Slashdot Mirror


User: kayditty

kayditty's activity in the archive.

Stories: 0
Comments: 659

Comments · 659

  1. Re:(false) NAT security on China To Run Out of IPv4 Addresses In 830 Days · · Score: 0

    A NAT box is two things: an address translation system, and a /router/.

    well, I guess it could be, depending on what the hell "himi (29186)" means by "NAT box," a term he seems to have made up on-the-fly. in reality, NAT itself has absolutely nothing to do with routing, and is usually routing's antipode. I also don't think you understand regular expressions (or at least their utility).

    If you send it a packet addressed to 192.168.1.23 from the public side, and that address is routable as far as the NAT box is concerned, /it will forward it on/. I could sit on the public side of that NAT box and spam it with connection requests on common ports (443? 22? 13[789]?) - ~65000 packets could map out the contents of the NATed network without ever hitting the NAT rules. NAT would have supplied /zero/ security, even through obscurity.

    which is why 99% of routers do bogon filtering at least on rfc 1918 addresses. it is entirely possible for such a thing to happen, but you'd first have to get it through the intermediary routers as well, and then have a "NAT box" which was completely and utterly retarded and disregarded network segmentation. in various scenarios, this would be completely impossible, on the other hand. I've no idea what "13[789]" is supposed to mean; there is the daytime port at 13/tcp, but I don't know what services run on 789/tcp or 13789/tcp. approximately 65536 ports could map out the "contents" of each individual host you're allowed to access in this manner, given a few conditions, and it would only map out the ports for one particular protocol (TCP, in this case). those conditions might be various firewall and routing rules affecting the reverse path. in fact, the nature of such a "NAT box" is usually to translate (as the name suggests) IP address combinations back and forth, which necessitates the "box" itself handling connections. in any normal system, then, requests sent to private IP addresses wouldn't be accepted on the external interface, and in many cases the local network may even be isolated on a different subnet. I don't think you will find any such system that will meet all of the above conditions, let alone the multitude of others I've failed to mention so far. that in itself does not mean that NAT is intended as some sort of security method, because it isn't. however, it does function that way in practice, to a degree. it is not security through obscurity. it is security through expectation, and normally completely founded expectation. as far as NAT traversal goes, there are far more, easier methods for detecting such machines that don't rely on a disparate set of remotely plausible conditions to be present.

    In order to provide security the NAT box has to refuse to forward those packets, unless they meet one of the NAT rules. Oh, look - it's suddenly become a /firewall/.

    not rely. in order to provide such security, it would need to ACCEPT forwarding those packets, which is a subset of forwarding anything in the first place, which is something most NAT devices don't actually do. see above where I informed you that NAT is not routing. why the fuck would a "NAT box" forward packets from an external interface (it might be hard for you to understand that mangling the packet's destination when properly addressed to the external interface and the subsequent forwarding done is different from this, but it is)?

    it's not a router, which means it cares what the destination IP is. it owns your external IP. it is listening on it. it doesn't advertise routes. any packet destined toward a private IP address is discarded, because that IP address is not bound to that interface. it's quite simple, really.

    I didn't read the rest of your post, and I still don't think you understand regular expressions.

  2. Re:Dang... on Comcast Outlines New Broadband Policy · · Score: 0

    I have 6 mbit Comcast business cable and I have hit over 1.0 mbyte/sec sustained on multiple occasions.

    that ratelimiting must not be working very well.

  3. Re:Run a master? on Best DNS Service With API Access? · · Score: 0

    I don't think you got the point at all. I really doubt he meant to set up your own authoritative server, but rather just to implement a limbo master and transfer the zones to someone managing a professional DNS service, affording you control, and not the pesky timeouts that would come with having your unreliable master as the primary authoritative.

  4. Re:You do not have free will... on Slashdot's Disagree Mail · · Score: 0

    and you quite clearly don't understand them.

  5. Re:spell my name in all caps on Slashdot's Disagree Mail · · Score: 0

    Writing things in all capitol letters 1) force you to slow down when reading things

    spelling errors slow me down even more.

  6. Re:Confirm? on State of Kentucky Seizes Control of 141 Domain Names · · Score: 0

    you probably call some guy in pompano beach[1]:

    Domain ID:D1644006-LROR
    Domain Name:KY.ORG
    Created On:23-Jul-1998 04:00:00 UTC
    Last Updated On:20-Aug-2008 11:13:05 UTC
    Expiration Date:22-Jul-2011 04:00:00 UTC
    Sponsoring Registrar:Moniker Online Services Inc. (R145-LROR)
    Status:CLIENT DELETE PROHIBITED
    Status:CLIENT TRANSFER PROHIBITED
    Status:CLIENT UPDATE PROHIBITED
    Registrant ID:MONIKER1293403
    Registrant Name:Moniker Privacy Services
    Registrant Organization:Moniker Privacy Services
    Registrant Street1:20 SW 27th Ave.
    Registrant Street2:Suite 201
    Registrant Street3:
    Registrant City:Pompano Beach
    Registrant State/Province:FL
    Registrant Postal Code:33069
    Registrant Country:US
    Registrant Phone:+1.9549848445

    ky.gov, on the other hand...

    1. ok, well, technically, you try to social engineer his private registration service into giving out his real information. he may not live in pompano after all!!

  7. WildTangent? on What's the Best Video Game Download Service? · · Score: 0

    I didn't read the article; I barely read the summary, then skimmed the comments. Normally, I wouldn't comment on a post like this. But something caught my eye: isn't WildTangent the notorious malware company? Wikipedia seems to agree with me. I remember when I still used the official AOL AIM client 5+ years ago and they started bundling WildTangent spyware. I won't forget that name, and I won't ever use an AOL product again (not that I really intended to).

  8. Re:I don't see how the pull model helps on Postfix's Creator Outlines Spam Solution · · Score: 0

    I also forgot to mention that a lot of people seem to interpret the pull system as a POP-level thing. In that case, this wouldn't work at all without additional headers and MUA software.

  9. Re:Greylisting on Postfix's Creator Outlines Spam Solution · · Score: 0

    Uh, if you use a 4xx reject code, you aren't bouncing anything.

  10. Re:I don't see how the pull model helps on Postfix's Creator Outlines Spam Solution · · Score: 0

    That doesn't necessarily work if you rely on a cookie inserted by the sender, unless SMTP is changed. I assume that would go in the DATA section under such a system. But the envelope exchange happens before that. The envelope originating address would have to be saved and sent to a checking function after parsing the message, which would be tedious and limiting for infrastructural purposes. You can't reject the notification outright, but you might be able to prevent pulling the real message, though that would inhibit your ability to do processing or forwarding to other processes.

    Another hard sell on the pull method, though I think it mostly makes sense myself, is that it would be quite difficult to implement restrictions on message size and all sorts of other things when you don't control the session. So, yet again, SMTP would have to be wildly extended for that purpose, and that's something that obviously isn't going to happen. Of course, the whole pull system in general is a new idea which would require an unprecedented amount of cooperation to come into existence.

  11. Re:The real problem on Postfix's Creator Outlines Spam Solution · · Score: 0

    I always operate off of the rule that my mail servers will comply with the RFC requirements to the letter while sending messages. While accepting messages I have to be a bit more lenient though because the other administrators on the net aren't quite as attentive (or even competent)...

    Be liberal in what you accept, and conservative in what you send.

    It's quite true what you say. RFCs weren't meant as law books, because the internet isn't a closed system. Strict regulations on MTA behavior and DNS configuration are completely unenforceable, but if many people can standardize on one particular protocol and follow it to its letter, then that's about one of the only ways things can work. False positives are simply a consequence that some are willing to take; that's a philosophical standpoint, and it's more one that affects them than you, unless you work for a company which relies heavily upon sending e-mail. I don't, and I don't rely heavily on receiving it either, so I check HELO, FQDN, reverse records, et al here at home, but I don't think I'd do that if I were running a critical mail system.

  12. Re:So the guy who goofed, is he BLACK? on How Asus Recovery Disks Ended Up Carrying Software Cracks · · Score: -1, Troll

    Why would it have to be an idiot?

  13. Worst Slashdot Story Ever? on Google Goofs On Firefox's Anti-Phishing List · · Score: 0

    The summary is terrible. It doesn't provide any information whatsoever, and makes a lot of claims that I'm apparently to take at face value. There's not even an article. Okay, that's not exactly new for Slashdot posts. Whatever. It took me several re-reads to figure out what the hell they were even talking about -- what the fuck does Slashdot have to do with Google? After sifting through the comments, I'm _guessing_ it has something to do with the new anti-phishing protections in Firefox 3 (and maybe they exist in Firefox 2 as well; I can't be bothered to check). But where the fuck does Google come in? No one even bothers to tell you, and apparently it's expected to be common knowledge (no one else has even asked).

    I have seen those stupid Google warning pages that I get when I try to visit a page it has "blocked" for "my safety," which is completely and utterly fucking ridiculous. If I didn't want to click on a god damn motherfucking page, I wouldn't click on it. That's one of the reasons I'm about to stop using Google. I don't need a fucking search engine to hold my hand. That's also the reason I've turned off anti-phishing in Firefox whenever I've seen the option, because I'm not a complete fucking idiot. So I'm going to make a WILD conclusion that Google is sharing this list with Firefox. One post suggested that a hash of an IP address and/or hostname was sent to Google to check against their list. If that's the case, then that's even more ridiculous than I had ever suspected.

    Both Firefox and Google can fuck off. They're both shit by now anyway.

  14. Re:Just what every American high-school student ne on America's Army As a High School Education Platform? · · Score: 0

    what they need? isn't that what they already have?

  15. Re:US Army Chief of Staff To Develop "Thought" on US Army To Develop "Thought Helmets" · · Score: 0

    what do farmers have to do with bit torrent?

  16. Re:How many murderers you got? on EFF, Public Knowledge Sue Over Secret IP Pact · · Score: 0

    That's the issue, though. On the one hand, you have a direct democracy, and, on the other, you have some arbitrary line that some random person decides to draw when making decisions which affect us all. Is 0.01%, 0.1%, 1%, or 10% of the population required to use marijuana before it's realized that perhaps this substance shouldn't be illegal? Does 5%, 10%, 20%, 30%, or 40% of the population have to regularly break "speed limits" before it's realized that perhaps these laws should be changed or expunged?
    Is it 11, 13, 14, 17 years of age before a person should be able to make a decision to engage themselves in uh.. carnal acts?

    The thing about that is: it doesn't make sense. We've elected representatives to make decisions which affect us. These decisions are tempered by the decisions of other such people, some of whom were not necessarily elected by us (appointees?). The answer should be obvious: start fresh -- stop making laws and allow a system to thrive in which ALL people are free to exist under conditions unrepressive to them and in which they are able to express themselves. That is the only way to encompass the views of the various people, and to ensure that one group's ideas of how people should exist don't dictate how everyone has to exist. This kind of society would probably be categorized, contemporarily, as libertarian. There don't seem to exist many such systems today. The one in which we live (in the United States) is a lot more socialistic, fascistic. Not only is that the failing of the representatives, but it is largely the failing of the people. Many or most of our populace is seduced by the idea of having others conform, even if it doesn't immediately seem that way to them. "I think it is a good idea that everyone should believe in god" is supposed to be somehow different from the so-called "liberal" viewpoint of "I think it is a good idea that everyone should take care of everyone else and everyone should be equal."

    Either one of those may or may not be a good sentiment, but their premises are not accepted by all. It just happens that a lot of people think these things (and, coincidentally, the two don't seem to overlap that frequently). For that very reason, people tolerate fascism, although the so-called "conservatives" might prefer a more authoritarian brand. If I have these ideas about people and they restrict the freedoms of that small minority of people who do things differently than I, then why the hell would I care? So far as I can discern, _I_ am free. Thus it may boil down to an educational problem. I don't mean that any public school should indoctrinate anyone. I don't even know if public schools should exist. But it's quite evident that the average person has some pretty fucked up ideas about the world, and I have no idea what the solution to that is, if there is one.

    The ONLY way to have a fair system is to allow for all sorts of ideas to thrive freely. And the religious might be happy that Bush, McCain, or Obama are the people making decisions for them (okay, technically, the president does very little in the way of legislation, but they're uh symbols for the state of our political understanding and human condition [and another thing I might note is that it's striking how few people actually really do understand the insignificance of the presidential position {which results in a lot of ridiculous dogma /and perhaps the very expectation that the system should take care of us, since these people aren't even supposed to be making half of the decisions we want them to @and I've never had to go this deep parenthetically before@/}]). But, of course, it is possible that one day they will be quite uncontent with the decision they have made (more passively accepted than made, perhaps). One day soon we might elect some crazy leftist worse than Obama--perhaps as an atheist!! Imagine how the religious right are going to feel then. Before they didn't give a shit, because it didn't matter. It is entirely possible to make them realize the error of their ways.

  17. Re:Disconcerting. on Graduate Student Defends Right To Own Chicago2016.com · · Score: 0

    a whole company???

  18. Re:I'm all for it on National Car Tracking System Proposed For US · · Score: 0

    Give me one and I'll do it.

  19. Re:Voltron! on China To Snap 4 Space Ships Into a Station · · Score: 0

    No one in space would hear you.

  20. Re:Yes! It should totally be a power of two. on Intel Unveils 6-Core Xeon 7400 · · Score: 0

    Six isn't a power of two? Maybe you meant perfect power.

    log2 (6) = 2.5849624

  21. Re:I have no idea what they're talking about on Why Is the Internet So Infuriatingly Slow? · · Score: 0

    In Firefox, the DNS look-up status notice is called "Looking up...". The thing immediately preceding "Waiting for" is not that, but it is "Connecting to ..." which is an attempt to establish a TCP connection. Thus your problem may lie there more so than in DNS. At any rate, DNS is a fundamentally slow protocol, but it should not be that slow. The fact that you are in Germany may mean that you are likely to load a wide array of sites under different ccTLDs. There have been studies showing that some ccTLDs are really bad offenders at DNS organization; that is: some ccTLD authorities may refer you back and forth to various other nameservers. In one case, if I recall correctly, there was some Japanese domain name for which it took some four hundred queries to resolve. That may or may not be the case with you. Most likely it is not. What is probably happening here is that your local DNS settings, and any forwarders to which the nameservers you're using refer, may be experiencing a permanent or temporary downtime. It isn't uncommon in the DNS for one server to go down and for people to scarcely notice since the back-ups kick in and things start working immediately, albeit slowly (might it be nice if there were some sort of metric system for DNS? though I would prefer for the security issues to be "resolved" [ahahah] first).

    The other more likely thing is that you're experiencing just a general connectivity problem. If you are connected through some sort of wireless service, this is quite common. But you may be experiencing packet loss for a multitude of reasons; it is hard to say. The fact that you seem to have trouble merely connecting to hosts once they're resolved (as much as I can deduce from your post, at least) would indicate this, and it is quite common for such things to happen. DNS becomes monstrously slow in such instances, because it largely relies upon the connection-less UDP. Perhaps you should look into that side of things more closely.

  22. Re:It's her day so... on Any Suggestions For a Meaningful Geeky Wedding Band? · · Score: -1, Flamebait

    no one gives a shit, you dumb bitch.

  23. Re:"Millionth of a meter" on Mars Lander Snaps the Most Detailed Pics Yet · · Score: 1

    You actually said micron isn't an SI unit, which I doubt would be true in any circumstance.

  24. Re:Here are some things to test on Where Has All My Spam Gone? · · Score: 1

    Since he runs his own mail-server, he can actually USE another IP address to send mail to his MX, but it is not possible to "forge an IP address" over TCP, or, at least, it is very statistically impossible.

  25. password resets aren't the problem on Password Resets Worse Than Reusing Old password · · Score: 1, Informative

    What a stupid summary. There's absolutely nothing wrong with password resetting. The problem is password security questions or password "hints" or whatever they're called. Whenever I encounter those, I pound on my keyboard until the text field's maximum length is reached, hoping that's sufficiently random and long enough to thwart any brute force or crib-based attacks. It's so bad sometimes that not only do sites require you to enter this information, but they also have ridiculously asinine limits on maximum password length and question/answer length. It doesn't matter whether you choose a strong password, if that can be broken by something as insanely weak as an honest answer to one of the 'security questions' that you're provided with on most sites (though some sites let you specify a custom question). Whoever thought up that one was not the brightest crayon in the box, and has no business doing anything with security applications. They may have had the best of intentions, but took a lot of the ideas they've heard from the security field and applied them poorly, which is why you only let EXPERTS design security applications. This is a lot of theater and nothing more, and poor implementation is the classic amateur mistake.

    These are the same people who put plain-text passwords in a database or text file and let you "retrieve" your password which they've conveniently stored, unaltered. Sometimes, if they want to feel really clever about themselves, they might upgrade to un-salted MD5. Yay. There needs to be an industry standard system for web applications, or whatever else, designed by someone who knows what they're doing. Don't roll your own security suite. You're most likely not smart enough, even if you think you are. I use Solar Designer's phpass for cryptographic hashing in my web applications, and he has several other good pieces of software that are relevant to the topic.

    The process I use for password resets goes like this (starting from the very beginning):

    1. user goes to the registration page for my website
    2. the user is given guidelines on password strength, but these aren't enforced, because it's their own ass if their account gets compromised (though, if there were any risk to said compromise, then I would impose strengthening measures)
    3. the user provides an e-mail address which must be legitimate (I'm not too keen on this myself, since it's none of my business what anyone's e-mail is, and sites requiring e-mail for registration are annoying, but, if you want any semblance of security, this is probably the way to go)
    4. in the back end, the user's plain-text password is converted to salted MD5 or bcrypt (bcrypt for Linux; bcrypt is native to OpenBSD and Openwall Linux) through UNIX crypt()
    5. the account is not activated until the user visits a link sent to their inbox, based on a cryptographically secure random confirmation ID (20 bits SHA1)
    6. the user forgets his password
    7. the user visits the password reset page on my website, inputs their e-mail, and clicks reset
    8. a confirmation e-mail is sent to the address on file, complete with a link to a web page on my site with a secure cryptographically generated ID as a GET variable (20 bits SHA1); no password is generated until the link is clicked (or typed in, which I would prefer to clicking, and I don't render e-mail in HTML anyway)
    9. once the link is visited, an alternate password is created using a secure, properly designed and developed cryptographically strong password generation library
    10. upon logging in with the new, cryptographically strong password, the old password is deactivated and can no longer be used for logging in

    That system is not infallible, but it doesn't require weakening the concept of a password-based system (when such a system is already, inherently, an absurdly flawed and very primitive idea).