Slashdot Mirror

← Back to Stories (view on slashdot.org)

BIND Strikes Back Against VeriSign's Site Finder

Posted by timothy on from the checks-and-balances dept.

BrunoC writes "Following the story about VeriSign's new Site Finder, the Internet Software Consortium promises to release a patch to its (in)famous BIND that will block the controversial Site Finder. Wired News has full coverage of the ISC initiative against this name resolving atrocity."

21 of 582 comments (clear)

  1. Here is ISC's web page for delegation Only zones by doon · · Score: 5, Informative


    http://www.isc.org/products/BIND/delegation-only .h tml

    --
    To E-mail me, replace the first period in my domain with an @
  2. Re:Yeah, only SPAM, sure. by Anonymous Coward · · Score: 5, Informative
    Actually, you do not get anything at the moment. 64.94.110.11 is currently not responding, no doubt under a deluge of requests. While this isn't such a big deal for those who have mistyped a domain name in their browser, it will certainly cause a hell of a problem for mailers around the globe. Remember that Verisign have set up "dummy" mailer deamons on port 25 to ensure mis-directed mail got bounced immediatly, rather than sit in the mail queue? Well now the mailers can't contact that dummy deamon, and the mail is building up in the queues.

    I hope some large ISP's bring action against Verisign for breaking their email systems like that.

    In the meantime, if you want to help keep Verisigns SiteFinder off the internet, try this simple script in a while loop:
    #!/bin/sh
    function get_char(){ local GOOD=0;while [ $GOOD == 0 ];do RAND_C="$(dd if=/dev/urandom bs=1 count=1 2>>/dev/null)";if [ $(echo "$RAND_C" | grep [0-9A-Za-z]) ];then GOOD=1;fi;done;};function get_string(){ local INDEX=0;while [ $INDEX != 32 ];do get_char;RAND_STR[$INDEX]=$RAND_C;let INDEX++;done;};get_string;URI=$(echo "${RAND_STR[@]}" | tr -d ' ');wget -O - $URI.com >>/dev/null 2>>/dev/null;exit 1
  3. Re:very cool.. dnscache? by Torne · · Score: 5, Informative

    Yep, the patch for dnscache by veteran Russ Nelson is here:
    tinydns.org/djbdns-1.05-ignoreip.patch

  4. Re:Bug your ISP by doon · · Score: 5, Informative
    We are a bind shop, But I know othesr that run Really depends on if you need a Recursive Caching server or just an Authoritive Server.
    --
    To E-mail me, replace the first period in my domain with an @
  5. Patches by achurch · · Score: 4, Informative

    Patches for DJBDNS and lots of other daemons here.

  6. link to patch and example by jcurious · · Score: 5, Informative

    upgrade can be found here:
    http://www.isc.org/products/BIND/delegation -only.h tml

    There is no need to create a com or net data file. Just the
    entries to the named.conf file is enough
    zone "com" { type delegation-only; };
    zone "net" { type delegation-only; };

    Ofcourse, if you use views, this needs to be provided within the relevant
    view (the one performing recursive lookups).

    quote from:
    http://marc.theaimsgroup.com/?l=bind9-users &m=1063 79587928771&w=2

  7. Re:How will this work? by close_wait · · Score: 5, Informative
    I assume the patch will filter requests, which resolve to the site-finder IP, so what's to stop VeriSign simply changing IPs every so often?

    No, the patch doesn't do filtering in that sense. It just allows you to mark some zones in your BIND config file (such as .com and .net), that should only contain delegation information. So basically if your BIND server recieves back A record(s) rather than NS delegation records from a server authoritative for .com , BIND simply ignores it.

    Simple and elegant, and nothing Verislime can do about it. (I hope.)

  8. For TinyDNS / dnscache users by pgregg · · Score: 5, Informative

    Russell Nelson has a patch for tinydns which does the same thing.

    He also notes that several other TLD operators for the same thing and has another patch that allows you to do the same thing to several naughtly tld operators at once.

  9. The new versions of BIND are already available by Raphael · · Score: 5, Informative

    Although the news are not on the BIND page yet, patches for the current versions 9.2.2 and 9.1.3 are already available. Only 9.2.3rc2 is currently listed on the page (as of this writing).

    You can get the details from the bind-announce list archives:

    All versions were released a few hours ago. Here is the common paragraph at the top of these three messages:

    In response to high demand from our users, ISC is releasing a patch for BIND to support the declaration of "delegation-only" zones in caching/recursive name servers. Briefly, a zone which has been declared "delegation-only" will be effectively limited to containing NS RRs for subdomains, but no actual data outside its apex (for example, its SOA RR and apex NS RRset). This can be used to filter out "wildcard" or "synthesized" data from NAT boxes or from authoritative name servers whose undelegated (in-zone) data is of no interest.

    Have fun downloading and installing!

    --
    -Raphaël
    1. Re:The new versions of BIND are already available by boojit · · Score: 5, Informative
      And here's a helpful posting on how to use the new patch.

      DaC

  10. Re:very cool.. dnscache? by richard-parker · · Score: 4, Informative

    Does anyone know how to do this with DJBDNS?
    A list of patches for various name servers can be found here.

    Unfortunately the djbdns patch at that URL is not as elegant as the official patch from ISC for BIND. Unlike the ISC BIND patch, the djbdns patch does not support the declaration of "delegation-only" zones. Instead, it adds support for the rather crude technique of converting an A record response containing an operator specified IP address (which you would currently set to 64.94.110.11) into a NXDOMAIN response.
  11. Re:Lot of fuss about nothing by Anonymous Coward · · Score: 5, Informative

    We're not talking about you and your little web browser, we're talking about a major network provider breaking an important network infastructure component in a way which has already started to cause havoc across the internet. At the moment, the server they are using as a catch all is not responding to connections, which means that there "clever" solution to handle mis-directed email doesn't work. As a consequence, mis-directed mail has already started to pill up in mail queues while mail servers waste their time trying to contact the Verisign server.

    Other services are also shit out of luck; Verisign only allowed for HTTP and SMTP. Anything else trying to connect to a non-existent domain is out of luck and will sit around until the connection timesout. Of course, if the server had just returned NXDOMAIN in the first place, as it should, you wouldn't have that problem.

  12. Re:What about the other 20%? by hkmwbz · · Score: 4, Informative

    Read the discussion: 80% runs BIND, what runs on the remaining 20%?

    --
    Clever signature text goes here.
  13. Re:How will this work? by Paul+Jakma · · Score: 5, Informative

    That approach is fucking dangerous.

    Why? Glue records. You are _meant_ to receive certain As from the parent servers of a domain delegated to nameservers which live within its own namespace.

    However, you're missing a crucial part: when you ask the delegating server for the NS records, the glue A records are given out in the additional section, not in the answer section.

    The ISC patch disregards /authoritative/ non-apex data from zones configured as delegate only. however, it can still make use of additional data (ie glue). Glue records are never queried directly AFAIK when a DNS server is sending queries to determine the set of authoratitive servers for a zone, so the patch does not cause any problems.

    --
    I use Friend/Foe + mod-point modifiers as a karma/reputation system.
  14. Re:Lot of fuss about nothing by j7953 · · Score: 4, Informative
    MSIE has been doing this for ages, and I never found it to be a problem, but rather more helpful than the old "404 Not found" messages we used to see.

    You don't get to see a "404 No Found" response if the server doesn't even exist. You'd usually get an error message (generated by IE) that says something like "www.invaliddomain.com doesn't exist." (that's what Mozilla displays, I don't know IE's message).

    The 404 response is what you get when your browser could send a HTTP request to the web server, but the server couldn't find the page you were requesting. The response page is generated by the web server, so how helpful it is depends on what the web server admins have configured. Some pages will not simply return an error message but also include a search box, for example.

    You type junk into an URL and you expect a civilized answer?

    Well, yes, I expect a somewhat helpful error message. But that's not actually the point. The main problem with Verisign's move is that they are assuming (like you seem to do) that the purpose of the Domain Name System is to find the web server that a user is trying to contact when he types an URL into his browser. But DNS isn't used for the web only, it is used to associate names with IP addresses. You can then use the returned IP address for whatever protocol you want, DNS doesn't tell you whether or not the server with the returned IP supports that protocol.

    For all protocols that run non-interactively (i.e. without a human sitting in front of the computer and interactively deciding what server should be contacted next, and interpreting the responses), Verisign's action means that if contacting a remote system fails, the computer can now no longer find out if it's due to a misconfiguration and will likely never work (if the other computer doesn't exist), or if it's just a temporary problem (if the other computer does exist but does not respond).

    --
    Sig (appended to the end of comments I post, 54 chars)
  15. Petition Verisign to change by digitalgimpus · · Score: 4, Informative

    http://www.petitiononline.com/verisign/

  16. I called their number and got this... by mdamaged · · Score: 5, Informative

    I got a rep on the line and he seems oblivious of what was going on, after a bit I got a superviser and she gave me this email telling me that this is where the complaints are going to:

    sitefinder@verisign-grs.com

    --
    Someone asked me the difference between ignorance and apathy, I told them I don't know and I don't care.
  17. Re:It bears repeating by DavidTC · · Score: 4, Informative
    Posting with a +1 bonus to attempt to get people to see this.

    It's amazing how many super cool random people are running around suggesting using OpenNIC, which, of course, won't do a DAMN FUCKING THING. Anyone who suggests an alternate root has demonstrated they have no knowledge of how DNS works at the topmost level.

    Please, someone go around and find all the posts that mention this and moderate them up! I've posted at least three posts pointing this out, and other people have also.

    I'm starting to think everyone should have a few emergency -1: Wrong mod points to get rid of information that is just flatout incorrect.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  18. Re:Yeah, only SPAM, sure. by ncc74656 · · Score: 4, Informative
    everybody, click after me Do not attempt to own us

    Doesn't work for me...then again, I've already fixed djbdns here to return NXDOMAIN when a lookup resolves to Verisign's squatter page. (A copy of the patch is here (the patch isn't mine, but the only place I've seen it is buried in bugs.gentoo.org) and an ebuild for your local Portage tree is here. To use the ebuild, you'll also need to copy Manifest and files/1.05-errno.patch from /usr/portage/net-dns/djbdns.)

    --
    20 January 2017: the End of an Error.
  19. offtopic? i think not. by joe_bruin · · Score: 4, Informative

    i didn't write this the post above, but it is definitely not offtopic. here's a brief rundown of what it does:

    generates a random string of characters.
    performs a "wget" to look up that string as a domain name, and fetch the url returned and dump contents to /dev/null. obviously, this string (with appended .com) resolves to verisign's search page.

    this accomplishes two things. first, or course, is wasting verisign bandwidth. more interestingly, however, it causes dns servers upstream from you to cache the address of all these garbage domains. when their dns cache fills up, they start discarding older entries they have had in there. basically, this is forcing dns servers to constantly flush their caches of any useful data. this, in turn, makes every valid dns query have to cascade all the way down to the root servers. that is, "slashdot.org" is no longer cached in your isp's dns cache, so every user on you isp trying to get to slashdot is contributing to a DDOS of verisign's root servers.

    well done.

  20. Patched BIND is an elegant solution by ayafm · · Score: 4, Informative
    I just installed the patched BIND 9.2.x for NodeWorks so it could keep finding dead links for customer sites. Without this kind of technical solution, I would have had to check for redirects to the sitefinder site, and added specific logic to mark the response as invalid since it would otherwise return a valid 200 HTTP response code.

    The new feature just needed this bit added to named.conf to get it working:

    zone "com" {
    type delegation-only;
    };
    zone "net" {
    type delegation-only;
    };
    When its running, it will put message like this to /var/log/messages so you can see it working!
    Sep 17 12:58:15 proxy named[1130]: enforced delegation-only for 'com' (www.asdfsdafs.com)
    Its really amazing that the open source community can turn around a patch like this within hours of the initial problem being reported! Not only that, but the implementation is clean and technically elegant.