managing DNS over LDAP is that users can manage their own DNS and even create new subdomains!
actually, i'm quite amazed that this topic came up because a centralized directory mechanism can make administration _MUCH_ easier. i'm actually very suprised that most unixes (including linux) don't do anything better than NIS(+).
LDAP became the mechanism by which I manage my own network with greater ease: i use LDAP with NSS for user management (and allow users thereby to manage themselves). i use LDAP for DNS (of course
:), i use LDAP to manage certificates, and employee information, and i also use LDAP to keep track of customers (for billing).i've had to write a lot of my own shit to make it work (billing, and DNS - but now the DNS is gpl'd so youall can be happy with it), but alot of it DOES already exist. using NSS and PAM, you can manage users with ldap, and with vpopmail/qmailpatches you can run mail over ldap.
as for useradd/userdel/etc -- you simply don't need them. you can write a very simple shell script to ldapadd new users and delete and modify them (as i have done).
as for browsers: i happen to like GQ. but tbh, i don't do much browsing (i like robots). there's a java one floating around that works very much like Microsoft's LDAP browser (but free).
anyway, i'll spit my plug again:
LDAPDNS: FREE (GPL) LDAP-BASED DNS FOR EASIER ADMINISTRATION: ldapdns IS WHAT YOU NEED. USE IT BLAH BLAH BLAH
but really: ldap works great. it takes some balls to pull the switch (maybe someone will make it easier), but it is well worth it in the long run.
-
ldap and dnsI wrote a DNS server that relies completely on LDAP called ldapdns. it's a live gateway, so it's ALWAYS up to date. the best thing about managing DNS over LDAP is that users can manage their own DNS and even create new subdomains!
actually, i'm quite amazed that this topic came up because a centralized directory mechanism can make administration _MUCH_ easier. i'm actually very suprised that most unixes (including linux) don't do anything better than NIS(+).
LDAP became the mechanism by which I manage my own network with greater ease: i use LDAP with NSS for user management (and allow users thereby to manage themselves). i use LDAP for DNS (of course
:), i use LDAP to manage certificates, and employee information, and i also use LDAP to keep track of customers (for billing).i've had to write a lot of my own shit to make it work (billing, and DNS - but now the DNS is gpl'd so youall can be happy with it), but alot of it DOES already exist. using NSS and PAM, you can manage users with ldap, and with vpopmail/qmailpatches you can run mail over ldap.
as for useradd/userdel/etc -- you simply don't need them. you can write a very simple shell script to ldapadd new users and delete and modify them (as i have done).
as for browsers: i happen to like GQ. but tbh, i don't do much browsing (i like robots). there's a java one floating around that works very much like Microsoft's LDAP browser (but free).
anyway, i'll spit my plug again:
LDAPDNS: FREE (GPL) LDAP-BASED DNS FOR EASIER ADMINISTRATION: ldapdns IS WHAT YOU NEED. USE IT BLAH BLAH BLAH
but really: ldap works great. it takes some balls to pull the switch (maybe someone will make it easier), but it is well worth it in the long run.