Re: DNS can be a subdomain

2018-06-27 Thread Grant Taylor via bind-users
I think we may be talking past each other. I was referring to (client) machine 
trust accounts inside of AD, not hostnames in DNS.

I now think you are referring to the latter. I can see how that can work.



-- 
Grant. . . .
unix || die

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Domain name based multihome routing?

2018-06-27 Thread Grant Taylor via bind-users
On Jun 27, 2018, at 12:27 PM, Darcy Kevin (FCA)  
wrote:
> I’m not convinced DNS has any valuable role to play here.

I can see the value for services that have FQDNs that resolve to IP addresses 
outside of their ASN(s) like Google / YouTube.



-- 
Grant. . . .
unix || die



Re: Domain name based multihome routing?

2018-06-27 Thread Grant Taylor via bind-users
On Jun 27, 2018, at 11:59 AM, Dale Mahalko  wrote:
> Guessing the potential background domains used by Microsoft / Steam, etc and 
> monitoring bandwidth used by those domains is unfortunately the only option 
> available.

If you can get information on the IP addresses associated with their ASN(s) you 
could route them out the DSL connection.

This might not work well for Google / YouTube or any other service that uses 
IPs outside of their ASNs.



-- 
Grant. . . .
unix || die



RE: Stopping name server abuse

2018-06-27 Thread Darcy Kevin (FCA)
IANAL, but even if one considers this scenario to constitute a DDoS attack, and 
there is plenty of case law supporting prosecution under CFAA (Computer Fraud 
and Abuse Act) for DDoS attacks, CFAA generally requires *intent*, and this 
appears to be simple negligence.

"Trespass to chattel" might be another possibility, but only as a civil (not 
criminal) complaint. And one would have to prove damages, which might be 
difficult to assess, or simply _de_minimis_.


- Kevin

-Original Message-
From: bind-users  On Behalf Of Barry Margolin
Sent: Tuesday, June 26, 2018 10:42 AM
To: comp-protocols-dns-b...@isc.org
Subject: Re: Stopping name server abuse

In article ,
 Paul Kosinski  wrote:

> Somebody who has irresponsibly (and apparently wantonly, given his 
> refusal to fix it) delegated his domain(s) to your DNS server is 
> essentially causing a (modest bandwidth) distributed denial of service 
> attack on your server. I don't think that the "responsible" thing to 
> do is to sit there and suffer from a significantly increased load.

Good luck getting him prosecuted under any kind of computer abuse law. 
That would be like calling the cops on a sibling who is poking you, claiming 
that it's assault.

> What should be done is to get the domain(s) revoked if the owner 
> continues to refuse to remedy the problem: it is *he*, not you, who is 
> being irresponsible. And if the queries are coming via an innocent 
> ISP's resolver, then they are inadvertently assisting in the attack, 
> and should be contacted and asked to help in the remediation. (Note 
> that *their* resources, as well as yours, are being wasted.)

I doubt any ISPs will do anything about it. It's probably negligible relative 
to their total DNS volume, and would be more trouble than it's worth to add 
filters to block it.

The domain registrar is the place to go, I expect most of them have standard 
procedures for exactly this problem.

--
Barry Margolin
Arlington, MA


RE: DNS can be a subdomain

2018-06-27 Thread Darcy Kevin (FCA)
Domain Controllers certainly need to have their hostnames registered in the AD 
domain, but regular domain-joined members do *not*. We've been running AD for 
decades, without registering members in the AD domain. Works fine. Instead, we 
get our (non-Microsoft) DHCP servers to register dynamic clients automatically 
in a vendor-agnostic zone hosted on BIND (actually, Infoblox running modified 
BIND under the covers), and servers, whether Windows or not, get manually 
registered in various vendor-agnostic zones. The only hostnames in our AD 
domain are the Domain Controllers, and those hostnames are redundant with what 
exists in the vendor-agnostic zones. The reverse records point back to the 
vendor-agnostic-zone names.

Microsoft calls this architecture a "disjoint namespace", which is slightly 
derogatory. According to 
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/disjoint-namespace,
 disjoint namespaces are "more complex" (which is rich, coming from Microsoft, 
inventor of aging, scavenging and "tombstone records" for their DNS) and cites 
various caveats and disadvantages. But it's fully supported. I just had a word 
with one of our AD experts, and he reminded me that, with a disjoint namespace, 
you need to take some care to define the "disjointed" namespaces as being 
authorized for SPN generation (we did that a long time ago, and I had forgotten 
that step). But that's one of the few "gotchas" associated with disjoint 
namespaces.


- Kevin

-Original Message-
From: bind-users  On Behalf Of Grant Taylor 
via bind-users
Sent: Wednesday, June 27, 2018 12:35 AM
To: bind-users@lists.isc.org
Subject: Re: DNS can be a subdomain

On 06/26/2018 10:21 PM, Mark Andrews wrote:
> And if you are not using AD you can use SIG(0) and KEY records to 
> allow hosts to authenticate updates to the DNS for their own records.

I'm not quite following.  Do you mean that you can allow hosts to update their 
own RRs without requiring AD and using SIG(0) as an alternative?

Or are you saying forego AD (and Kerberos) and use SIG(0) instead?

#confused

> Instead of registering a host with AD you add a KEY record into the 
> DNS which has the public key of the host which is to be used to sign 
> the UPDATE requests.

If you're using AD for (presumably) Windows networking (and all that 
entails) you very likely want the workstations to be registered with AD. 
The machine trust accounts are pertinent to AD's operation and the 
workstation's ability to access AD resources when users aren't logged in.

#stillConfused

> Unfortunately OS developers have been asleep at the wheel by not 
> adding support for this to their products.

I'm seeing more and more references to SIG(0) in the last couple of weeks.  I 
think I need to refresh myself on it.



-- 
Grant. . . .
unix || die



Re: Domain name based multihome routing?

2018-06-27 Thread Paul Kosinski
We do something somewhat similar with our LAN. We have a new cable
connection and an old DSL connection. The cable is 60x faster, but has
a dynamic IP and blocks various ports (esp. 25), so we keep the DSL so
we can send email directly etc.

Obviously, we don't want to stream video or even do much Web browsing
over the DSL. So we have set up a Linux computer to serve as a gateway
and firewall: it runs IPtables, Privoxy, HAVP (virus filter for HTTP),
ClamAV and even Bind (a 3rd DNS server for our small domains).

This works fairly straightforwardly because the decision as to whether to
use cable or DSL is made according to the *source* IP address, rather
than the destination IP address (or domain name, or port). Since
many browsers (we use Firefox) and other Internet software have the
ability to specify a proxy for Internet access, we usually connect them
to a proxy server on the gateway which in turn binds to an alias IP on
either the NIC connected to the DSL modem or the cable modem.

Then we have 2 routing tables, the default one for the (original) DSL
and a second one for cable. Each routing table has its own default
route, and each is 'via' the corresponding modem.  To decide which way
packets go, we make use of a 'rule' table (iproute2) which says which
routing table to use. It has entries generated by iproute2 functions
such as:

  /sbin/ip rule add from lookup cable
  /sbin/ip rule add to lookup cable
  /sbin/ip rule add iif  br2   lookup cable

This last rule says that *everything* from (sub) LAN 2 goes via cable.
This allows whole sets of devices (such as our computer dedicated to TV)
to be connected strictly to cable.

Note that even though you bind to an alias IP on the NIC physically
connected to a specific modem, if that modem isn't the overall default
route, you still need a 'rule' to make the kernel do the right thing.

In summary, this scheme does not give you totally automatic control of
what kind of traffic goes by what physical link, but it does allow
different browser instances on a single computer to use different
physical links via proxying, plus it easily allows different devices on
the LAN to be handled differently (since they each have their own IP
address).

--

On Wed, 27 Jun 2018 13:17:41 -0500
Dale Mahalko  wrote:

> On Wed, Jun 27, 2018 at 12:27 PM, Darcy Kevin (FCA) <
> kevin.da...@fcagroup.com> wrote:
> 
> > I’m not convinced DNS has any valuable role to play here. Seems
> > like this is a traffic-shaping challenge; maybe one of the open
> > source traffic shaping tools would fit the bill.
> >
> 
> A Google search for multihome traffic shaping yields nothing obvious.
> 
> Do you have specific details you can share about exactly how that
> would be done?
> 
> Also how is traffic shaping going to tell the difference between a
> background Apple iOS update or Windows update that need to use the
> DSL, and the high priority data streams that are more important to
> me, that need to use the cellular modem?
> 
> 
> Shaping is not routing, it just prioritizes some data streams over
> others. I don't see how shaping is going to know whether to use the
> DSL or the Cellular ... without inspecting the domain name before a
> connection is established which is what I'm already discussing
> here...
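The two-table policy routing setup Paul describes above, written out as an added example; this is not code from the thread. The interface names, gateway addresses, alias IP, destination prefix and the `cable` table name are all constructed placeholders (RFC 5737 documentation ranges), and the table is assumed to be registered in `/etc/iproute2/rt_tables` as `100 cable`. The functions print the commands as a reviewable plan rather than running them, so nothing here needs root until the output is piped into a shell.

```shell
#!/bin/sh
# Added example: source-, destination- and ingress-based selection between a
# DSL uplink (system default) and a cable uplink using iproute2 rules.
# All names and addresses are constructed placeholders.

DSL_IF=eth1;   DSL_GW=192.0.2.1
CABLE_IF=eth2; CABLE_GW=198.51.100.1
CABLE_ALIAS=198.51.100.11       # alias IP on $CABLE_IF that cable-bound proxies bind to
CABLE_ONLY_DST=203.0.113.0/24   # a destination prefix that must always leave via cable
TV_LAN_IF=br2                   # bridge for the sub-LAN whose hosts are cable-only
CABLE_TABLE=cable               # assumed registered as "100 cable" in rt_tables
PROBE_DST=8.8.8.8               # any Internet address works for the route checks

# Emit the configuration as a plan; apply with `policy_routing_plan | sudo sh`
# once it reads correctly.
policy_routing_plan() {
    # Register the second table name once (idempotent).
    echo "grep -q '^100 $CABLE_TABLE\$' /etc/iproute2/rt_tables || echo '100 $CABLE_TABLE' >> /etc/iproute2/rt_tables"
    # Main table keeps DSL as the overall default route.
    echo "ip route replace default via $DSL_GW dev $DSL_IF"
    # The cable table gets its own default route via the cable modem.
    echo "ip route replace default via $CABLE_GW dev $CABLE_IF table $CABLE_TABLE"
    # Source-based selection: a proxy bound to the cable alias IP is looked up
    # in the cable table even though the main default is DSL.
    echo "ip rule add from $CABLE_ALIAS lookup $CABLE_TABLE"
    # Destination-based selection for one prefix.
    echo "ip rule add to $CABLE_ONLY_DST lookup $CABLE_TABLE"
    # Whole sub-LAN: every packet arriving on br2 goes out via cable.
    echo "ip rule add iif $TV_LAN_IF lookup $CABLE_TABLE"
    # With two uplinks, strict reverse-path filtering (rp_filter=1) drops
    # replies that arrive on the "wrong" interface; loose mode (2) keeps the
    # anti-spoofing check without breaking multihoming.
    echo "sysctl -w net.ipv4.conf.$DSL_IF.rp_filter=2"
    echo "sysctl -w net.ipv4.conf.$CABLE_IF.rp_filter=2"
}

# Read-only commands that show which table the kernel actually picks.
policy_routing_checks() {
    echo "ip rule show"
    echo "ip route show table $CABLE_TABLE"
    # `ip route get` evaluates the rules for a given source / ingress interface.
    echo "ip route get $PROBE_DST from $CABLE_ALIAS"
    echo "ip route get $PROBE_DST from 10.2.0.20 iif $TV_LAN_IF"
}

# The plan line for one rule selector, e.g. rule_for "from 198.51.100.11".
rule_for() {
    echo "ip rule add $1 lookup $CABLE_TABLE"
}
```

Rules added without an explicit priority are placed ahead of the main-table lookup (priority 32766), which is why a `from`, `to` or `iif` match wins over the DSL default route; `ip route get` is the quickest way to confirm that a given source or ingress interface really lands in the cable table before any traffic depends on it.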


RE: Domain name based multihome routing?

2018-06-27 Thread Darcy Kevin (FCA)
Traffic shaping is not my area of expertise, but from what I understand, at a 
minimum it can classify different kinds of traffic, based on more reliable 
metrics than DNS name. I was assuming (perhaps incorrectly), that its output 
(QoS markings or CoS or whatever) could then be used in a degenerate mode to 
force certain types of traffic over particular WAN connections, by manipulating 
costs, thresholds, etc.

In a quick scan, I found this article 
https://turbofuture.com/computers/How-to-Configure-Deep-Packet-Inspection-Using-pfSense
 (URL is misleading; the vast majority of the article isn’t about DPI at all). 
This shows a pfSense “wizard” that generates different profiles depending on 
your particular combination of single/multiple WANs and/or LANs. What I take 
from the guide is that the traffic shaping can know about your WAN setup and 
can be tweaked to push the traffic the way you want it to, over different WAN 
links.

I might be completely off-base on this, but it seems like a more fruitful line 
of research/inquiry than determining traffic profiles based on DNS names, and 
then hacking BIND to manipulate your routing table on-the-fly. That seems to me 
fraught with challenges, risks and limitations.



- Kevin


From: Dale Mahalko 
Sent: Wednesday, June 27, 2018 2:18 PM
To: Darcy Kevin (FCA) 
Cc: bind-users@lists.isc.org
Subject: Re: Domain name based multihome routing?

On Wed, Jun 27, 2018 at 12:27 PM, Darcy Kevin (FCA) 
<kevin.da...@fcagroup.com> wrote:
I’m not convinced DNS has any valuable role to play here. Seems like this is a 
traffic-shaping challenge; maybe one of the open source traffic shaping tools 
would fit the bill.

A Google search for multihome traffic shaping yields nothing obvious.

Do you have specific details you can share about exactly how that would be done?

Also how is traffic shaping going to tell the difference between a background 
Apple iOS update or Windows update that need to use the DSL, and the high 
priority data streams that are more important to me, that need to use the 
cellular modem?


Shaping is not routing, it just prioritizes some data streams over others. I 
don't see how shaping is going to know whether to use the DSL or the Cellular 
... without inspecting the domain name before a connection is established 
which is what I'm already discussing here...



Re: Domain name based multihome routing?

2018-06-27 Thread Dale Mahalko
On Wed, Jun 27, 2018 at 12:27 PM, Darcy Kevin (FCA) <
kevin.da...@fcagroup.com> wrote:

> I’m not convinced DNS has any valuable role to play here. Seems like this
> is a traffic-shaping challenge; maybe one of the open source traffic
> shaping tools would fit the bill.
>

A Google search for multihome traffic shaping yields nothing obvious.

Do you have specific details you can share about exactly how that would be
done?

Also how is traffic shaping going to tell the difference between a
background Apple iOS update or Windows update that need to use the DSL, and
the high priority data streams that are more important to me, that need to
use the cellular modem?


Shaping is not routing, it just prioritizes some data streams over others.
I don't see how shaping is going to know whether to use the DSL or the
Cellular ... without inspecting the domain name before a connection is
established which is what I'm already discussing here...


Re: Domain name based multihome routing?

2018-06-27 Thread Dale Mahalko
Due to the fact that I don't have the ability to program this experiment
myself without spending a couple more years to improve my coding skills,
could I interest anyone else here to do the programming work?

I would prefer someone who is associated with ISC who sounds like they
already know the code, like Mark Andrews.

I would pay for your time on this, and the results would be free open
source for anyone else to use, and could be included as an extension of
the standard code if the maintainers would allow it.

Though if you want more than about US$500 for your efforts, then I will
probably have to try to get others involved on a crowdfunding website to
cover the costs.

Dale Mahalko, Gilman, WI



Living on a rural 35-cow organic dairy farm, ten miles from the nearest
town, on a slow CenturyLink 1.5 meg DSL and no way to upgrade.

The CenturyLink remote terminal near us has been "in exhaust" for the last
15 years, and they are unwilling to install the necessary 10 mile / 16 km
fiber backhaul to their DSLAM cabinet, even though we are in an area that
qualifies for Connect America Fund - Phase II (CAF-II) funding assistance
from the federal government to get the fiber installed.

CenturyLink has discretion to "divert" the CAF-II funds to other things if
they want and it appears that has happened, so we will remain trapped with
this poor level of landline service unless I go to extremes to try to find
something better.

I get about 2-3 bars on the iPhone, so I am preparing to spend about $600
on a MOFI 4500 cell modem and some huge outdoor dual-MIMO yagi WirEng
cellular modem antennas to go on the roof of the house to boost the signal.

(Satellite is unacceptable. I require low latency for remote desktop, work
from home, gaming, etc.)


RE: Domain name based multihome routing?

2018-06-27 Thread Darcy Kevin (FCA)
I’m not convinced DNS has any valuable role to play here. Seems like this is a 
traffic-shaping challenge; maybe one of the open source traffic shaping tools 
would fit the bill.



- Kevin


From: bind-users  On Behalf Of Dale Mahalko
Sent: Wednesday, June 27, 2018 1:00 PM
To: bind-users@lists.isc.org
Subject: Re: Domain name based multihome routing?

There is no way to know if this is the "right" or "wrong" approach without 
actually trying it and seeing what happens.

Guessing the potential background domains used by Microsoft / Steam, etc and 
monitoring bandwidth used by those domains is unfortunately the only option 
available. It's not like any of these companies are willing to outright divulge 
anything about these background details to anyone outside their business.

As far as load on the router goes for keeping track of possibly tens of 
thousands of custom routes, I am fine with dedicating a fast Intel i5 or i7 and 
a couple gigabytes of memory to the job. Most routers are tiny little things 
with very little CPU needed for normal routing, with the heavy lifting only 
happening if encryption is needed for a bunch of VPN connections.

On Wed, Jun 27, 2018 at 9:16 AM, Matus UHLAR - fantomas 
<uh...@fantomas.sk> wrote:
On Tue, Jun 26, 2018 at 12:45 PM, Grant Taylor via bind-users <
bind-users@lists.isc.org> wrote:
Are you saying that you want to dynamically update routes to IPs resolved
in real time to specific host / domain names?  Such that traffic to
specific hosts / domain names is routed over DSL?  With things that don't
match conditions routed over cell?

I think I understand what you want to do and why you want to do it.

It seems like you're using named as the source of information to feed into
the process that dynamically updates routing.

I find the pausing of named to be questionable.  But I understand that you
want to make sure that no connections are started until after the
(re)routing has been done.

On 26.06.18 14:07, Dale Mahalko wrote:
(I am no programming expert as mentioned, but I do IT stuff for a living,
so..)

The pause would only be long enough to look for a regex domain pattern to
be routed to the DSL, and then creating the route. This pause can likely be
measured in nanoseconds.

I don't think this could be done in nanoseconds. Maybe microseconds, but
more probably milliseconds.

Another question would be, how fast your router can be with potentially
thousands of routes (I know, many OSes have routing optimised very heavily).
This would likely be a multithreaded asynchronous mechanism so that BIND
does each of its lookups as usual, and then forks a followup thread after
it completes its normal lookup process, to do the pattern match and route
creation, followed by the delayed response released when the
pattern-match/route-creation thread terminates.

So in general using multithreading, there would be no real impact to
programs requesting the lookups, other than a delay per lookup that is so
small it would not be noticeable to an end-user human.

I think that you are trying the wrong approach, using the wrong tools.
Guessing the potential usage from DNS is not a good idea.

On your router, configure the firewall to route selected protocols (gaming, ssh,
RDP, dns) and maybe later some sites to paid cellular, and route everything
else to DSL.

Note that at my home, most of the data is spent by my children watching YouTube
videos - I don't think that routing general web and streaming services to the
cell connection would help you with anything.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; 
http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !



Re: Domain name based multihome routing?

2018-06-27 Thread Dale Mahalko
There is no way to know if this is the "right" or "wrong" approach without
actually trying it and seeing what happens.

Guessing the potential background domains used by Microsoft / Steam, etc
and monitoring bandwidth used by those domains is unfortunately the only
option available. It's not like any of these companies are willing to
outright divulge anything about these background details to anyone outside
their business.

As far as load on the router goes for keeping track of possibly tens of
thousands of custom routes, I am fine with dedicating a fast Intel i5 or i7
and a couple gigabytes of memory to the job. Most routers are tiny little
things with very little CPU needed for normal routing, with the heavy
lifting only happening if encryption is needed for a bunch of VPN
connections.

On Wed, Jun 27, 2018 at 9:16 AM, Matus UHLAR - fantomas 
wrote:

> On Tue, Jun 26, 2018 at 12:45 PM, Grant Taylor via bind-users <
>> bind-users@lists.isc.org> wrote:
>>
>>> Are you saying that you want to dynamically update routes to IPs resolved
>>> in real time to specific host / domain names?  Such that traffic to
>>> specific hosts / domain names is routed over DSL?  With things that don't
>>> match conditions routed over cell?
>>>
>>
> I think I understand what you want to do and why you want to do it.
>>
>
> It seems like you're using named as the source of information to feed into
>>> the process that dynamically updates routing.
>>>
>>> I find the pausing of named to be questionable.  But I understand that
>>> you
>>> want to make sure that no connections are started until after the
>>> (re)routing has been done.
>>>
>>
> On 26.06.18 14:07, Dale Mahalko wrote:
>
>> (I am no programming expert as mentioned, but I do IT stuff for a living,
>> so..)
>>
>> The pause would only be long enough to look for a regex domain pattern to
>> be routed to the DSL, and then creating the route. This pause can likely
>> be
>> measured in nanoseconds.
>>
>
> I don't think this could be done in nanoseconds. Maybe microseconds, but
> more probably milliseconds.
>
> Another question would be, how fast your router can be with potentially
> thousands of routes (I know, many OSes have routing optimised very heavily).
>
> This would likely be a multithreaded asynchronous mechanism so that BIND
>> does each of its lookups as usual, and then forks a followup thread after
>> it completes its normal lookup process, to do the pattern match and route
>> creation, followed by the delayed response released when the
>> pattern-match/route-creation thread terminates.
>>
>> So in general using multithreading, there would be no real impact to
>> programs requesting the lookups, other than a delay per lookup that is so
>> small it would not be noticeable to an end-user human.
>>
>
> I think that you are trying the wrong approach, using the wrong tools.
> Guessing the potential usage from DNS is not a good idea.
>
> On your router, configure the firewall to route selected protocols (gaming,
> ssh,
> RDP, dns) and maybe later some sites to paid cellular, and route everything
> else to DSL.
>
> Note that at my home, most of the data is spent by my children watching YouTube
> videos - I don't think that routing general web and streaming services to the
> cell connection would help you with anything.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> M$ Win's are shit, do not use it !
>


Re: DNS can be a subdomain

2018-06-27 Thread Bob McDonald
Hmmm...  My understanding was that the only requirement was that the DNS
server pointed to by the AD DC (in this case the AD is managed by SAMBA)
had to be authoritative for the domain in DNS which represented the
matching AD domain. This was a common holy war between MCSE folks and Bind
groupies. If you drank the Microsoft Kool-Aid in the early days, you
staunchly believed that DNS had to be AD integrated on the AD DCs. That's
just not the case.

Again that's my understanding.

Bob


Re: Domain name based multihome routing?

2018-06-27 Thread Matus UHLAR - fantomas

On Tue, Jun 26, 2018 at 12:45 PM, Grant Taylor via bind-users <
bind-users@lists.isc.org> wrote:

Are you saying that you want to dynamically update routes to IPs resolved
in real time to specific host / domain names?  Such that traffic to
specific hosts / domain names is routed over DSL?  With things that don't
match conditions routed over cell?



I think I understand what you want to do and why you want to do it.



It seems like you're using named as the source of information to feed into
the process that dynamically updates routing.

I find the pausing of named to be questionable.  But I understand that you
want to make sure that no connections are started until after the
(re)routing has been done.


On 26.06.18 14:07, Dale Mahalko wrote:

(I am no programming expert as mentioned, but I do IT stuff for a living,
so..)

The pause would only be long enough to look for a regex domain pattern to
be routed to the DSL, and then creating the route. This pause can likely be
measured in nanoseconds.


I don't think this could be done in nanoseconds. Maybe microseconds, but
more probably milliseconds.

Another question would be, how fast your router can be with potentially
thousands of routes (I know, many OSes have routing optimised very heavily).


This would likely be a multithreaded asynchronous mechanism so that BIND
does each of its lookups as usual, and then forks a followup thread after
it completes its normal lookup process, to do the pattern match and route
creation, followed by the delayed response released when the
pattern-match/route-creation thread terminates.

So in general using multithreading, there would be no real impact to
programs requesting the lookups, other than a delay per lookup that is so
small it would not be noticeable to an end-user human.


I think that you are trying the wrong approach, using the wrong tools.
Guessing the potential usage from DNS is not a good idea.

On your router, configure the firewall to route selected protocols (gaming, ssh,
RDP, dns) and maybe later some sites to paid cellular, and route everything
else to DSL.

Note that at my home, most of the data is spent by my children watching YouTube
videos - I don't think that routing general web and streaming services to the
cell connection would help you with anything.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !


Re: DNS can be a subdomain

2018-06-27 Thread Elias Pereira
@all

I still do not see any relevant point that will take the DNS authority
leaving the AD and do something to resolve your queries. As the wiki says,
security is essential and you do not have to risk it and let the data be
compromised.

And remember, I'm at an education institute with courses in computer
science and information security. There will always be some "smart guys"
who will try to do something illegal.

I will run some tests with dns as a subdomain and I will come back here to
give you feedback.

Thank you for now!



On Wed, Jun 27, 2018 at 1:35 AM Grant Taylor via bind-users <
bind-users@lists.isc.org> wrote:

> On 06/26/2018 10:21 PM, Mark Andrews wrote:
> > And if you are not using AD you can use SIG(0) and KEY records to allow
> > hosts to authenticate updates to the DNS for their own records.
>
> I'm not quite following.  Do you mean that you can allow hosts to update
> their own RRs without requiring AD and using SIG(0) as an alternative?
>
> Or are you saying forego AD (and Kerberos) and use SIG(0) instead?
>
> #confused
>
> > Instead of registering a host with AD you add a KEY record into the DNS
> > which has the public key of the host which is to be used to sign the
> > UPDATE requests.
>
> If you're using AD for (presumably) Windows networking (and all that
> entails) you very likely want the workstations to be registered with AD.
>   The machine trust accounts are pertinent to AD's operation and the
> workstation's ability to access AD resources when users aren't logged in.
>
> #stillConfused
>
> > Unfortunately OS developers have been asleep at the wheel by not adding
> > support for this to their products.
>
> I'm seeing more and more references to SIG(0) in the last couple of
> weeks.  I think I need to refresh myself on it.
>
>
>
> --
> Grant. . . .
> unix || die
>


-- 
Elias Pereira
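A provisioning walk-through for the SIG(0)/KEY approach Mark Andrews describes (quoted above, and earlier on this page in Grant Taylor's reply in the same thread), added here as an example; it is not code from the thread or from ISC. The zone, host name, server address and new address are constructed placeholders, the key algorithm (RSASHA256, DNS algorithm number 8) is an assumption, and the tools and `update-policy` grammar are BIND 9's. The functions render each artefact so the whole flow can be reviewed before anything touches a real zone.

```shell
#!/bin/sh
# Added example: let one host update only its own A/AAAA records with a
# SIG(0)-signed UPDATE, authorised by the KEY record published at its own
# name. All names and addresses below are constructed placeholders.

ZONE=example.net
HOST=ws01.$ZONE
SERVER=192.0.2.53     # primary that accepts UPDATE for $ZONE
NEW_IP=192.0.2.77

# dnssec-keygen names its files K<name>.+<alg>+<keyid>; 008 is RSASHA256.
key_file_glob() {
    echo "K$HOST.+008+*.$1"
}

# named.conf fragment for the zone. The server checks the SIG(0) signature
# against the KEY RR found at the signer's name, and "self" then restricts
# each key to the name it lives at. The weak setting this replaces is
# allow-update { any; }, which lets any host on the network rewrite the zone.
render_update_policy() {
    cat <<EOF
zone "$ZONE" {
    type primary;
    file "$ZONE.db";
    update-policy {
        grant * self * A AAAA;
    };
};
EOF
}

# Admin-side steps: -T KEY produces a SIG(0) (KEY-type) pair; the .key file
# is the public KEY RR to publish in the zone, the .private file stays on the
# host with restrictive permissions.
render_provisioning_steps() {
    cat <<EOF
dnssec-keygen -T KEY -a RSASHA256 -b 2048 -n HOST $HOST
chmod 600 $(key_file_glob private)
cat $(key_file_glob key)   # add this KEY RR to the $ZONE zone, then reload
EOF
}

# nsupdate script the host runs; -k with a KEY-type key file selects SIG(0):
#   nsupdate -k Kws01.example.net.+008+NNNNN.private update.txt
render_nsupdate_script() {
    cat <<EOF
server $SERVER
zone $ZONE
update delete $HOST A
update add $HOST 300 A $NEW_IP
send
EOF
}
```

Once the KEY RR is in the zone, `dig KEY ws01.example.net @192.0.2.53` should return it, and an UPDATE signed with a different host's key (or one that touches a name other than its own) is refused by the `self` rule, which is the property that makes this usable without AD-style machine accounts.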