Dan Kaminsky Suggests Having Fun with DNS

boogahsmalls writes "A few weekends ago Dan Kaminsky of scanrand fame presented some pretty cool ideas involving DNS that made plenty of heads spin at the LayerOne Technology Conference. Some of his concepts included Voice over DNS and storing Knoppix in a DNS cache. He's also apparently got a couple new tools in the pipe including a scanrand based DNS scanner and a visualization suite. Could another version of Paketto Keiretsu be in the works?" (OpenOffice.org does a great job of opening the PowerPoint slideshow.)

No thanks,

I'd rather my dns just work.

Nice ideas

but who doesn't have Knoppix in the DNS cache already anyway? Welcome to the 21st century buddy.

Re:Nice ideas

[Vihai]

In soviet russia, Knoppix has a DNS cache... oh nevermind....

use the DNS to store presentations

I'd rather read his slides in binary from IN A records than open powerpoint.

RTFPP?

[Nethead]

Now we have to Read The Fsckin' Power Point?

Re:RTFPP?

[MisanthropicProgram]

Why is the parent flambait?

He does have a point.

Re:RTFPP?

[Masami+Eiri]

And a powerful one, at that... *is pelted with rottern fruit*

Re:RTFPP?

Now we have to Read The Fsckin' Power Point?

No, I think they're asking you to read the fucking power point.
If you wanted to write it in "7337-5p33k", it would have been cooler to say "F5CK1N".

If you just wanted to use the wrong word on purpose, fsck deals with filesystems so has little to do with powerpoint. "the ftmemchk'n powerpoint" doesn't work either because it deals with memory. "the /usr/bin/fixproc powerpoint" isn't funny either.

"the /sbin/fdisk powerpoint" Ooh! That's funny!

Re:RTFPP?

Uh, what's his point. That he knows that fsck rhymes with fuck? If he said "the fdisking powerpoint" it would have been twice as funny, since powerpoint is a windows program.

Re:RTFPP?

[Eideewt]

Yeah, it would have been twice as funny. It's too bad that not being funny twice doesn't make you funny.

Great Article

It's a pity most of the slashdot crowd won't understand any of its technical merits at all.
Mark this as flamebait if you will, but come back in a while and read the comments, I promise there will be hardly any discussion of the paper.

Dan is obviously a very smart guy, I like his ideas about using http tunnel (it's a great program), I'm going to have to give some of these ideas a work out!

Bob

Re:Great Article

[wwest4]

The presentation is intriguing, but like any typical slideshow, lacking in specifics (things like "stuff=cool" aren't terribly telling). Unless you already know the DNS pretty well, it would be hard to infer the nitty-gritty of the talk from this ppt without thinking pretty hard about it, and you shouldn't fault a diverse group of geeks from different nerd realms for not being DNS power users.

Re:Great Article

It's a pity most of the slashdot crowd won't understand any of its technical merits at all.

I think it's a pity that I cannot even read his mertits in the first place due to the format he presents them in.

Anyone care to convert this to HTML, or PDF even, so the rest of us can read it?

Re:Great Article

[Carnildo]

I'd discuss the paper, but it's in a format I can't view.

Re:Great Article

[headisdead]

Cotse have recently been experimenting with some fun in the realm of tunnelling of the SSH kind. Unfortunately they don't have a lot of available documentation on it but scrolling down the notes on the login page should give you a fair idea of what's going on. It's neat and secure and could, with the proxy they've set up, enable an unusually private way of accessing internet services. Other ISPs take note..

Re:Great Article

No, I guess I shouldn't. That was kind of elitest of me and I apologise. It's just frustrating sometimes to see a really good article on slashdot, digging in to hopefully read some good comments about it, and finding people can only post "humourous" stuff or other equally lame stuff. If I don't understand an article, I don't post on it.

You're also right about the powerpoint, it would have obviously been much better for us if we'd been there to hear his presentation. It still gives us a good insight to his ideas though.

Bob

Re:Great Article

no biggie - an apology is surely not neccessary, but surprising (for ./) and admirable.

Re:Great Article

[wwest4]

One thing that is cool about /. is that if you're willing to dig for a bit, there are some crazy-smart people who know the material. There are plenty sympathetic to your lament also.

Re:Great Article

no

Re:Great Article

Whoops... maybe you need to come out of that cave and get yourself a PPT viewer!

Re:Great Article

[sinergy]

Sounds like Cryptonomicon.

Re:Great Article

[Carnildo]

It's not a troll. Right now, I have access to exactly zero programs that can view a PowerPoint presentation.

Re:Great Article

[magefile]

I'd suggest Open Office. If you're on a dialup, and don't want to install several hundred megs, then look at the google cache - it'll have an HTML-ized version.

Re:Great Article

[jovetoo]

His techniques allow someone to set up a cryptographically secure network that most likely completely ignores firewalls. It features high bandwidth-high latency connection, low bandwidth-low latency connections and is virtually untraceable, even to both parties involved in the connection. An initial hostname and time would act as the 'phonenumber'. (By keeping a certain request alive, one can even implement a dailing service with TTL delay.) A message service is freely included.

It is virtually impossible to shut these networks down without replacing/patching dns. Not an easy task.
The bandwidth available to this network most likely exceeds that of most irc-botnets. Especially since the root servers are defending themselves against DDoS attacks.

The tools he's still developing might be able to trace these things but it will still require cooperation of dns server administrators (to get their logs). You will never get them all and you'll have a LOT data to process. Accorfing to this the ICS root server continuosly handles almost 8Mbps (and can handle upto 80Mbps) of traffic. I seriously doubt they can log that... (if so, transferring the logs would continually consume a healthy percent of the servers bandwidth.)

Pretty smart man indeed and very idealistic or shortsighted. Both the right and the wrong sort of people would pay a lot of money for that...

Re:Great Article

Google Cache does ppt -> HTML; for this one, however, note that both text and background are white, so you need to select all to see the text.

I don't have PowerPoint here either... Or OO.o.

Re:Great Article

[rasz]

>Dan is obviously a very smart guy .. and copied DNS and other ideas from others.

Re:Great Article

[rasz]

Dan is obviously a very smart guy

.. and copied DNS and other ideas from others.

Re:Great Article

[aminorex]

Merits? The guy is proposing a system for
conducting conference calls through firewalls
by hijacking DNS servers, and you can use the
term "merits"?

Demerits maybe.

Re:Great Article

Well, you could have filled the rest of us in about its technical merits, if you're worried about people missing the point ...

Re:Great Article

[Glamdrlng]

I'd discuss the paper, but it's in a format I can't view.

Since you apparently lack the bare minimum of resourcefulness necessary to read the file, I'm sure it's our loss that you can't participate in the conversation.

Re:Great Article

[Glamdrlng]

If you haven't checked it out already, Linux Server Hacks also has some fun things you can do with SSH tunnelling, backups over SSH, and X over SSH.

Re:Great Article

[Glamdrlng]

Merits? The guy is proposing a system for conducting conference calls through firewalls by hijacking DNS servers, and you can use the term "merits"?

What you're overlooking is, if Dan could have these ideas, so could someone else. By sharing his ideas publically, he's giving whitehats and blackhats a level playing field.

Consider also, many common auditing tools were once considered blackhat programs. For example, If Mr. Kaminsky had written scanrand in the late 90's / early 2000's, back when port scanning was considered an invasive hacking activity by most, it would have gotten the same treatment. Personally, I think we should thank him for sharing his ideas instead of using them against us.

Re:Great Article

[Effugas]

Freaking Zalewski :-) I hadn't seen this paper. Super cool, it'll help the next version of this speech greatly!

(I directly name Zalewski in one of my apps; believe me, if I had seen this, I'd have credited him.)

--Dan

Re:Great Article

set up a cryptographically secure network that most likely completely ignores firewalls.

If I read that correctly, I think his assumption is incorrect - every corporate firewall (and many smaller firewalls) that I have seen use some kind of split horizon dns with http-proxies that rely on the external dns server to resolve external dns queries. DNS traffic in these set ups never cross from the DMZ into the corp net.

Re:Great Article

[mattyrobinson69]

here you go

Re:Great Article

[jovetoo]

I think you missed the point (or I missed yours).

The DNS tunneling system uses a kind of double bling drop. You drop data into an external dns server by requesting a certain name. You receive data by resolving certain names (and receiving the reply). All these request look like legitimate DNS request to the server (they *are* legitimate requests), you firewall isn't just going to be bypassed, it will happily act as a proxy cache for your data.

The way to detect this for a sysadmin would be inordinarily high DNS load from single IP address (assuming local IP spoofing is prevented). Short messages are probably undetectable.

To prevent incoming data, only allow *all* internal machines to resolv internal addresses. Webaccess needs a proxy and email a forwarding service. Even then it going to be hard to prevent any system that does have external DNS access to being tricked into resolving a name.

Outgoing streams can only be prevented by also prohibiting webaccess and sending external emails. (as you can easily trick these services in resolving names).

All of this, btw, without actually comprimising a single machine.

Re:Great Article

[freqres]

I hope that it's good for a high-latency, low-bandwidth network. Taking care of all these pigeons is killing my IT budget just to implement some stupid RFC.

Re:Great Article

[Eideewt]

I just tell myself that all the fluff makes it more enjoyable when I find a meaningful comment. Sometimes I have to repeat this a few times.

Re:Great Article

[Eideewt]

Haha. Ha. That's funny. I like it.

Re:Great Article

[Smallpond]

Detect this? A single html page can cause 20 DNS requests; I think you would have a very hard time detecting high DNS load. Also, you can't block DNS requests without blocking web browsing, which might upset a few people on your net.

DNS requests aren't logged (too much traffic), and can't do auth because the overhead would be huge. This provides a very effective gateway to steal resources of DNS servers for non-intended purposes.

The worst part of this is that to do anything substantial (like the Knoppix example) that you have to load down a LOT of DNS servers. History shows that once something can be done, it will be done. Email has been made costly and unreliable by spammers, now DNS will be made costly and unreliable by file-sharers.

Re:Great Article

[jovetoo]

A html page is a bad example since it is trivial to prevent this: use a webproxy. This should alleviate the need for DNS resolving at the client system without blocking web access.

No external DNS resolving and use of a mail forwarder and a web proxy is a reasonable hardening of your network against this hack without sacrificing too much functionality.

If you still wish to allow external DNS access, you can (try to) detect DNS bursts. A real-time traffic analyser could be made to do this without (full trafic) logging. Then again this is such an arcane abuse that it is most likely not worth the effort of trying to detect it.

Search Service

[OzPhIsH]

Gee, maybe they could make the results of any unresolved queries forward users to a handy search page, instead of returning an appropriate 'not found' response!

Re:Search Service

[Carnildo]

Gee, maybe they could make the results of any unresolved queries forward users to a handy search page, instead of returning an appropriate 'not found' response!

No, this is the fun sort of DNS abuse -- things like using a DNS server as a covert communication channel, with a data rate of a few bits per minute.

Re:Search Service

[ongeboren]

how is this post funny ?
verisign are willing to redirect all unresolved requests to a website.. no, it's not funny..

Re:Search Service

It's funny because it's written as if verisign didn't try that while we know they did.

Re:Search Service

[RevDobbs]

how is this post funny ?

'cause there's no "+1, Ironic" mod?

... which is not the same as "-1, Moronic", in case you didn't realize...

Re:Search Service

It might be possible to implement a useful search service over dns...imagine url%20encoded%20string.search.google.com resolving to one or more search results...

Re:Search Service

this must be british humor, isn't it?

Another pointless piece of information:

[YouGotServed]

Microsoft Powerpoint also does a great job of opening the PowerPoint slideshow.

Re:Another pointless piece of information:

[cyber_spaz]

Yep, it's funny. But I tried using Microsoft PowerPoint, and couldn't read it. KPresenter was good enough for me to read it though.

(Of course, using an ancient version of PowerPoint (from Office 95) didn't help. But I quit buying MS products some time ago...)

Re:Another pointless piece of information:

[StarCat76]

Yeah, but what dependencies...

Re:Another pointless piece of information:

Actually, I wouldn't bet on that :)

Re:Another pointless piece of information:

[cgenman]

I can see where this is going:

1: Funny retort about clippy, modded +5 insightful
2: Serious post defending Power Point, modded -1 Flamebait
3: Humorous post about necessary height of a post to go over one's head, modded +2 interesting
4: Serious post questioning the connection between wooden posts and the stability of Microsoft Software, modded +2 Funny
Meta comment about the rediculousness of it all: Priceless.

Re:Another pointless piece of information:

[binux]

Meta comment about the rediculousness of it all: Priceless.

You missed - Post about spelling bee champ in tears.

Re:Another pointless piece of information:

Microsoft PowerPoint can read it only under certain conditions (ie. being microsoft customers, etc.). Why would one put discriminatories statement on the headline while OpenOffice.org can work for everyone ? Unless you're a MS-zealot, you should praise that part of the headline, not make fun of it !

Re:Another pointless piece of information:

[nathanh]

Meta comment about the rediculousness of it all: Priceless.

A Slashdotter who can't spell "ridiculous": inevitable.

Re:Another pointless piece of information:

good call, thanks clippy :)

Crazy!

[chill]

Most people are lucky if DNS just works without major headaches.

I could swear BIND and its config file is considered, along with Sendmail, one of the most convoluted programs in Internetdom. It, again along with Sendmail, is historically also one of the most bug-ridden and exploited.

And now someone is suggesting futzing around with it?! Why not just change your domain to "rootmeplease.com" and get it over with?

-Charles

Re:Crazy!

[DarkFencer]

How can you compare bind and sendmail configuration with a straight face?!? Bind is SO much easier to setup then people say, MUCH more so then sendmail.

If you think they are on the same level, you didn't even bother reading anything about either.

Re:Crazy!

[Dwonis]

It's easy. Use djbdns for a little while. BIND stars to look very sendmail-esque after that.

Re:Crazy!

[flonker]

"The sendmail.conf file looks like someone banging there head against the keyboard, after working with it for a while, I can see why."
(Attribution forgotten, if anyone knows, please tell me.)

Re:Crazy!

[wwest4]

There are alternatives to BIND, though the hyperbole about its complexity is a bit extreme... and none of the BIND boxes that I've set up so far have been rooted (knock, knock).

Someday the utility of the DNS as a distributed name resolver will probably wane. Why not toy with alternative uses and recycle all that code and/or infrastructure?

Re:Crazy!

[Carnildo]

Use djbdns for a little while.

A recent Slashdot article (or maybe it was one of the comments attached to the article) pointed out an easy cache-poisoning DoS attack on djbdns. Are you still sure you want to use it?

Re:Crazy!

[Linux_ho]

I could swear BIND and its config file is considered, along with Sendmail, one of the most convoluted programs in Internetdom.

As far as potential complexity in config files go, Bind ain't bad. No worse than Apache, anyway. Comparing BIND with Sendmail is like comparing a bicycle to the Space Shuttle. :-)

tho Sendmail got a lot easier to configure when m4 configuration became available, and lately bugs and patches have been few and far between.

Re:Crazy!

[ideut]

WARNING: Parent post advocates proprietary DJB software! Please disregard the parent post for all the usual reasons. Thank you.

Re:Crazy!

[MerlynEmrys67]

My favorite joke from years ago was

Q: What is the difference between a sendmail.conf file and modem noise
A:

Re:Crazy!

[Feyr]

i have both a djbdns server (for a customer, 1200 domains or so) and a couple of bind ones (~400 domains).

how the fuck can you say djbdns is easier than bind? if i want an A record in bind it's "IN A" (see, easily understood). if you want the same in djbdns it's some cryptic characters that make no sense (and is, of course, undocumented, or was last time i needed it).

now the best part. there's MULTIPLE characters to do nearly the same thing. if i recall a + is a straight A record, and a @ (i think) is an A+PTR

give me bind anytime, it's MUCH easier. though i'm about to move to powerdns or something with a mysql or ldap backend so customers can edit their zones easily

Re: Crazy!

[ldspartan]

URL to that attack? Google nets me nothing, and I try pretty hard to stay involved with djbdns...

--
lds

Re:Crazy!

[murgee]

You're aware that there are tools that come with djbdns that automate a lot of that for you, right? Or am I just missing something about your setup?

Re:Crazy!

[Asgard]

m4 'automates' sendmail configuration too.

Re:Crazy!

[Cylix]

Aye Captain Ideut...

Putting on blinder apparatus as we speak.

Re:Crazy!

[mabinogi]

Nope, I don't care what other software you've used, or how easy or difficult it is. If you say that the Bind configuration is anything like Sendmail configuration in any way then you have not used both Bind and Sendmail.
Myabe you have used one of them, but you have definitely not used both.

Re:Crazy!

Eh? Where did you come up with something like that? DJB has everything neatly documented.

http://cr.yp.to/djbdns/tinydns-data.html

Re:Crazy!

[ideut]

From a purely pragmatic viewpoint, I should point out that there hasn't been a release of djbdns for a little over twelve years. It is therefore extremely unlikely that the product will updated to support SPF+.

Unfortunately for all the DJB-acolytes, this means that djbdns, as well as being proprietary and insecure, will not have a place on the internet from Jan 1st 2005, the day SPF+ will be activated globally.

Re:Crazy!

A record in bind it's "IN A" (see, easily understood).

As in

grep -i " in " file | grep -i " a "

And then hoping that you get it? The problem that there can be multiple spaces between the "IN" and "A"

Now you can say "but that's your problem for writting out 'in a'" and to that I would say that one CANT do this with djbdns and the file written out has to conform to an exact standard.

Re:Crazy!

I think the problem is just that DNS is a pretty convoluted area. I tried using djbdns when I was a hostmaster and that experiment lasted about as long as it took to realise djbdns wasn't capable of transferring our reverse zone-files upstream.

It seemed to me it wasn't capable of setting up any zone with particular ease. Perhaps if you just want a dns cache its useful, otherwise I'll stick with BIND. Yea its tricky to set-up, maybe I'm just used to it but it seems obvious to me, you want an A record, add "host IN A address" to your zonefile etc etc. If you don't understand what a zone or A record is then thats not BIND fault, its yours for not understanding the area you're working in (again if you just want a dns cache then thats fine no need to be a DNS expert).

Don't get me wrong I have full respect for djb, that same ISP used exclusively his email software. Just his DNS idea's are shite while he's the only person implementing them.

Re:Crazy!

[Feyr]

i could care less to grep out all the A records. in the 4 years i've been here i never had a use for that. usually im looking for one well defined domain name (like the MX, mail.domain.com) or an IP address (when changing the IP of a server for exemple).

another toy that sound cool on paper but really isn't that useful

Re:Crazy!

[pyrrhonist]

And then hoping that you get it? The problem that there can be multiple spaces between the "IN" and "A"

And why exactly is this an issue?

grep -i 'in *a' file

Re:Crazy!

[Dwonis]

how the fuck can you say djbdns is easier than bind?

Because I've used both, and after about a week of using djbdns, I found it to be easier to use. (Prior to that, I cringed at the thought of using tinydns-data's configuration format, but it's actually pretty easy once you get familiar with it.)

Re:Crazy!

[mkettler]

I'm not sure which article it was, but perhaps it was referencing this study.

In it someone did phase-space analysis of the PRNGs used in DNS, and combined it with a birthday paradox style attack. In it, an attack on BIND 8 was shown to be 100% likely to succeed, BIND 9 20% and DJBDNS was 30%.

However, if you read the rest of the article, it points out that DJBDNS also uses a strongly random source port for the query, making it significantly more resistant to the attack, as the attacker would have to guess both the query ID and the source port simultaneously. (The two put together have about 1 billion possible combinations. The ID alone only has 64k.)

Unless there's some other DNS poisoning attack I'm unaware of, I think I'd prefer DJBDNS, as it's more resistant than bind 8 or bind 9, despite it's slightly less random output than bind 9.

(Note: bind 9 can be configured to use non-fixed query ports, but you'd need an kernel level random source-port patch to get good security out of this.)

Re:Crazy!

you want an A record, add "host IN A address" to your zonefile etc etc.

Hmmm....perhaps it would be easier if you just had a zone file that allowed records like this:

name1.example.com. 10.1.2.3
name2.example.com. 10.1.2.4
name3.example.com. MX mail.example.com.
mail.example.com. 10.1.2.5

Re:Crazy!

[Bert64]

Firstly, djbdns provides tools such as add-host to easily add hosts to the dns list.. Also, the format has never been undocumented, there is documentation about the format right on the djbdns homepage.. As for multiple characters to do "nearly" the same thing... your saying there are multiple characters to do DIFFERENT (but similar) things.. Are you suggesting that it should use the same character to do different things? how would that work?

Re:Crazy!

[Feyr]

there are tools to modify the bind config file too, that's not the point. your tools won't help one bit if you want to READ the damn file and understand what it does, unless maybe by converting it to BIND format which defeats the whole purpose (also the bind format just happen to be the dns protocol format)

the documentation might have been there, but it sure as hell wasn't clearly linked on the main page of djbdns, as i remember spending an hour or two looking for it on cr.yp.to

as for the multiple characters. i'm suggesting there is only one character to do something, and use two lines to do the two different things. in the end it's much clearer

Re:Crazy!

Sounds more likely that SPF+ will fail, then.

If the most stable DNS servers (even you must admit that if it hasn't needed a service-pack for 12 years, it's pretty awesome), don't support SPF+; SPF+ will fail.

Re:Crazy!

[Electrum]

A recent Slashdot article (or maybe it was one of the comments attached to the article) pointed out an easy cache-poisoning DoS attack on djbdns.

Wrong. dnscache (from the djbdns package) is not vulnerable to poison and never has been. You are probably thinking of previous versions of BIND.

Re:Crazy!

[kelnos]

sure, i'll take a few seconds to feed the troll.

SPF uses DNS TXT records, and doesn't need any special support from the DNS server. djbdns can handle SPF just fine.

Re:Crazy!

[Bert64]

You can use 2 lines if you wish, your free to totally ignore the A+PTR function if you wish, noone is forcing you to use it.

Re:Crazy!

[geminidomino]

if you say that the Bind configuration is anything like Sendmail configuration in any way then you have not used both Bind and Sendmail.

GP prolly got his djbdns trolls and his qmail trolls mixed up.

Nasty Nasty HTML Version

[OverlordQ]

Enjoy

Note: Was converted with *gasp*powerpoint so yes it is horrible :)

Re:Nasty Nasty HTML Version

you asked for it buddy!

Re:Nasty Nasty HTML Version

Not that Dan Kaminsky really would care (at least, I think he wouldn't), but isn't that technically a "derivative work?" Are you licensed to do that? :-)

(Ahh, the irony of the above, given the context...)

Heh

[mfh]

We nerds sure are playful, ain't we? Voice over DNS... sounds like a recipe for disaster, or dollars.

Paketto Keiretsu

[H310iSe]

"Could another version of Paketto Keiretsu be in the works?"

Silly poster, the article's link to Dan's website brings you to the new tools (in "prebuild three"). Can someone please get a .torrent up?

Those are some seriously amazing gadgets in there, but I have to say I've yet to actually, you know, use one in any particular way.... yet I'm excited there are more out! I somehow want to know I could store knoppix in DNS even if I'm not likely to actually do it.

He has an excellent conclusion

[OverlordQ]

Conclusion
Stuff = Cool
More Stuff Soon

This guy is amazing! Where does he come up with this stuff! ;)

Re:He has an excellent conclusion

[MeerCat]

You know, I would have thought that a guy who's most recent blog reads "Site went down sometime last night :-/ Bind has been eating up the CPU for some reason. Need to figure it out. Had to reboot the machine." wouldn't actually be that keen on Voice over DNS etc.

I'm only kidding you, of course... ;^p

Re:He has an excellent conclusion

1. Stuff = Cool
2. More Stuff Soon
3. Profit?!??

Re:He has an excellent conclusion

[A+nonymous+Coward]

Conclusion
Stuff = Cool
More Stuff Soon

This guy is amazing! Where does he come up with this stuff! ;)

Probably from his refrigerator.

Re:He has an excellent conclusion

[wpmegee]

He who dies with the most stuff wins.

Re:He has an excellent conclusion

This guy is amazing! Where does he come up with this stuff! ;)

I think you mean, "Where does he come up with this cool!"

Re:He has an excellent conclusion

He who dies with the most stuff on credit wins.

Re:He has an excellent conclusion

He's a donkey raping shit eater.

Where do I come up with this stuff?! (southpark joke)

Win2k DNS

[An-Unnecessarily-Lon]

I run a Win2K DNS server on base for our primary. With IPsec policy and Router ACLs the box is very stable and robust. I am kind of wondering why people have such problems with DNS. I am sure A linux DNS box would work superb too but I dont know. Anyone clue me in?

Re:Win2k DNS

Worst troll in a long time twit.

Re:Win2k DNS

[MisanthropicProgram]

Or...maybe he really doesn't understand. You see, kiddo, those of us who've been in this business for a decade or longer know that you can't know everything. Those who say they know everything or are experts are mistaken or lying. This biz is just too large and diverse to know everything.

In other words kid, don't fuck with us old guys or we'll show you who knows shit!

Re:Win2k DNS

To be fair, there are a fair number of younger guys that know their stuff and realize they can't know everything. But not very many, and they're usually in their upper 20s.

You also see this a lot when you read résumés and interview people, because you can really tell the younger, inexperienced people (and consultants) from the older ones. The more crap someone has on their résumé the more suspicious I become, and the more I start asking questions to see how deep the knowledge goes. When people start getting their facts messed up you start seeing that their knowledge is an inch deep. Knowing a little bit of everything != their advertisement of knowing everything.

On the other hand, it's nice to see people shooting their mouth off, because you know who not to associate with/hire/etc.

Sorry for the AC post, but this is somewhat OT.

Re:Win2k DNS

[silas_moeckel]

OK this is pretty OT as well but I'll have to agree to many people have no depth. But in reviewing a canidate it's generaly better to try and figure out how quickly they can get some depth. And knowing a little bit of everything and being able to go deaper quickly can make you a great CTO :) or consultant (IE not a temp staffer being called a consultant)

Re:Win2k DNS

[mabinogi]

I honestly don't know either. But apparently DNS is hard, even when you're using W2K.
I've never figured out how one of our network people was able to ACCIDENTLY add an NS record for one of our web servers instead of an A record, and I've definitely never figured out how it is that they couldn't understand what the problem was or how to fix it. They use Win2K on the DNS servers.

If it'd been Bind, they wouldn't have made the mistake in the first place, because there is no way you would accidently type "NS" instead of "A". Not to mention the fact that they probably wouldn't have attempted to make the change, and would have waited until the person who knew what he was doing was back.

I'm assuming that the person in question randomly clicked stuff until he had somewhere he could put a server name in....

Re:Win2k DNS

Yes, the ability to learn is important. But just as important is the ability to say "I don't know." If there are two candidates where I feel that either has the same learning capacity, but one is more honest about their skills, I'll pick the more honest one because I know where they stand. I have enough know-it-all-can-do-everything-bow-before-me types around me already who manage just to make more work for me later when they couldn't actually do what they said they could do. And firing people is at best unpleasant.

Re:Win2k DNS

It doesn't help when there are idiot companies with requirements like "C# / .Net (4+ years);" on their must-have requirements.

SPF and SPF+ work over DNS

[ideut]

Dan isn't the first one to suggest novel new applications for the DNS. Many will also be familiar with SPF, the "spam permitted from" framework for defining permitted email senders. Microsoft have recently taken over the standard process and are proposing for the sender permission rules to be sent in XML format over DNS!

The open source community's response so far has been SPF+, which is essentially a technique of encoding the rules in TCL, which is served over DNS and executed on the mailserver. For obvious reasons, SPF+ will probably define the future of spam control on the internet.

Re:SPF and SPF+ work over DNS

[sharkey]

Cool! Remember, dermatologists recommend at least SPF 15, applied regularly to exposed skin, when you are out in the sun.

Re:SPF and SPF+ work over DNS

[Effugas]

Hmmm. We've been hearing about agent technology / mobile code for years, and not only has its functionality been a bit sketchy at best, but its security is a nightmare. Note -- you can't post Javascript on Slashdot or PHP within common forums, and there's a reason.

Putting TCL in DNS as a commonly used standard is a bit worrisome -- you'd have programmatic access to an execution context within any mail server. Not rejecting the idea outright -- but what are the functionality gains that justify such an outright expansion of remote access to untrusted parties?

--Dan

Re:SPF and SPF+ work over DNS

[Bombcar]

I can't believe that people mod this interesting.

Read the D#$%$@#M links, people! You've been meta-trolled!

Ideuts.

Some of this stuff really makes alot of sense

[mcrbids]

Forget the current legal nightmare of this proposal - just roll with me...

This guy proposes putting content (eg Knoppix) into DNS.

Why is DNS particularly not well suited for this kind of distribution mechanism?

Seems to me that if the RIAA wanted to distribute their movies via broadband providers (an inevitability, I'm afraid) the biggest problem would be dealing with BANDWIDTH.

I always figured that ISPs would have to have some way to cache content locally so their Internet pipes don't get absolutely HAMMERED by all the people viewing the latest flick...

DNS already has a mature, stable, and lightweight caching mechanism in place. Why not use it?

Honestly, caching content a la DNS might provide a MUCH more efficient content distribution mechanism than, say, BitTorrent.

Where's the bad part of this idea?

Re:Some of this stuff really makes alot of sense

I always figured that ISPs would have to have some way to cache content locally so their Internet pipes don't get absolutely HAMMERED by all the people viewing the latest flick...

They've always had one. It's called usenet

BTW, the MPAA and the RIAA are different.

Re:Some of this stuff really makes alot of sense

[markov_chain]

Content would probably get cached better with BT than DNS because of the dynamically constructed network topology. The caching in DNS works as well as it does because it happens along the domain name hierarchy (duh). The default topology probably wouldn't be very efficient for content.

Further, DNS would need to be upgraded. There is a good reason that short-term, experimental applications are better done at the ends; read the End-to-end arguments in system design for further insights.

Re:Some of this stuff really makes alot of sense

[kryptkpr]

Where's the bad part of this idea?

1) I think the requirement for caching sets of 4 byte IP addresses and 4 GB movies are quite different. Just because a system is good at one, doesn't mean it will automatically be good at the other. When I RTFA, the author made it quite clear that there was a 512-byte packet size limit, of which only around 50% could be useful for actual data. By the author's own estimation, it would take 35,000 DNS servers to host a single 700mb Knoppix image.

2) DNS is already an overloaded system, and his idea uses recursion, so it would place even more load on top of it.

If you think this is going to replace BitTorrent, you're off your rocker.

Re:Some of this stuff really makes alot of sense

DNS wasn't made for distributing movies. And it shouldn't be abused, the right tools for the right job. If you want to distribute large files then take a look at freecache.

Re:Some of this stuff really makes alot of sense

[abertoll]

The problem is DNS isn't THAT distributed. Each query has one authority. Also, what kind of TTL do you put on a Knoppix CD?

I think the single point of failure is the biggest problem with using DNS as a way of distributing large amounts of information. It really DOESN'T make sense to do this with DNS when you can design something "like DNS" only more distributed.

Re:Some of this stuff really makes alot of sense

[photon317]

DNs is really, really, not designed for these types of payloads. You'd be far better off using a heirarchy of squid web caches than the DNS system for mass distribution of media.

Re:Some of this stuff really makes alot of sense

[Bagheera]

Forget the current legal nightmare of this proposal - just roll with me...

Were that we could...

Why is DNS particularly not well suited for this kind of distribution mechanism?

Because DNS is designed to handle its hierarchical data, not massive amounts of content? The extra fields available in DNS are there fo, well, DNS related stuff.

Seems to me that if the RIAA wanted to distribute their movies via broadband providers (an inevitability, I'm afraid) the biggest problem would be dealing with BANDWIDTH.

I know you meant the MPAA, not the RIAA, but I think their biggest problem will be letting go of their deep seated need for control, rather than bandwidth. They can afford the pipe. And I, for one, would be incredibly pissed off to find the RIAA (or any other commercial service) caching their stuff on MY name server.

I always figured that ISPs would have to have some way to cache content locally so their Internet pipes don't get absolutely HAMMERED by all the people viewing the latest flick...

Like, say, USENET?

DNS already has a mature, stable, and lightweight caching mechanism in place. Why not use it?

We do. Millions of times a day. We use it every time we translate a name to an IP number. Looking up, say www.slashdot.org

Honestly, caching content a la DNS might provide a MUCH more efficient content distribution mechanism than, say, BitTorrent.

Highly unlikely. A highly effecient system dedicated to caching content will almost certainly be better than trying to do the same thing with DNS. It's simply not made for it.

Where's the bad part of this idea?

Inefficiency. Load on already stressed servers. Better existing solutions. Should I go on?

Dan's come up with some brilliant ideas over time. Definately A Geek's Geek. But this one sounds a lot more like one of his thought experiments than an actual proposal. Like directly burning CD's over an SSH tunnel...

Re:Some of this stuff really makes alot of sense

[strabo]

DNS already has a mature, stable, and lightweight caching mechanism in place. Why not use it?

What part of the word lightweight don't you understand?

Re:Some of this stuff really makes alot of sense

[Effugas]

It is indeed a thought experiment -- but one that's led to some interesting stuff. Voice over DNS was actually a really surprising hack -- here you have a globally deployed caching system, sometimes several levels deep, that actually has the capacity to host the minimal bitrate for a minimally compressed voice link.

There's millions of servers out there that we can interface with -- what's the impact of that? If nothing else, it's fun to be playing with something other than TCP headers :-)

--Dan

P.S. A broom can be used to sweep the floor -- or to knock something out of a tree, or to scare off a wild animal, or to burn for heat. There's something to be said for separating common uses from "inherent purposes". HTTP was certainly never designed to host as much dynamic content as it does now!

Re:Some of this stuff really makes alot of sense

[ptr2void]

But I do burn CDs over an SSH tunnel?!

Re:Some of this stuff really makes alot of sense

[RAMMS+EIN]

``HTTP was certainly never designed to host as much dynamic content as it does now!''

Nor was it intended to do sessions (think webmail), and it doesn't do a very good job at those. RPC over HTTP (useful for interactive applications) is even worse; the HTTP headers can easily outweigh the payload. A stateful protocol (like FTP) would be a better fit for those uses.

Re:Some of this stuff really makes alot of sense

[mattyrobinson69]

ssh -X you@remotehost k3b

(if you use k3b obviously, and i couldn't be arsed looking up cdrecord's command line switches)

Re:Some of this stuff really makes alot of sense

The idea is to put the BT trackers in DNS... not the whole file.

Re:Some of this stuff really makes alot of sense

I assume you've seen the ideas to put the BT trackers in DNS.

I'm curious if/how this relates to the Knoppix in DNS idea you had.

Sorry I don't understand the tech details well enough to figure this out on my own.

Re:Some of this stuff really makes alot of sense

[clacke]

What part of the word lightweight don't you understand?

e.

Re:Some of this stuff really makes alot of sense

[Effugas]

BT is more small-data -- one to ten packets through the architecture.

My thought experiment was -- how can we efficiently place an arbitrary amount of data in the DNS? The answer is to not respect the heirarchy ourselves but to simply distribute the chunks, scattershot, across large numbers of servers.

--Dan

PDF Link

[kryptkpr]

PDF Conversion of powerpoint presentation

On my ISP's very fast webspace, but please post mirrors in case they decide to pull the plug.

Re:PDF Link

[zsau]

http://freecache.org/http://www.mountaincable.net/ ~krypt/bo2004.pdf

Re:PDF Link

[kryptkpr]

Not another one of you people.

Please read the FreeCache FAQ:

We don't bother with files smaller than 5MB, as the saved bandwidth does not outweight the protocol overhead in those cases.

I know how to make a freecache link all by myself, but the PDF is only 1mb.. that's why I asked people to mirror it. It's too small to bother with a torrent, too small for freecache, but just the right size to throw up on your ISP webspace.

Re:PDF Link

[zsau]

Ah. Okay. Don't I feel silly now?

I would've put it on my webpage, but I don't have enough bandwidth...

Re:PDF Link

[Lars+T.]

Why don't you cache it in some DNS servers?

Put up or shut up.

[DAldredge]

http://cr.yp.to/djbdns/guarantee.html

The djbdns security guarantee
I offer $500 to the first person to publicly report a verifiable security hole in the latest version of djbdns.

Examples of security holes:

* Buffer overflows allowing attackers to take over DNS caches, such as the NXT bug in BIND before 8.2.2-P4 (1999), or the TSIG bug in BIND before 8.2.3 (2001), or the SIG bug in BIND before 4.9.11/8.3.4 (2002).
* Buffer overflows allowing attackers to take over DNS servers, such as the IQUERY bug in BIND before 8.1.2-T3B (1998).
* Buffer overflows allowing attackers to take over DNS clients, such as the CNAME bug in BIND's libresolv before 4.9.9/8.2.6/8.3.3/9.2.2 (2002), or the getnetbyname bug in BIND's libresolv before 4.9.11 (2002).
* Buffer overflows allowing attackers to take over DNS utilities.

Examples of problems that do not qualify:

* Bugs outside of djbdns, such as OS bugs or browser bugs. (People could seize control of BIND 9.1 through an OpenSSL buffer overflow, but that was a bug in OpenSSL, not in BIND.)
* The vulnerability of DNS to forgery. (BIND's port reuse makes blind forgery much less expensive, but this is a quantitative difference, not a qualitative difference. The DNS architecture needs cryptographic protection.)
* Denial-of-service attacks. (BIND 9's fragility makes denial of service completely trivial; but an attacker can easily take down the Domain Name System without using any of BIND's bugs. The DNS architecture needs to be decentralized.)

My judgment is final as to what constitutes a security hole in djbdns. Any disputes will be reported here.

Re:Put up or shut up.

[Carnildo]

http://cr.yp.to/djbdns/guarantee.html

The djbdns security guarantee
I offer $500 to the first person to publicly report a verifiable security hole in the latest version of djbdns.

Examples of problems that do not qualify:

* Denial-of-service attacks. (BIND 9's fragility makes denial of service completely trivial; but an attacker can easily take down the Domain Name System without using any of BIND's bugs. The DNS architecture needs to be decentralized.)

Says it right there. It's a DoS attack that, by means of a series of specially-selected queries, forces worst-case behavior out of the caching algorithm.

Re:Put up or shut up.

Either you're both saying the same thing, or soembody is confused. What, are you going to stop using DNS altogether because it can be poisoned?

Re:Put up or shut up.

[DAldredge]

You used a flaw in the DNS protocal as a reason not to use a specific piece of software when, it appears, that the flaw you are bitching about can harm ANY DNS server.

Re:Put up or shut up.

It sounds like you are talking about this paper. djbdns is not vulnerable.

Where's the innovation?

[Have+Blue]

DNS is just a pervasive and well-organized caching broadcast protocol, isn't it? Right now, all it's been used to transmit is mappings of ASCII strings to IP addresses, and ancillary data related to that. Why is using it to transmit anything else particularly innovative? We didn't see this much enthusiasm when someone figured out how to send Knoppix over HTTP or Usenet.

Re:Where's the innovation?

Why is using it to transmit anything else particularly innovative?

Yeah, I'm sure you wouldn't be saying that if you came up with this idea first!

Re:Where's the innovation?

[Have+Blue]

You're right, I wouldn't, because I would have realized that a protocol and the data it carries are separate and interchangeable, and making a new combination from an element of each category is not innovation. And I doubt I would have come up with this idea in the first place, because there are already far better platforms for data requiring large amounts of storage or real-time delivery.

Re:Where's the innovation?

[Effugas]

Putting data in DNS -- not new, I say that very early and often. What is sort of new is the idea that you can connect to many, many servers to amortize the download speed across Internet-scale networks, using their caches as short but useful term storage devices.

Also, short term caching allows for unexpectedly useful distributed voice transmission.

--Dan

Dude...

[MisanthropicProgram]

someone just modded us "Offtopic". How bogus is that !?

I tell ya, new modderators! They don't know shit!

Sticking Knoppix distro in a DNS cache....

[NemosomeN]

Discussed YEARS ago with the possibility to sticking the source of DeCSS into a DNS cache (Among other things). I would put the source in an HTML comment here, but alas, no comment tags.

Re:Sticking Knoppix distro in a DNS cache....

This great site explains how to legally (?) obtain DeCSS from it's self-proclaimed "owner", the evil and sadistic MPAA, amongst other things:

http://decss.zoy.org/

PDF version

[Dwonis]

The PDF file (created using OpenOffice.org) is here (8.7 MB .torrent).

Re:WTF Is This?

[EdMcMan]

Once reading the article you would understand.

If you put the presentation in DNS it would not be a problem.

bad part of the idea

The DNS Servers are there for DNS, not files. They are not written or stress-tested as fileservers. DNS requests and responses are small chunks of data. It would be sorta bad if people sending 600 meg isos through the dns system, you know, kinda, broke DNS.

Off-topic? Hardly.

[nacs]

Some of his concepts included [...] storing Knoppix in a DNS cache.

In Soviet Russia, Knoppix caches DNS!

Oh wait...

anybody remember DNS MUDs?

[andrewagill]

You used to be able to play a text adventure game with DNS:

]$ nslookup - hastur.rlyeh.net
> set querytype=txt
> set domain=adventure
> 1

Alas, hastur has been down since around 1998, but you can still live the magic if you believe in yourself!

dangerous ideas, just think of akamai dns problems

Dan's got some interesting ideas, I'll grant you. But considering how scanrand has toasted network equipment I've run it against in the past, I don't think I'm too keen on his take on this. The tunneling angle is interesting, but when he gets to content distribution - it starts to look like a DNS stress tester more than a useful application, and considering how akamai got hosed for a bit last week, I sure hope that not many people play around with Dan's ideas unless they have a clue as to what they're doing. Needing 35,000 servers to xfer 700MB's of data at a reasonable speed is NOT an interesting hack, but it sure sounds similar in some principles to a mass DDoS.

Yea baby!

[stienman]

Ok, so let's do this:

We've got the Kaminsky protocol connected to the
DNS protocol
the DNS protocol's connected to the
UDP protocol
The UDP protocol's connected to the
IP protocol
Oh hear the word of the inefficient!

The second verse is left as an exercise for the reader. Please keep in mind that writing another verse is somewhat more productive than implementing the aforementioned Kaminsky protocol.

-Adam

Re:Yea baby!

[cant_get_a_good_nick]

"There's no problem in computer science that can not be solved by using another level of indirection, except for too many levels of indirection"

-- Unknown

well, I skipped installing...

[zogger]

... open office this distro go around, because I realised in all the previous distros I never used the thing, not once, and it's hundreds of megs, a simple bear to keep upgraded on a dialup, etc. I made a few test pages and looked at it before, ok it looks like an office suite to me, but as I am not going to school, nor working in an office, etc, I can get by with any text editor out there for my writing needs. If it needs to look purty I know just enough html to be dangerous......

SO, to get back to slashdot reality, for those of us who can't see the power point, what are a few of the highlights and new and shiny ideas, if you would please and thankyou, and then folks can discuss it instead of just cussing it with no idea what's going on. OK, basic stuff I got the cliff notes version down: DNS, domain name service, translates words into numbers so ye olde browser or whatnot can get from here to there on the intarweb. The numbers are assigned by various poobahs with political overtones anc controversy, but it apparantly works. Someone gets money for doing this,because they sayso, and there's a few dozen whopper boxes sitting in nuclear bomb proof bunkers someplace that are the motherlode of rip snortin rootin tootin routin ability and all they do is DNS action when they aren't putting the moves on the female robots hanging around the bunkers or playing poker.

And so on.

So... what's next?

Holyshit..

[MisanthropicProgram]

someone just modded' me as flamebait for speaking my mind and for speaking out about modderation....
Just keep this in mind when John Ashcroft and fuckers come after us!

Oh wait! I am one of those fuckers.

Re:Holyshit..

[MisanthropicProgram]

I'm really impressed if a Mod gets tis far down. And when I Med Mod I'll be sure to keep it in mind.

Or even better...

I'm thinking... How about implementing this cool feature into IPv7 that lets us have a globaly distributed AII??

Wouldn't that be something..

Ob Finding Nemo

[sharkey]

INTERVENTION!!!!

Come on /.ers! We have to save YouGotServed from the terrible fate he's heading for.

protocol inversion

[drxyzzy]

I don't get it. It sounds like another protocol inversion:
UDP over DNS. OTOH we have seen IT managers solemnly accepting
RPC over HTTP (SOAP) and TCP over HTTP (Web Services). ;-)

Whee, Slashdotted

[Effugas]

You know that whole thing, where you come back from a trip to Vegas only to see a metric ton (expletive removed) of work sitting in your inbox?

Hi. Ask questions, I'll reply and eventually integrate into the Doxpara home page.

--Dan

Re:Whee, Slashdotted

Damn poetic justice.

I'm gonna save this post and bring it out on special occasions.

I dunno about SCO anymore, but the mods around here really are smoking crack!

Neat idea by the way.
I think most people have decided this is just a fun thing to think about, but not to impliment.

I liked reading about the DNS MUD a little further up, and gives some ideas about "prior art" :P

Re:Whee, Slashdotted

I also think people didnt get the connection between your user name and your real name.

Slash should allow a yearly nickname change. Nothing too frequent, but allow modifications and adjustments.

You have no idea how appropriate this is

[Effugas]

Lets watch how the initial implementation of SSH over DNS works:

SSH connects to HTTPtunnel's TCP proxy, which converts TCP to HTTP (another TCP protocol, but record oriented with all sorts of limitations). These HTTP packets are then captured by a DNS translator, which sends the packets out over UDP. The UDP packets route across the net, themselves encapsulated in IP, MPLS, and Ethernet, potentially bouncing off a local DNS server. They arrive, are decapsulated more times than I can count, and are eventually given to an SSH server.

Now, the SSH client opens up a SOCKS daemon, and uses it to direct port forwards on the faraway SSH server. For those keeping score, to achieve this VPN, we've used:

SSH
TCP
HTTP
DNS
UDP
IP
MPLS
Ethernet ...all at the same time, just for a simple encrypted session across the very wide Internet.

Bonus points if you realized you can bounce off all the DNS servers out there, meaning the outgoing packets in the SSH over DNS link are potentially spreadable in arbtirary directions like so many dandelion seeds... :-D

--Dan

Re:You have no idea how appropriate this is

[dlb]

Um, So?

You talk like multiple layers of encapsulation is something new. This just reeks of yet another way to dodge The Man and hide your filesharing traffic.

And by the way, I categorize somebody potentially using my internet facing DNS servers for covert file transfers in the "abuse", not "cool" category.

The only good that could come out of this is to force some sort of validation of your dns cache so it's truely a name resolution cache, and not a cache of pieces of some chump's favourite dvd.

What's next? Voice over VRRP?

Re:You have no idea how appropriate this is

[Effugas]

Well, there are two kinds of people in the world -- those who see SOCKS over SSH over TCP over HTTP over DNS over UDP as neat, and those who don't.

The DNS backchannel through a firewall, by abusing the heirarchy, is a real problem.

--Dan

Re:You have no idea how appropriate this is

[dlb]

Weird bionic encapsulations are 'neat' until you're the one trying to justify the bandwidth bill.

It's neat until you've gone into the next higher pricing bracket because someone decided to piggyback a bunch of other protocols on top of dns to your external name servers. Aside from breaking rfc, or causing a self-inflicted DOS, there isn't much you can do about it.
(On the other hand, this is a prime example why allowing recursive DNS requests externally is a bad idea.)

What I think is neat is stuff that's going to save me bandwidth, not increase freeloader traffic.

"DNS backchannel through the firewall" is addressed by sensible design and a good security policy.
Wrapping a server around an enforcement point like you described in your presentation is horrible design; any nutcase that implements that solution deserves problems.

~dlb

Re:You have no idea how appropriate this is

[Effugas]

I did load balancing stuff last year; created this entire system whereby a central distribution node could have its outgoing traffic actually brokered across any number of volunteering other hosts that would spoof the outgoing traffic. ACKs would come back to you, though, so you'd get K/s figures on data streams you couldn't even see.

Turned out I had just reinvented some stuff from a few years back, Alteon did similar things with dedicated hosts. There's actually some neat load balancing stuff w/ DNS involving race conditions (which DNS reply or SYN|ACK makes it to the customer site first) but Radware's done alot of good stuff here. Ultimately, load balancing is pretty mature...DNS tricks surprisingly aren't.

Ultimately, yeah, the massive amount of open recursive caching servers is probably bad.

--Dan

Troll.

Poor attempt at trolling, sir.

Um, you can save it out as SXI...

...or HTML using OpenOffice Impress. I'd have already done it but my bandwidth doesn't like incoming slashalanches.

My problem would be that slideshows generally have pretty minimal content. Using them as a framework is great, because it makes the live presentation more interesting, but it does make for a fairly shallow document.

Great ideas!

[metamatic]

DNS is the essential infrastructure required for almost all Internet applications to function correctly... so let's fuck with it and create some cool hacks, and use it to implement stuff that's already been done much better using other protocols! I mean, what could possibly go wrong?

Slides 1-10 of 44, and /.'s lameness filter sucks

[leonbrooks]

This paragraph is random crap to keep that fscking lame slash lameness filter happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements.

This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements.

Black Ops 2004 @ LayerOne

Dan Kaminsky

===page===break===

Introduction

• Who am I?
  • Senior Security Consultant, Avaya Enterprise Security Practice
  • Author of "Paketto Keiretsu", a collection of advanced TCP/IP manipulation tools
  • Speaker at Black Hat Briefings
  • Black Ops of TCP/IP series
  • Gateway Cryptography w/ OpenSSH
  • Protocol Geek

===page===break===

What's On The Plate for Today?
/* char descrip[256] = "You'll see"; */

===page===break===

What is DNS

• DNS: Domain Name System
  • Mechanism for translating human-readable names into machine routable addresses
• "Like 411 for the Internet"
  • As 411 usually but not always yields simple phone numbers, DNS usually but not always yields IP addresses
  • A: Given name, find IP
  • MX: Given name, find Mail
  • PTR: Given IP, find name
  • TXT: Given name, find "stuff"

===page===break===

"Useful" Traits of DNS
(Very Very Abridged)

• Hierarchical
  • .com says where to find addresses in .doxpara.com, and .doxpara.com says where to find addresses in foo.doxpara.com
• Recursive vs. Iterative Lookups
  • Iterative Lookup: Ask a server a question, it tells you where to go to find out the answer
  • Recursive Lookup: Ask a server, it goes out and finds out the answer for you, and tells you
  • It queries the hierarchy - which you may control

DNS?

[vuo]

"Dan Kaminsky Suggests Having Fun with DNS". (...) I wonder when someone messages in that in their school/city/country/homeworld the letters "DNS" stand for Darn Naughty Schoolgirls or something similar. It'd be interesting at least.

Re:oh wow!

[Dwonis]

"OpenOffice.org" is the name of the office suite. www.openoffice.org is the name of the website.

Dan Kaminsky

[Glamdrlng]

After taking a look at Paketto back when he wrote it up, and now taking a look at his work here, I think I've figured out his MO:

1. Surround self with RFC's for core internet protocols.
2. Ingest large quantities of something very hallucinogenic, yet not very legal.
3. Give the RFC's the Fruit Fucker 2000 "rode hard and put back wet" treatment.
4. Put together a group of proof-of-concept tools that make intelligent people who have worked in networking for years say "Shit, just when I thought I knew this stuff!" Oh, and profit.

Re:Dan Kaminsky

[phiz187]

After taking a look at Paketto back when he wrote it up, and now taking a look at his work here, I think I've figured out his MO: 1. Surround self with RFC's for core internet protocols. 2. Ingest large quantities of something very hallucinogenic, yet not very legal. 3. Give the RFC's the Fruit Fucker 2000 "rode hard and put back wet" treatment. 4. Put together a group of proof-of-concept tools that make intelligent people who have worked in networking for years say "Shit, just when I thought I knew this stuff!" Oh, and profit.

+1 insightful -PHiZ

well... thanks

[zogger]

I was able to later on get to one of the mirrors. Appreciate the effort! I don't pretend to understand most of it, but I gathered a little. It seems... convulted and a lot of effort for little return, except in the *obscurity* of it. I can't see it being used for a whole lot despite variations on this:

*
o Rumors of various botnets / malware using DNS as a covert channel

--true stuff? Might explain some of the weirdness going on.

Re:oh wow!

[Wedge1212]

I really hope you're a wise ass :)

Parent is a troll linking to a troll

[jensend]

If you read the linked email and the replies to it, you will find that the linked post is a troll. For real information about SPF, visit spf.pobox.com.

whoops, one more

[zogger]

mashed post instead of preview as I waw collecting my thoughts. By "weirdness" I had heard twice now, since two years ago, that banking systems in particular have been compromised and it's ongoing and they haven't been able to stop it. The technique was allegedly able to go through firewalls because it was *requested*. I didn't understand it then and I don't know but it sounds like this deal in the article sliding in under the name server.

Trollin trollin trollin...

[Glamdrlng]

Or...maybe he really doesn't understand.

That could be, but this post gets a very high TrollAssassin score from me. It's not that everyone should be an expert in everything, far from it. It's just that this post fits the troll profile a little too well. Let's do some analysis shall we?

First, we must keep in mind the motivation of the troll. The troll's mecca is getting people in a dicussion to waste their time by posting an insincere dumb statement/question that is sure to elicit heavy response. Let's break the message down:

I run a Win2K DNS server on base for our primary.

Right off the bat here are three things likely to set slashdotters off. #1, he's using a windows box. #2, he's using it for a military installation. #3, he's telling us about it. The first sentence alone is enough to condemn this post to trollhood.

With IPsec policy and Router ACLs the box is very stable and robust.

First off, this is not the language of someone who works in IT operations. Second, one wold hope that a server on a military installation is protected by more than a weak host-based firewall and some router ACL's. And again, these are not things that someone in a military IT group should be posting about.

I am kind of wondering why people have such problems with DNS. I am sure A linux DNS box would work superb too but I dont know. Anyone clue me in?

Here's the incriminating evidence. With a line like this, the only way this post could be more of a troll is if it guarded a bridge and demanded a toll of those who crossed it. Note the feigned cluelessness, wondering "why people have such problems with DNS". Dude, you can't work for a year in IT and not run into DNS problems somewhere along the line. Then there's the schmoozing: not even the most evangelical linux zealouts would use the word "superb" in this context. And note the final plea for dialogue: "Can anybody clue me in?" This is someone fishing for replies/controversy, and maybe even a little karma. Everyone who replies to this post (including myself, though I'm replying for my own enjoyment as well) has a great big fish hook in his/her mouth; we got caught, hook line and sinker.

Troll! Mod down you stupid mods!

Gah, read the contents of the link before giving him mod points.

djbdns violates multiple RFCs

[SuperBanana]

Use djbdns for a little while. BIND stars to look very sendmail-esque after that.

...and djbdns starts to look very non-standards-compliant.

Re:djbdns violates multiple RFCs

[Dwonis]

Care to back that up with facts? Interestingly enough, you might want to look at this page.

In any case, if you don't like how djbdns behaves by default, you can always go to http://tinydns.org/ and see what's available.

Re:djbdns violates multiple RFCs

The first linked page above states the following:

The simple truth of the matter is that the RD bit is a useless piece of frippery, a mistake in the design of the DNS protocol, and DNS softwares should simply ignore it, whatever it is set to

This is incorrect. More information

Re:djbdns violates multiple RFCs

[Dwonis]

The RD bit *is* a mistake in the design of the DNS protocol. There's no reason why an authoritative name server and a recursive resolver need to run on the same (address, port) pair. That BIND does this is not an excuse.

The use of the RD bit is nothing more than a hack to work around the problem of having NS records pointing at recursive resolvers. Even then, a recursive resolver cannot rely on the use of the RD bit to break recursion loops: if it did, then a remote DoS attack would be extremely trivial.

That makes the RD bit a useless piece of frippery.

(Sorry if my explanation is a bit short. I'm a little without-sleep at the moment.)

Only on Slashdot

Continuous complaints of ever-decreasing freedoms and the want for a free and open society.. but continued enforcement of groupthink.. anyone who thinks independently and outside of the group must be a troll and calls for that person to be censored are rampant.

Interesting contradiction of values here.

Re:Only on Slashdot

[Glamdrlng]

So you're telling me you think that post is genuine, and not someone trolling? OR are you subscribing to antigroupthink and posting against it without a second thought?

Anonimity is just starting...

[ControlFreal]

a DNS-based network could provide a high-latency high-bandwidth madium. Just think about where you heard those two properties before: Freenet! A DNS based freenet might be very hard to stop indeed!

OFFTOPIC? I WROTE THE SLIDES :-)

[Effugas]

Wow.

Parent is a offtopic linking to a offtopic

Why on earth might an article flaming someone elses post and talking about spam filtering have been modded informative?

Dan's article had to do with different protocols over DNS. Everyone (yes, including the SPF) guys knew that you can use DNS to look up info. Fewer people knew you could set up bi-directional protocols over DNS.

Let's all mod the whole darn SPF thread offtopic.

The whole presentation

[mrogers]

This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it.

----------------
Black Ops 2004 @ LayerOne
Dan Kaminsky
----------------
Introduction

Who am I?

Senior Security Consultant, Avaya Enterprise Security Practice

Author of "Paketto Keiretsu", a collection of advanced TCP/IP manipulation tools

Speaker at Black Hat Briefings

Black Ops of TCP/IP series

Gateway Cryptography w/ OpenSSH

Protocol Geek
----------------
What's On The Plate for Today? /* char descrip[256] = "You'll see"; */
----------------
What is DNS

DNS: Domain Name System

Mechanism for translating human-readable names into machine routable addresses

"Like 411 for the Internet"

As 411 usually but not always yields simple phone numbers, DNS usually but not always yields IP addresses

A: Given name, find IP

MX: Given name, find Mail

PTR: Given IP, find name

TXT: Given name, find "stuff"
----------------
"Useful" Traits of DNS
(Very Very Abridged)

Hierarchical .com says where to find addresses in .doxpara.com, and .doxpara.com says where to find addresses in foo.doxpara.com

Recursive vs. Iterative Lookups

Iterative Lookup: Ask a server a question, it tells you where to go to find out the answer

Recursive Lookup: Ask a server, it goes out and finds out the answer for you, and tells you

It queries the hierarchy...which you may control

Caching

Responses contain a TTL - Time To Live - within which future requests don't require another message to be sent
----------------
Primary Research Areas for DNS

Exploitation

1999-2000 were filled with exploits against BIND, the most common DNS server

Not terribly vulnerable now

DNS Spoofing

Returning false addresses = hijack people's outgoing net connections

DNS Tunneling
----------------
DNS Tunneling [1]

How
Client -> Server

What's the information for BATCH-OF-ENCODED-DATA.doxpara.com?

Server -> Client

The information? Why, it's "HERES-THAT-DATA-YOU-WERE-LOOKING-FOR"

Why?
DNS is extremely permeable - it will route through architectures where often nothing else will

Captive portals for Wireless Internet

"More" ;-)
----------------
Starting Simple:
DNS Tunneling [0]

Who?
NSTX most popular

Creates a "virtual network device" that routes IP (actually, Ethernet frames) over DNS

Linux Only

Rumors of various botnets / malware using DNS as a covert channel
----------------
DNS Tunneling[2]:
Entering Userspace

Starting "Simple"

NSTX requ

OK, where's the "+1 Informative" mods?

[leonbrooks]

Don't have any to hand, and I've already posted. Volunteers?

Whatever

[pklong]

I only posted this for the karma

Cracking Contests Not Useful

[bill_mcgonigle]

The djbdns security guarantee
I offer $500 to the first person to publicly report a verifiable security hole in the latest version of djbdns.


Bruce Schnier has written about the value of cracking contests. Executive summary: the don't prove much.
His essay was focused on cryptanalysis at the time but since then Bruce has seen the light - principles that apply to cryptography narrowly apply to security broadly.

In excerpt:

I can offer $10K to the first person who successfully breaks into my home and steals a book off my shelf. If no one does so before the contest ends, that doesn't mean my home is secure. Maybe no one with any burgling ability heard about my contest. Maybe they were too busy doing other things. Maybe they weren't able to break into my home, but they figured out how to forge the real-estate title to put the property in their name. Maybe they did break into my home, but took a look around and decided to come back when there was something more valuable than a $10,000 prize at stake. The contest proved nothing.

The last possibility is the most interesting, especially in today's security theater.

Re:Cracking Contests Not Useful

[skidv]

Agreed. If I am a black hat (I'm not) and I find a bug in a piece of software that allows my to root thousands of computers on the Internet, I'm not at all motivated by values less than 6 figures.

Virus writers create virii for no compensation at all. I'm not surprised that black hats are motivated by something other than trivial compensation.