No. fpdns is guessing.
Determining what product is used when the product does not identify itself does not lead to accuracy.
"That pile of rocks must be coal because they look black."
Far from definitive.
Please explain how you managed to fingerprint DNS servers. I don't think many DNS servers have version identification features. BIND does but it's not exactly a standard. ...or maybe even a good idea.
This survey ranks up there with "Most dentists recommend brand X" marketing for me. The accuracy of the sample set is extremely questionable.
I do it now with two shell scripts.
The key is that I use tcpclient from DJBs ucspi-tcp package:
http://cr.yp.to/ucspi-tcp.html
Don't hurt yourself with BIND, either. Parsing that file is going to hurt your brain. I use grep -v to manage my data file for tinydns:
http://cr.yp.to/djbdns.html
Maybe I'll get around to publishing my work. A brief synopsis:
I do a TCP connection to port 80 on my webservers with a 5 second timeout. If the connection fails it pulls all IPs associated with that server out of my DNS. Not only does this determine if the server is up but it also determines if the server needs less load because it can't get to my request in time.
There's a state file for each webserver, i.e. webserver.up or webserver.down. That's easy to look for later to determine if I need to change the DNS tables.
I run the check every 60 seconds. I only have two servers so it's not too tough.
I also check www.yahoo.com and www.google.com availability over each ISP to determine if an ISP is available. I update DNS based on the ISP conditions as well.
I say again, try to avoid BIND if you can, I can't think of a sane way to process your zone files with shell scripting.
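One way to script the check described in this post, as an added example (not the poster's own scripts): it probes port 80 with a 5 second timeout, records a webserver.up or webserver.down state file per server, and rebuilds the tinydns data file with grep -v so a down server's A records are pulled. The hostnames, addresses, file paths and the SERVERS list are constructed placeholders; the probe uses tcpclient from ucspi-tcp when it is installed and falls back to nc -z, which is an assumption of this example and not something the post mentions.

```sh
#!/bin/sh
# Added example, not the poster's scripts: one pass of a DNS-based web server
# failover check. Assumed (not from the post): SERVERS lists "fqdn probe_ip",
# the complete hand-maintained tinydns records live in $MASTER, the generated
# file tinydns serves is $DATA, and state files go in $STATEDIR.
# Run once a minute from cron:  sh failover.sh run

STATEDIR=${STATEDIR:-/var/run/dnsfailover}
MASTER=${MASTER:-/etc/tinydns/root/data.master}   # complete, hand-maintained
DATA=${DATA:-/etc/tinydns/root/data}              # generated, what tinydns reads
TIMEOUT=5
PROBE=${PROBE:-probe_http}
SERVERS='www1.example.com 192.0.2.10
www2.example.com 198.51.100.10'                   # constructed sample list

# probe_http IP: succeed if a TCP connect to IP:80 completes within $TIMEOUT s.
# tcpclient -T is the connect timeout; 'true' runs only once the connect succeeds.
probe_http() {
    if command -v tcpclient >/dev/null 2>&1; then
        tcpclient -q -T "$TIMEOUT" "$1" 80 true >/dev/null 2>&1
    else
        nc -z -w "$TIMEOUT" "$1" 80 >/dev/null 2>&1   # fallback, not from the post
    fi
}

# record_state FQDN up|down: exactly one of FQDN.up / FQDN.down exists afterwards
record_state() {
    rm -f "$STATEDIR/$1.up" "$STATEDIR/$1.down"
    : > "$STATEDIR/$1.$2"
}

# state_of FQDN: prints up, down or unknown
state_of() {
    if [ -e "$STATEDIR/$1.up" ]; then echo up
    elif [ -e "$STATEDIR/$1.down" ]; then echo down
    else echo unknown
    fi
}

# check_server FQDN IP: probe once, record the result, return 0 if up
check_server() {
    if "$PROBE" "$2"; then
        record_state "$1" up
    else
        record_state "$1" down
        return 1
    fi
}

# rebuild_data MASTER OUT: copy MASTER to OUT minus every A record
# (+fqdn:ip:ttl and =fqdn:ip:ttl lines) of each host currently marked down.
# Other record types (MX, NS, ...) pass through untouched.
rebuild_data() {
    args=''
    for f in "$STATEDIR"/*.down; do
        [ -e "$f" ] || continue
        h=$(basename "$f" .down)
        args="$args -e +$h: -e =$h:"
    done
    if [ -n "$args" ]; then
        # shellcheck disable=SC2086
        grep -v -F $args "$1" > "$2" || true     # grep exits 1 if nothing survives
    else
        cp "$1" "$2"
    fi
}

# published_ips FQDN DATAFILE: the addresses DATAFILE currently publishes for FQDN
published_ips() {
    grep -F -e "+$1:" -e "=$1:" "$2" | cut -d: -f2
}

main() {
    mkdir -p "$STATEDIR"
    printf '%s\n' "$SERVERS" | while read -r host ip; do
        [ -n "$host" ] || continue
        check_server "$host" "$ip" || echo "$host down, pulling it from DNS" >&2
    done
    rebuild_data "$MASTER" "$DATA"
    # tinydns serves data.cdb, so recompile it when tinydns-data is available
    if command -v tinydns-data >/dev/null 2>&1; then
        (cd "$(dirname "$DATA")" && tinydns-data)
    fi
}

if [ "${1:-}" = run ]; then main; fi
```

Keeping a complete master file and regenerating the served file is what makes grep -v safe here: a server that comes back gets its records again on the next pass without anything having to remember what was removed. The probe is a bare TCP connect, so a server that accepts connections but answers slowly counts as up; a fetch with a deadline on the HTTP response would catch that case.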
Check out iChain from Novell, it's relatively cheap and very fast. It's a reverse proxy appliance.
It does much more than what you're looking for, but some of the multihoming functionality is incredibly handy.
The per user licensing only matters if you use it to authenticate users.
One problem I have run into with the "DNS way" is that if a home user opens their browser and resolves the name to an IP address it tends to cache that until you close your browser, whatever the TTL.
At the time I only tested with IE but Mozilla may do the same thing. I don't know.
Keep an eye on these: 2002_7 and 2002_3
I have two ISP connections- both look like ethernet to me. One happens to be wireless and the other comes in over a telco circuit, but the handoff is ethernet.
After much searching and testing I built my router using FreeBSD and IPFW. More on that further down.
Each ISP has given me a block of addresses from their CIDR block. I multihome proxy servers and email servers for inbound and outbound connections. They have one interface with multiple IPs bound. Nothing special there. Their default route is my FreeBSD router.
The FreeBSD router has multiple ethernet interfaces. One per ISP and one for my servers. The ISP-facing interfaces have /30 addresses for routing purposes and "my" side has the /25 and /27 blocks they assigned me from their pool.
The default route on the FreeBSD box is one of the providers.
I use IPFW for egress routing. Packets on the OUT side of the interfaces facing the ISPs are checked for source addressing and either allowed through or pushed over to the proper interface. Works like a charm.
interfaces:
em0 aa.bb.dd.128/25 (my side)
em0 xx.yy.zz.192/27 (also my side)
em1 aa.bb.cc.220/30 ISP A
em2 xx.yy.zz.188/30 ISP B
the rules I use:
ipfw -q add 100 fwd xx.yy.zz.189 ip from xx.yy.zz.192/27 to any out xmit em1
ipfw -q add 201 fwd aa.bb.cc.221 ip from aa.bb.dd.128/25 to any out xmit em2
There's also ipfilter in there handling filtering. IPFW only handles the egress routing.
DNS fills the gaps. I return at least two A records for the hosts I publish.
I used Linux for a short time in this router function but got bored with problematic network drivers.
That Radware device and the one by F5 are doing the same thing, but for at least 5 figures. I looked at them and then opted for this cheaper solution. I just bought duplicate router hardware and just keep a cold spare.
...must....submit...plug...
Or rather, how an OpenBSD stateful bridging firewall affects the IE/IIS performance when it's between them.
On the other hand, since many SMTP senders seem to ignore MX priority I'd have to say a similar mechanism for A records would be worthless.
If you have a lower priority MX box out there, compare your logs with the higher priority one and look for machines that actually tried the higher priority one. It's usually kind of funny. I suppose there's a way to fingerprint servers from this behavior.
We're running a system here based on a redhat 6.x distro.
eOn
It's a great system with tons of expansion. Ours is the older DSP model which tends to resemble a CO switch. We can provide just about the same services to our company as a smaller CO. It has two celeron (I think 366's) in a hot failover configuration. Our Windows based CRM app uses a CTI connection for autodialing. Pretty basic stuff.
Here's the announcement:
http://www.sun.com/2002-0812/feature/
Their flash based interactive thingy
http://www.sun.com/servers/entry/lx50/lx50_demo.html
Looks remarkably like:
http://www.intel.com/design/servers/accessories/sr1200/SR1200ProdBrief.pdf
I dig my Neo.
I do lots of long distance driving and with 40 gigs of music/audio books you can't beat it. I use rsync to sync to my master MP3 collection, which keeps me from having to manage it too much.
Sure the menu is a little weird, but why would you want to navigate a menu system while driving?! Build a few playlists on your PC first if you really have something in mind.
The latest firmware isn't buggy at all, it's an easy download from http://www.ssiamerica.com.
As far as indexing the tracks, I have roughly 7800 mp3s and it takes about five minutes...only when I change the filesystem though. Five minutes out of my multi-hour trip won't break my heart.
Oh give me a break. I have one of these things.
1) The unit COMES with the required cable.
2) HD is far preferred. Do you want a limited and/or network dependent box, or do you want a standalone unit? The Disk on Chip is very limiting. Neat idea though.
3) The power consumption and noise issues alone make this a very handy unit. Make sure you get the one with Intel networking though. The alternative is the Realtek 8139C chipset that sucks pretty badly.
It's not a bad box, it's also not an Athlon-based gaming platform. If it fits your needs it's great.
Nope, I tried that. It didn't like talking to the ethernet ports.
It would have been great if it had worked...
I may as well add my name to the list... I'm an MCNE and MCSE who runs a network of roughly 50 servers supporting 400 users internationally. I did the math recently and found 25 or so NT servers, 15 or so Linux boxes and 8 NetWare Boxes. The only servers that everyone in the company connects to are the netware boxes with hundreds of days of uptime. The NT boxes serve special services (anybody else think it's good to need an Exchange server farm to get email?) and usually require twice the resources (hardware and man hours) to keep running. ...and you're right, the new Zenworks is fantastic, as are BorderManager and ICS.
I don't mind working with NT, enjoy the simplicity of Linux and absolutely dig the design, management and reliability of NDS and NetWare. I've been working with NetWare since 2.15c, Linux since 386s were hot stuff and NT since we could afford the hardware to make it run.
Remind me again why it's innovative to require third party apps to undelete files?
Doesn't anyone else think this was planned?
I think it looked like this:
Step 1: Release new code with annoying email broadcasting.
Step 2: Wait for public outrage to reach the right level, search the news sites to make sure it's listed on all of them.
Step 3: Tell the American Consumer (TM) how nice we are and that we care about them so much that we'll fix the problem.
Step 4: Place bigger ads for "new MSN" on primetime TV (while you're in the limelight).
Give me a break! Why does the media continue to fall for this? The companies that provide good services don't get the same airtime because they are careful to not piss off the American Consumer (TM).
In this case it's a double-edged sword, if people hadn't complained we'd get to read about it in our email every time Granny switched services.
Uhm, close.
Every single file does not have an associated NDS object. File level security is separate from NDS level.
No biggie, your point is still valid. When you can store every single printer, workstation, user, server, application, etc. configuration for a global 50,000 employee company in one place, that's pretty cool.
...and you're describing the days before Linux and Windows 95.
Technology has advanced a little since then, and NetWare has too.
I still want to know why Undelete on an NT File server requires third party software.
If you're looking for a simpler migration to a mail server that doesn't need four processors, check out Interchange from Infinite. It will even connect to Exchange for you while your users get used to their new interface. They have a free 30-day trial. I hate preaching, but this package is cool, and will run 500+ users smoothly on your hardware. I'd double the RAM for 1000 users.