Patch DNS Servers Faster
51mon writes "Austrian CERT used data from one of their authoritative DNS servers to measure the rate at which the latest DNS patch (source port randomization) is being rolled out to larger recursive name servers. While about half the traffic (PDF) they receive is now using source port randomization, their data suggest that this is due to ISPs who roll out such fixes immediately. The rate of patching has fallen to disappointingly low levels since. If your ISP isn't patched, perhaps it is time to switch." After details of the DNS vulnerability leaked, researchers |)ruid and HD Moore released attack code; ZDNet's security blog has an analysis.
It'll either be a setting on your router, or, if you're directly connected to the modem, you'll need to change it in the network settings on your computer.
You can change this in your DHCP or IP configuration settings on your home router or PC. On my home network, for instance, my DD-WRT router isn't running a DNS server on it, and the DHCP static DNS settings are set for my Server 2008 box and the two OpenDNS resolvers. My Server 2008 box also has its forwarders set to OpenDNS.
That's probably more complicated than it needs to be, but better safe than sorry.
On Windows XP, 2000, and I think Vista, you can tell Windows to ignore the DNS server settings provided by DHCP by going into the IP properties for the connection and hard-coding the IP addresses under Local Area Connection Properties > Internet Protocol Properties > Use the Following DNS Server Addresses.
This can also be done under Linux, but I don't know the particular commands for it.
My Sysadmin Blog
Dan Kaminsky's website has a DNS checker on it.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
http://www.doxpara.com/ They have a DNS checker on the right-hand side. This is linked from the original /. article on this topic.
-dave
http://entropy.dns-oarc.net/test/
There are a couple of issues with the one Dan created. First, it's slashdotted. Second, some ISPs don't allow querying from just anywhere, only from their own customers' IPs. Here's a test you can run from any machine with dig on it:
https://www.dns-oarc.net/oarc/services/porttest
dig +short porttest.dns-oarc.net TXT
New things are always on the horizon
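The porttest check above tells you about the one resolver you are sitting behind. The Austrian CERT measurement in the story looks at the same thing from the other side: an authoritative server watches which source ports each recursive resolver uses when it sends queries. The following is an added example of that analysis (it is not CERT.at's, DNS-OARC's or Kaminsky's code). It reads tcpdump-style lines from the authoritative server's capture, groups them by resolver, and reports whether each resolver's source port is fixed, sequential or spread across a range. The capture text, resolver addresses and the authoritative server address 198.51.100.1 are constructed, documentation-range values; the "bits" figure is only log2 of the observed port span, which is the crude upper bound the thread's 2^11-for-2048-ports remark also uses.

```python
"""Estimate per-resolver DNS source-port randomization from a packet capture.

Added example (not CERT.at's, DNS-OARC's or Kaminsky's code).  It mimics the
measurement described in the story: the authoritative side looks at the
source ports of the queries each recursive resolver sends it.  The capture
lines below are CONSTRUCTED in tcpdump's text format; a real capture would
come from something like  tcpdump -n -l 'udp port 53'  on the authoritative
server.  All addresses are documentation ranges."""
import math
import re
from collections import defaultdict

# Matches tcpdump's "src.sport > dst.53:" prefix.  Responses coming back to a
# resolver that itself uses port 53 also match, so the caller filters on the
# authoritative server's own address to keep queries only.
QUERY_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.53: "
)

# Constructed sample: an old BIND on port 53, a sequential-port resolver,
# a randomized one, and one seen too rarely to judge.  One response line is
# included to show that it is ignored.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 192.0.2.10.53 > 198.51.100.1.53: 1 A? www.example.at. (32)
12:00:01.000900 IP 198.51.100.1.53 > 192.0.2.10.53: 1 1/0/0 A 198.51.100.20 (48)
12:00:01.100100 IP 192.0.2.10.53 > 198.51.100.1.53: 2 A? mail.example.at. (33)
12:00:01.200100 IP 192.0.2.10.53 > 198.51.100.1.53: 3 MX? example.at. (28)
12:00:01.300100 IP 192.0.2.10.53 > 198.51.100.1.53: 4 A? ns1.example.at. (32)
12:00:02.000100 IP 192.0.2.20.1024 > 198.51.100.1.53: 5 A? www.example.at. (32)
12:00:02.100100 IP 192.0.2.20.1025 > 198.51.100.1.53: 6 A? mail.example.at. (33)
12:00:02.200100 IP 192.0.2.20.1026 > 198.51.100.1.53: 7 A? ns1.example.at. (32)
12:00:02.300100 IP 192.0.2.20.1027 > 198.51.100.1.53: 8 AAAA? www.example.at. (32)
12:00:02.400100 IP 192.0.2.20.1028 > 198.51.100.1.53: 9 A? ftp.example.at. (32)
12:00:03.000100 IP 192.0.2.30.41250 > 198.51.100.1.53: 10 A? www.example.at. (32)
12:00:03.100100 IP 192.0.2.30.2901 > 198.51.100.1.53: 11 A? mail.example.at. (33)
12:00:03.200100 IP 192.0.2.30.61388 > 198.51.100.1.53: 12 MX? example.at. (28)
12:00:03.300100 IP 192.0.2.30.17744 > 198.51.100.1.53: 13 A? ns1.example.at. (32)
12:00:03.400100 IP 192.0.2.30.9013 > 198.51.100.1.53: 14 A? ftp.example.at. (32)
12:00:03.500100 IP 192.0.2.30.52106 > 198.51.100.1.53: 15 AAAA? www.example.at. (32)
12:00:04.000100 IP 192.0.2.40.33001 > 198.51.100.1.53: 16 A? www.example.at. (32)
12:00:04.100100 IP 192.0.2.40.33977 > 198.51.100.1.53: 17 A? mail.example.at. (33)
"""


def parse_capture(text, server_ip):
    """Return {resolver_ip: [source ports, in capture order]} for queries
    addressed to server_ip; everything else (responses, other traffic) is dropped."""
    ports = defaultdict(list)
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m and m["dst"] == server_ip:
            ports[m["src"]].append(int(m["sport"]))
    return dict(ports)


def classify(ports, min_samples=4):
    """Classify one resolver's observed source ports as
    (label, est_bits).  est_bits is log2 of the observed span: a crude
    upper bound on what the port adds to the attacker's guessing space,
    and only meaningful once many queries have been seen."""
    if len(ports) < min_samples:
        return "insufficient", 0.0
    distinct = set(ports)
    if len(distinct) == 1:                      # e.g. unpatched BIND on port 53
        return "fixed", 0.0
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    if all(d == 1 for d in deltas):             # attacker predicts the next port
        return "sequential", 0.0
    span = max(distinct) - min(distinct) + 1
    return "randomized", round(math.log2(span), 1)


def assess_capture(text, server_ip):
    """Per-resolver verdicts for a whole capture."""
    return {ip: classify(p) for ip, p in parse_capture(text, server_ip).items()}


def share_randomized(results):
    """Fraction of judgeable resolvers that randomize, the figure the
    CERT.at story reports as 'about half'."""
    judged = [lab for lab, _ in results.values() if lab != "insufficient"]
    return len([lab for lab in judged if lab == "randomized"]) / len(judged) if judged else 0.0


if __name__ == "__main__":
    verdicts = assess_capture(SAMPLE_CAPTURE, "198.51.100.1")
    for ip, (label, bits) in sorted(verdicts.items()):
        print(f"{ip:15} {label:12} ~{bits} bits")
    print(f"randomized share: {share_randomized(verdicts):.0%}")
```

Note the caveats this makes visible: a resolver behind a NAT that rewrites source ports looks however the NAT behaves, not how the resolver was patched, and a handful of queries cannot distinguish a 2048-port range from a full 16-bit one, which is why the script refuses to judge resolvers it has seen fewer than four times.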
In Ubuntu, the network icon in the upper-right corner of your screen will take you to your network settings. You can change the DNS servers there.
I put OpenDNS right in my router configuration so it applies to my whole house. The other big benefit is that I block doubleclick whose ads always seem to make pages so slow to load. You also get some scam and phishing protection.
Life is short: void the warranty.
It always surprises me how much love there seems to be for OpenDNS on /.
A DNS server returns you a result, or tells you that it can't resolve the domain. Instead of doing the latter, OpenDNS redirects you somewhere you didn't intend to go and attempts to hit you with some advertising. That seems more like typosquatting to me, although admittedly it's with your permission.
I have no idea what netconfig is meant to do, but it doesn't exist on my computer. /etc/resolv.conf is the standard way of doing it.
I had been using OpenDNS. I stopped when I realized they were monitoring my traffic. When I go to Google, they were returning their own Google-like page, to which my browser would submit the query, and then redirect me to Google.
They claim they're doing this for your own good, or for the good of Dell users at least, to stop some Google / Dell conspiracy. Details.
You can restrict it to a port range... even giving it access to 2048 ports gives you 2^11 randomness, which is still better than 2^0.
The issue I'm facing, which I find terribly frustrating, is in upgrading older distros. I'm now looking at completely reinstalling a bunch of older BSD servers just to get this idiotic vulnerability resolved, because the maintainers aren't backporting the patch and upgrading BIND itself would be a royal pain. Given how DNS servers tend to run unattended for eons, I suspect this near-sightedness is responsible to a large degree for the slow patching. It's not that I don't want to patch my servers, it's that I now have to waste a day at the colo doing physical reinstalls. If it weren't for that hitch, I'd be done already!
-Billco, Fnarg.com
It's a perfect time to start using PowerDNS, djbdns or Unbound/NSD as well. :-)
resolv.conf will be written over by DHCP unless you set PEERDNS=no in the /etc/sysconfig/network-scripts/ifcfg-ethX file.
You don't need to switch to a new ISP if they haven't patched yet - just switch to a new DNS server such as OpenDNS.
Please don't do that.
I don't think OpenDNS is a terribly good idea, and here's why:
They actively screw with the records and return incorrect information. Now you can argue that they do it for "OK" reasons, and indeed, OpenDNS does exactly this in their marketing materials, but the fact remains: they answer some queries with information that is in conflict with the authoritative nameservers.
Personally, I don't trust any DNS provider that does this, and I don't think it's a good idea for anyone to do so.
Use 4.2.2.1 - 4.2.2.6. They're fast, free, don't mess with records (such as altering NXDOMAIN), and are anycast to local servers, so response times are minimal.
The real litigious bastards...
First, it's not a 404. A 404 is a http server response that says I don't have the resource you're requesting.
OpenDNS, however, hijacks the DNS protocol when you attempt to look up the address for a server. And so yes, a DNS response that says that no addresses are found is more useful than a fake address that, if you connect using HTTP, will provide an HTML response with search results on it. Note that this breaks any other use of DNS, where you now connect to the server and get garbage rather than simply being told that the server address doesn't map to an IP address. If I wanted to do a search, I would do a search.
That being said, you can turn off all of the "enhancement" options in OpenDNS, and it works great as a DNS server.
"404 error: File not found" is more useful than the OpenDNS search result page?
Yes, yes it is. Because many, many things depend on getting a proper 404 error, like all those http-download automatic updates for example.
Of course, it's not the 404 error that's missing. It's a name resolution failure. This is also very important. You need to know when a domain has gone missing, and it needs to be available in an automated fashion. The proper, per-specification behavior is to return NXDOMAIN when there is no domain found, not to return a bullshit, erroneous result.
This WOULD be LESS offensive if all internet traffic were HTTP, but it is not. If you make a request to a time server and the FQDN doesn't resolve, you're not supposed to get the address to your ISP's webserver instead. So even if they serve a 404 error with their search content which would satisfy web clients, they'd still be hosing every other application on the internet.
So, are you trolling, or just utterly unqualified to have this conversation?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
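The NXDOMAIN argument in the posts above is easy to check for yourself: ask a resolver for a name that cannot exist and see whether it returns RCODE 3 (NXDOMAIN) or a fabricated address. The following is an added example, not OpenDNS's or any resolver's code, and not from the original posts. It builds and parses the DNS wire format by hand (RFC 1035, A records only), so it needs nothing outside the Python standard library. Assumptions: the probe name is a random label under example.com, which has no such subdomain; the resolver address you pass to probe() is your own; the two replies in demo() are constructed, and 192.0.2.1 is a documentation address standing in for whatever a rewriting resolver would hand back. The transaction-ID check in parse_response is the same check the Kaminsky attack defeats once the source port is predictable, which is why it rejects any reply whose ID does not match.

```python
"""Detect a resolver that answers a name that cannot exist with an address
instead of NXDOMAIN (the behaviour the thread argues about).

Added example, not OpenDNS's or any resolver's code.  DNS messages are built
and parsed by hand (RFC 1035 wire format, A records only) so nothing beyond
the standard library is needed.  Assumptions: the probe name is a random
label under example.com, which has no such subdomain; the resolver passed
to probe() is the reader's own; the replies in demo() are CONSTRUCTED."""
import os
import socket
import struct


def _encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid, qtype=1):
    """Standard query, recursion desired, one question, no EDNS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack(">HH", qtype, 1)


def _skip_name(msg, off):
    """Advance past a (possibly compressed) name; return the next offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:            # compression pointer: 2 bytes
            return off + 2
        off += 1 + length


def parse_response(msg, txid):
    """Return (rcode, [A-record addresses]); raise if the ID does not match."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch: possible spoofed reply")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4       # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, addrs


def judge(rcode, addrs):
    """RCODE 3 with no answer is the honest reply for a nonexistent name;
    RCODE 0 with an address means the resolver rewrote the miss."""
    if rcode == 3 and not addrs:
        return "honest-nxdomain"
    if rcode == 0 and addrs:
        return "rewritten"
    return "other"


def build_response(txid, name, rcode, addrs=()):
    """Construct a reply the way a resolver would (for offline checks)."""
    flags = 0x8180 | rcode                   # QR, RD, RA, then the rcode
    out = struct.pack(">HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    out += _encode_name(name) + struct.pack(">HH", 1, 1)
    for a in addrs:                          # 0xC00C points back at the question name
        out += b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
    return out


def probe(resolver, name=None, timeout=3.0):
    """Live check against one resolver (needs network); returns judge()'s verdict."""
    name = name or os.urandom(8).hex() + ".example.com"   # assumption: cannot exist
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(512)
    return judge(*parse_response(data, txid))


def demo():
    """Offline run over two constructed replies to the same probe name."""
    name = "0123456789abcdef.example.com"
    honest = build_response(0x1234, name, 3)
    rewrite = build_response(0x1234, name, 0, ["192.0.2.1"])
    return (judge(*parse_response(honest, 0x1234)),
            judge(*parse_response(rewrite, 0x1234)))


if __name__ == "__main__":
    print(demo())                            # ('honest-nxdomain', 'rewritten')
```

A single UDP query with no retry is enough for a one-off check; if you run probe() against a resolver that rewrites, the address it returns is exactly what an NTP, SMTP or update client would try to connect to instead of failing cleanly.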
resolv.conf will be written over by DHCP unless you set PEERDNS=no in the /etc/sysconfig/network-scripts/ifcfg-ethX file.
NB: That file is for RH/Fedora-based systems only. Other distros do things differently.
I had been using OpenDNS. I stopped when I realized they were monitoring my traffic. When I go to Google, they were returning their own Google-like page, to which my browser would submit the query, and then redirect me to Google.
I stopped using them after that discovery.
Your claim that OpenDNS is "monitoring your traffic" is misleading.
If you ping www.google.com it pings google.navigation.opendns.com (208.67.219.231). You still get the standard Google homepage and search results when you go to http://www.google.com/ however. The odd DNS resolution for www.google.com is apparently because some software such as the Google Toolbar bypasses DNS requests, which breaks some of OpenDNS's features. (More on this below.) One apparent advantage of OpenDNS doing this is that it helps users avoid Dell affiliate adware, so that affected Dell systems will get actual search results instead of a page full of Dell's affiliate ads.
But guess what? It's trivial to turn this feature off if you don't like it. Just go to https://www.opendns.com/dashboard/settings/ and sign in if necessary. Click on Advanced Settings. Scroll down and uncheck Enable OpenDNS proxy, then click Apply. Wait a few minutes, or try running "ipconfig /flushdns" from the command line if you're using Windows, or restart your computer, and then your settings should take effect. The downside to disabling the proxy is that it will break some of OpenDNS's features.
From an OpenDNS support article:
Also, from the OpenDNS FAQ regarding the workaround for Dell adware:
the JoshMeister on Security