Re: Queries regarding forwarders

2018-10-24 Thread Grant Taylor via bind-users

On 08/09/2018 01:01 AM, Lee wrote:

it does, so you have to flag your local zones as rpz-passthru.


Thank you again Lee.  You gave me exactly what I needed and wanted to know.

I finally got around to configuring my RPZ to filter IPv4 
Special-Purpose Address Registry as per IANA's definition. 
(https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml#iana-ipv4-special-registry-1)


I am also happily using rpz-passthru for my local domain(s) that resolve 
to filtered IPs.


Now I'm pontificating augmenting my RPZ to also filter replies that 
resolve to IPv4 BOGONs.  (Received via BGP feed with Team Cymru.)




--
Grant. . . .
unix || die



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
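As an added example (not code from the post above or from ISC), the following Python builds the kind of RPZ zone the post describes: NXDOMAIN response-IP triggers for a constructed subset of IANA's IPv4 special-purpose prefixes, plus rpz-passthru QNAME entries for a local zone so that internal names resolving into those ranges still work; it also models why the passthru entry is needed, since BIND evaluates QNAME triggers before response-IP triggers. The zone name rpz.example and the local zone home.example are assumptions.

```python
import ipaddress

# Constructed subset of IANA's IPv4 Special-Purpose Address Registry;
# every prefix listed here is a real registry entry.
SPECIAL_PURPOSE_V4 = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "240.0.0.0/4", "255.255.255.255/32",
]


def rpz_ip_owner(cidr):
    """Encode a CIDR as an RPZ response-IP trigger owner name:
    prefixlen.B4.B3.B2.B1.rpz-ip (address octets reversed)."""
    net = ipaddress.ip_network(cidr, strict=True)
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}.{'.'.join(reversed(octets))}.rpz-ip"


def build_rpz_zone(origin, prefixes, passthru_zones):
    """Return zone-file lines: passthru for names under the local zones
    (hypothetical names), NXDOMAIN for answers inside any filtered prefix."""
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{origin} 1 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for zone in passthru_zones:
        lines.append(f"{zone} CNAME rpz-passthru.")
        lines.append(f"*.{zone} CNAME rpz-passthru.")
    for cidr in prefixes:
        lines.append(f"{rpz_ip_owner(cidr)} CNAME .")  # CNAME . => NXDOMAIN
    return lines


def policy_action(qname, answer_ip, prefixes, passthru_zones):
    """Model how the zone above treats one answer: QNAME triggers are checked
    before response-IP triggers, so a passthru name wins over a filtered IP."""
    q = qname.rstrip(".").lower()
    for zone in passthru_zones:
        z = zone.rstrip(".").lower()
        if q == z or q.endswith("." + z):
            return "PASSTHRU"
    addr = ipaddress.ip_address(answer_ip)
    if any(addr in ipaddress.ip_network(p) for p in prefixes):
        return "NXDOMAIN"
    return "ALLOW"


if __name__ == "__main__":
    print("\n".join(build_rpz_zone("rpz.example.", SPECIAL_PURPOSE_V4,
                                   ["home.example"])))
```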


Re: Question about visibility

2018-10-24 Thread Dave Warren

On 2018-10-24 07:24, Timothy Metzinger wrote:
There's no security in obscurity.  Automated port scanners will sweep 
your system in a couple of seconds.


There is *limited* security in obscurity but it's a valid layer. 
Obviously insufficient as an only layer...


As a trivial example, I get orders of magnitude more ESMTP 
authentication attempts against well known/standardized ports 25 and 587 
than non-standard ports that speak the exact same protocol. Last I 
looked, 25 receives substantially more traffic than 587 despite 587 
being the better choice to attack these days.



Re: Question about visibility

2018-10-24 Thread Grant Taylor via bind-users

On 10/24/2018 07:24 AM, Timothy Metzinger wrote:

There's no security in obscurity.


Obscurity by itself is not security.

Obscurity can be one of many layers of security.


Automated port scanners will sweep your system in a couple of seconds.


Yes, automated scanners can scan all the ports on a system.  That also 
functions as a great indicator that the connecting IPs are doing 
something undesirable.


Moving the port is also a good way to avoid a lot of other scanners that 
are simply looking for specific ports.


If nothing else, moving the port will likely reduce the number of 
connections, which in itself likely reduces noise in logs, which helps 
improve the signal to noise ratio of said logs.




--
Grant. . . .
unix || die





Re: Question about visibility

2018-10-24 Thread Grant Taylor via bind-users

On 10/24/2018 06:15 AM, G.W. Haywood via bind-users wrote:
A server on a non-standard port is often neglected.  Its security may 
be less well maintained than one that is intentionally public.


Why and how do you make that correlation?

Are you implying that some people think that because they've taken one 
step (moving the port) they may think that they don't need to take other 
steps (updating)?


Do you have, or can you point to, data to substantiate this?

I've always found that moving the port is one of many steps done to 
improve security.  The more important step being to stay up to date.




--
Grant. . . .
unix || die





RE: Question about visibility

2018-10-24 Thread John W. Blue
I agree on using non-standard ports as well.

Moving SSH to a non-standard port is a perfect example of how to actually ID 
bad actors.  It follows that any host connecting to 22 is clearly traffic that 
needs to be dropped and blocked.  And if that host is blocked then any other 
connections it would attempt (e.g. port 80) are also blocked.  I am reluctant to 
say "one and done" but it is pretty close.

Alternatively, using PF on a BSD with this rule:

pass in on $ext_if proto tcp from any to $ext_if port ssh \
flags S/SA keep state \
(max-src-conn-rate 2/120, overload  flush global)

Will only allow 2 connections within two minutes before the host is blacklisted.

John

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Paul 
Kosinski
Sent: Wednesday, October 24, 2018 11:24 AM
To: bind-users@lists.isc.org
Subject: Re: Question about visibility

Maybe port scanners will find open ports pretty quickly, but I've found that 
using non-standard ports is helpful in reducing traffic, at least.
For example, SSH on port 22 gets lots of SYNs but moving it elsewhere, and 
making 22 totally unresponsive discourages most such attempts. This increases 
security slightly a priori, and may also improve security by simplifying the 
firewall log(s).

When using OpenVPN over UDP, the standard port 1194 can be subject to random 
and/or attack packets. These have to be processed and rejected (since their 
HMACs etc. hopefully won't pass decryption). This won't occur in TCP mode, of 
course, but UDP tends to be more efficient, especially since TCP over TCP tends 
to clog up.

P.S. When you come right down to it, *all* computer (software) security is 
"security by obscurity", whether the obscurity of passwords, private keys, etc. 
For example, DES is no longer used because 56-bit keys are no longer obscure 
enough to hide from modern computers.


On Wed, 24 Oct 2018 13:24:41 +
Timothy Metzinger  wrote:

> There's no security in obscurity.  Automated port scanners will sweep 
> your system in a couple of seconds.
> 
> Tim Metzinger
> 
> From: bind-users  on behalf of G.W.
> Haywood via bind-users  Sent: Wednesday, 
> October 24, 2018 12:15:10 PM To: bind-users@lists.isc.org
> Subject: Re: Question about visibility
> 
> Hi there,
> 
> On Wed, 24 Oct 2018, Hardy, Andrew wrote:
> 
> > Further to the original post, as well as not creating a DNS record 
> > and "possibly" adding robot.txt with appropriate content, as 
> > discussed, I presume that if I run the http server on a personally 
> > selected unprivileged port then it is very "unlikely" the site pages 
> > will be indexed/discovered/etc surely?
> >
> > Thoughts?
> 
> A server on a non-standard port is often neglected.  Its security may 
> be less well maintained than one that is intentionally public.
> 
> That's just the sort of thing that criminals are looking for.  They'll 
> probably find it, and then they'll attack it.
> 
> --
> 
> 73,
> Ged.
> 
> Tim Metzinger
> 703.963.3015
> 
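As an added illustration of the reasoning in this thread (not code from the list, from pf or from any poster), the following Python replays constructed firewall log lines against the same two-connections-per-120-seconds rule as the pf snippet and treats any connection to the now-unused port 22 as an immediate scanner indicator, then reports which sources would end up blacklisted and how many of their later connections would be dropped. The log format, the relocated SSH port 2222 and the addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, one "timestamp src dst dport" entry per line.
# This is not pflog output; it stands in for whatever your firewall logs.
SAMPLE_LOG = """\
2018-10-24T11:00:00 198.51.100.7 203.0.113.10 2222
2018-10-24T11:00:30 198.51.100.7 203.0.113.10 2222
2018-10-24T11:01:00 198.51.100.7 203.0.113.10 2222
2018-10-24T11:05:00 192.0.2.44 203.0.113.10 22
2018-10-24T11:06:00 192.0.2.44 203.0.113.10 80
2018-10-24T11:10:00 198.51.100.9 203.0.113.10 2222
2018-10-24T11:20:00 198.51.100.9 203.0.113.10 2222
2018-10-24T11:30:00 198.51.100.9 203.0.113.10 2222
"""

SSH_PORT = 2222            # hypothetical port sshd was moved to
DECOY_PORTS = {22}         # standard port left unanswered: any hit is a scanner
MAX_CONN, WINDOW = 2, 120  # mirrors pf's max-src-conn-rate 2/120


def parse_line(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def evaluate(log_text):
    """Replay the log in order; return which sources get blacklisted, why,
    and how many of their subsequent connections would have been dropped."""
    recent = defaultdict(deque)   # src -> timestamps of recent SSH_PORT hits
    blocked = {}                  # src -> "decoy" or "rate"
    dropped = 0
    for line in log_text.strip().splitlines():
        ts, src, _dst, dport = parse_line(line)
        if src in blocked:
            dropped += 1          # an overloaded source loses every later connection
            continue
        if dport in DECOY_PORTS:
            blocked[src] = "decoy"
            continue
        if dport == SSH_PORT:
            window = recent[src]
            window.append(ts)
            # keep only connections inside the sliding WINDOW
            while (ts - window[0]).total_seconds() > WINDOW:
                window.popleft()
            if len(window) > MAX_CONN:
                blocked[src] = "rate"
    return {"blocked": blocked, "dropped": dropped}


if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG))
```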


Re: resolve - send query via specific network device

2018-10-24 Thread Grant Taylor via bind-users

On 10/24/2018 03:58 AM, Matus UHLAR - fantomas wrote:
It uses routing tables to decide this, so you can force it to use 
an alternative route.


It's also possible to use the routing table to specify which source IP 
is used for a given route.


This is handy to specify the source IP to use if you have multiple IPs 
on the same outgoing interface.




--
Grant. . . .
unix || die





Re: Question about visibility

2018-10-24 Thread Paul Kosinski
Maybe port scanners will find open ports pretty quickly, but I've found
that using non-standard ports is helpful in reducing traffic, at least.
For example, SSH on port 22 gets lots of SYNs but moving it elsewhere,
and making 22 totally unresponsive discourages most such attempts. This
increases security slightly a priori, and may also improve security by
simplifying the firewall log(s).

When using OpenVPN over UDP, the standard port 1194 can be subject to
random and/or attack packets. These have to be processed and rejected
(since their HMACs etc. hopefully won't pass decryption). This won't
occur in TCP mode, of course, but UDP tends to be more efficient,
especially since TCP over TCP tends to clog up.

P.S. When you come right down to it, *all* computer (software) security
is "security by obscurity", whether the obscurity of passwords, private
keys, etc. For example, DES is no longer used because 56-bit keys are no
longer obscure enough to hide from modern computers.


On Wed, 24 Oct 2018 13:24:41 +
Timothy Metzinger  wrote:

> There's no security in obscurity.  Automated port scanners will sweep
> your system in a couple of seconds.
> 
> Tim Metzinger
> 
> From: bind-users  on behalf of G.W.
> Haywood via bind-users  Sent: Wednesday,
> October 24, 2018 12:15:10 PM To: bind-users@lists.isc.org
> Subject: Re: Question about visibility
> 
> Hi there,
> 
> On Wed, 24 Oct 2018, Hardy, Andrew wrote:
> 
> > Further to the original post, as well as not creating a DNS record
> > and "possibly" adding robot.txt with appropriate content, as
> > discussed, I presume that if I run the http server on a personally
> > selected unprivileged port then it is very "unlikely" the site pages
> > will be indexed/discovered/etc surely?
> >
> > Thoughts?
> 
> A server on a non-standard port is often neglected.  Its security may
> be less well maintained than one that is intentionally public.
> 
> That's just the sort of thing that criminals are looking for.  They'll
> probably find it, and then they'll attack it.
> 
> --
> 
> 73,
> Ged.
> 
> Tim Metzinger
> 703.963.3015
> 


Re: Question about visibility

2018-10-24 Thread Timothy Metzinger
There's no security in obscurity.  Automated port scanners will sweep your 
system in a couple of seconds.

Tim Metzinger

From: bind-users  on behalf of G.W. Haywood 
via bind-users 
Sent: Wednesday, October 24, 2018 12:15:10 PM
To: bind-users@lists.isc.org
Subject: Re: Question about visibility

Hi there,

On Wed, 24 Oct 2018, Hardy, Andrew wrote:

> Further to the original post, as well as not creating a DNS record
> and "possibly" adding robot.txt with appropriate content, as
> discussed, I presume that if I run the http server on a personally
> selected unprivileged port then it is very "unlikely" the site pages
> will be indexed/discovered/etc surely?
>
> Thoughts?

A server on a non-standard port is often neglected.  Its security may
be less well maintained than one that is intentionally public.

That's just the sort of thing that criminals are looking for.  They'll
probably find it, and then they'll attack it.

--

73,
Ged.

Tim Metzinger
703.963.3015



Re: Question about visibility

2018-10-24 Thread G.W. Haywood via bind-users

Hi there,

On Wed, 24 Oct 2018, Hardy, Andrew wrote:


Further to the original post, as well as not creating a DNS record
and "possibly" adding robot.txt with appropriate content, as
discussed, I presume that if I run the http server on a personally
selected unprivileged port then it is very "unlikely" the site pages
will be indexed/discovered/etc surely?

Thoughts?


A server on a non-standard port is often neglected.  Its security may
be less well maintained than one that is intentionally public.

That's just the sort of thing that criminals are looking for.  They'll
probably find it, and then they'll attack it.

--

73,
Ged.


Re: Question about visibility

2018-10-24 Thread Hardy, Andrew
Further to the original post, as well as not creating a DNS record and
"possibly" adding robot.txt with appropriate content, as discussed, I
presume that if I run the http server on a personally selected unprivileged
port then it is very "unlikely" the site pages will be
indexed/discovered/etc surely?

Thoughts?

Thanks.


On Sun, Oct 21, 2018, 20:32 N6ghost  wrote:

> On Thu, 11 Oct 2018 15:39:55 -0400
> Barry Margolin  wrote:
>
> > In article ,
> >  Dennis Clarke  wrote:
> >
> > > On 10/11/2018 03:21 PM, Leonardo Rodrigues wrote:
> > > > Em 11/10/18 16:13, Barry Margolin escreveu:
> > > >>
> > > >> If you accidentally, or someone else intentionally, create a
> > > >> link to the site that uses the IP and put it on a web page that
> > > >> Google can get to, it will probably find the page.
> > > >>
> > > >>
> > > >
> > > >  robots.txt, on your website root, is your friend. Simply
> > > > deny web crawling on it, and you're (probably) done.
> > > >
> > >
> > > If you believe robots.txt means anything at all.
> >
> > Google is known to obey it, and the question was about avoiding
> > getting your site indexed by Google.
> >
> > Of course, that doesn't mean someone won't find the site on their
> > own. If the link to it is on some other page that isn't blocked by
> > robots.txt, someone might stumble across that page and then click on
> > the link.
> >
> > But if you're mainly worried about someone googling the words that
> > are on your website and Google sending them to the development
> > version instead of the production version, you're pretty safe.
> >
> > Actually, DNS has very little impact on this at all. AFAIK, Google
> > doesn't crawl DNS, it just crawls web pages and follows links. My
> > company's development server is in DNS, and it's not firewalled (we
> > all work from our homes, there's no company network to restrict
> > access with), but I've never heard of anyone accidentally being
> > directed there by Google, because we don't publish links to this
> > server.
> >
>
> robot.txt is supposed to govern what's indexed... not sure how well it's
> followed nowadays but that's the process for it.


Re: Understanding TTL in "rndc dumpdb"-output

2018-10-24 Thread Michał Kępień
> I've checked the serve-stale status, which is currently off.
> # rndc serve-stale status
> _default: off (stale-answer-ttl=1 max-stale-ttl=604800)
> _bind: off (stale-answer-ttl=1 max-stale-ttl=604800)
> 
> Is this a normal behavior, that in the "rndc dumpdb" nevertheless the TTL in
> the form of "serve-stale" is shown (even if the serve-stale-status = off)?

Yes, this is normal.

Once again (please take another look at the parenthesized part of my
previous response), max-stale-ttl is separate from stale-answer-enable.

-- 
Best regards,
Michał Kępień


Re: resolve - send query via specific network device

2018-10-24 Thread Tony Finch
Stern, Eli  wrote:

> Using the client side of Bind in a similar manner to the "resolve"
> sample (resolve.c).
>
> How does one force the queries to be sent via a specific network device?

Look at the -b option in `lib/sample/resolve.c`.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Rockall, Malin: West 5 to 7. Rough or very rough, occasionally moderate in
Malin. Occasional rain. Good, occasionally poor.


Re: resolve - send query via specific network device

2018-10-24 Thread Matus UHLAR - fantomas

On 24.10.18 09:47, Stern, Eli wrote:

Using the client side of Bind in a similar manner to the "resolve" sample 
(resolve.c).

How does one force the queries to be sent via a specific network device?
E.g. using the "bind()" system call or ioctl(SO_BINDTODEVICE)?


you can only configure outgoing IP address in BIND by using e.g. query-source
option.


OS: Linux.


the OS decides how to send packets, including which interface to send from. 
It uses routing tables to decide this, so you can force it to use an
alternative route.

Try looking at http://linux-ip.net/html/routing-tables.html
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller


resolve - send query via specific network device

2018-10-24 Thread Stern, Eli
Using the client side of Bind in a similar manner to the "resolve" sample 
(resolve.c).

How does one force the queries to be sent via a specific network device?
E.g. using the "bind()" system call or ioctl(SO_BINDTODEVICE)?

OS: Linux.

