Re: Problems with NS*.worldnic.com
>> something *very* strange is going on. the worldnic servers have been giving delayed or no results for days now. and nsi is hoping we and the wsj/nyt won't notice.
>
> I agree 100%. but it's probably time for us all to dump symptoms here and figure it out as a community, as the dog with the bone ain't 'fessing up.
>
> randy

I'll bite. I couldn't resolve ns*.worldnic.com domains until I finally bit the bullet, and unblocked port 53 TCP from my DNS server. Then it worked fine. (after a few tries) I'm using BIND 9.2.4 without the eye pee vee six stuff compiled in.

Because I don't want to start something; No discussion about me blocking port 53, ok? I got tired of gobs of log files of script kiddies trying to download my domains 5 years ago... I actually READ my logs. Besides, I had to keep the linux boxes safe from the tyranny of bind 8 until they got upgraded. :-)

-Jerry
Re: Problems with NS*.worldnic.com
On Mon, 25 Apr 2005 22:19:51 PDT, william(at)elan.net said:

> Perhaps a solution is to specifically enable ipv6 dns resolution as preferable to ipv4 or the other way around. This could perhaps be switch in resolv.conf or nsswitch.conf. Something like:
>
> /etc/resolv.conf
> search example.com
> protocol ipv6 ipv4

At least on my system, there's an 'options inet6' line that makes it look for records, and mapping ipv4 into ipv6 addresses if only an A record is found.

Also note that it doesn't fix the problem that's being seen - I might be able to contact the nameservers listed in resolv.conf via both IPv4 and IPv6 - the fun starts when my nameserver gets an NS entry that contains an record, and the nameserver has enough IPv6 connectivity to think it's worth a try, but you can't get there from here...
Re: Problems with NS*.worldnic.com
Have to say we see no issues here with the worldnic.com nameservers, other than they appear to be located on the same physical network. I think people should post queries that fail, including date/time, and full dig output for that query from the server they used, and the version of recursive nameserver used. Otherwise it is purely speculative guess work to figure out if it is a DNS delegation issue, or something else (network congestion?). No one should be surprised that a DNS request may be truncated and switched to TCP, that is in the RFCs. Although the servers in question run BIND9 so presumably support EDNS0, which suggests those seeing truncation may be running rather old code, or unusual recursive resolvers. The worldnic.com and worldnic.net appear to use the MMDDVV convention for SOA serial numbers, and so it would appear nothing has changed their end in terms of zone data for at least five months in terms of zone file settings. All looks rosy from here.
Re: Qwest protests SBC-ATT merger as harmful to competition
On Tue, 19 Apr 2005, Justin M. Streiner wrote:
> If Qwest would have won the bid, then it would be up to Verizon to cry foul - and rest assured they would. Funny how that works :-)

We may yet see that happening as it appears the bidding war is far from over - latest news article on this issue (also reporting on Qwest being upset over SBC+ATT deal) says that Qwest increased its bid and now MCI says Qwest bid is superior...:
http://news.com.com/Qwest+to+turn+up+heat+on+SBC-AT38T+merger+fight/2100-1036_3-5683932.html

Oh and BTW, you wanna know who likes this kind of a deal? Well - apparently it's the Union!:
http://www.lightreading.com/document.asp?site=lightreadingdoc_id=72768

And you know what their reason is? It seems they care a lot about national security, in fact here is how they see it:
> The merger makes certain that national security will be safeguarded, by ensuring that ATT, on which the government heavily depends for national security and other needs, will be a strong American company,

> Both mergers stink to high heaven. And we can probably rest assured that the FCC does not have the consumers' best interest in mind. They haven't for quite a long time.

Wanna know how and why that happened? Let me explain to you with a related example. Let's take the Inter-American Telecommunication Commission which up until now was made up of people who were interested in best technology and how it can best meet consumer demands and interests. But not any more:
http://www.time.com/time/magazine/article/0,9171,1053595,00.html
> The Inter-American Telecommunication Commission meets three times a year in various cities across the Americas to discuss such dry but important issues as telecommunications standards and spectrum regulations. But for this week's meeting in Guatemala City, politics has barged onto the agenda. At least four of the two dozen or so U.S. delegates selected for the meeting, sources tell TIME, have been bumped by the White House because they supported John Kerry's 2004 campaign.

Apparently politics is in and consumer interests are out, especially for current administration who knows how to separate those who gave them money from those who did not (in fact this administration's actions will easily dispel any myths that if Europe is full of corruption and it's full of liberals, then it's the liberal politicians who are most easily corrupted). So ain't it great when your vote counts like that? Well, it might even have been better if it counted as much as the $$$ given to the right politicians

So now guess, who has money to give to the right place, big company like SBC whose contribution you can easily see and remember or number of individuals with diverse reasons and backgrounds. And then of course we have FCC appointed by politicians, but tasked with having to decide in best interests of those individuals, or is it?

And coming to parallel topic of discussions, we now have calls (by guess who...) for having IP registrations (and ICANN in general) be taken over by ITU, so that process can be controlled and administered by government. So apparently current system where ip registrations and policies are controlled primarily by the consumers of those resources through the non-profit organizations is not quite what the governments of the world like - no, it's large monopoly telcos that they prefer!

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
Re: Problems with NS*.worldnic.com
Suresh Ramasubramanian wrote:
> I'd say fix the resolver to not try resolve v6 where there exists no v6 connectivity

I'd say fix the broken v6 connectivity.

- Kevin
Re: Problems with NS*.worldnic.com
On Tue, 26 Apr 2005, Simon Waters wrote:
> Have to say we see no issues here with the worldnic.com nameservers, other than they appear to be located on the same physical network. I think people should post queries that fail, including date/time, and full dig output for that query from the server they used, and the version of recursive nameserver used. Otherwise it is purely speculative guess work to figure out if it is a DNS delegation issue, or something else (network congestion?).

I think I suggested similar yesterday as did Mr. Bush.

> The worldnic.com and worldnic.net appear to use the MMDDVV convention for SOA serial numbers, and so it would appear nothing has changed their end in terms of zone data for at least five months in terms of zone file settings.

Interesting, I thought the worldnic.com servers were NSI's 'free hosting for domains you registered through us' servers, which would imply they get changed 'frequently' no?
Re: Problems with NS*.worldnic.com
lots of folk sent email to me and not the list. most report worldnic responding with tcp 53 and not udp. would love to hear confirmation on list. can think of a number of causes, one possible, but just a stab in the dark, would be an intentional hack as a defense to a spoofed-ip attack. what are some names known to be hosted on worldnic? randy
Re: Problems with NS*.worldnic.com
At 21:34 -0700 4/25/05, Rodney Joffe wrote:
> The culprit is dig.

Ahh, dig. What version? You have to be running the latest at all times these days...so many changes...

In my experiences with v6 the problems I have come down to are:

1) Broken testing tools. (See change 1610 in the BIND CHANGES file for one.)
2) Broken route policy. (Dastardly ISPs!)
3) Broken OS APIs. (Have we learned nothing since or from Berkeley Sockets?)

#1 - I've had to reevaluate everything I know about debugging since I met IPv6. Now there's an entirely alternate universe of failure to consider. One day I was sitting in RIPE NCC's offices and couldn't 'dig @ns.ripe.net'. So I walked to the ops room and asked, umm, is your big machine down. After a good laugh, we figured that my Mac was trying v6 where v6 wasn't *really* live.

#2 - When I first got real live IPv6 service from a provider, I tried tracerouting to all the machines I knew about - the roots as listed on root-servers.org, the RIPE machines. I'd get about halfway there and fail. I asked for reverse traces from the other side and see failures about the same place. We had to work with ISPs to loosen route policies.

#3 - I have seen all sorts of mistakes involving OS's, OS APIs, and app software APIs. Mapped addresses are mishandled, having more than one address to try is something apps don't deal with. (Like they've been force fed one kind of food their entire life, and now have to choose from a menu.) At NANOG last year I related my problems with ssh (choosing v6 over v4 - and me assigning the same domain name to two machines, one on a v4 net and one on a v6 net). Stupid me... The biggest problem was that one type of machine kept dropping its statically configured default v6 route. Packets would get in, but they didn't know where to go next. The machine logged all activity as good though...it didn't know.

--
Edward Lewis  +1-571-434-5468  NeuStar
If you knew what I was thinking, you'd understand what I was saying.
Re: Problems with NS*.worldnic.com
Randy Bush [EMAIL PROTECTED] wrote:
> lots of folk sent email to me and not the list. most report worldnic responding with tcp 53 and not udp. would love to hear confirmation on list. can think of a number of causes, one possible, but just a stab in the dark, would be an intentional hack as a defense to a spoofed-ip attack.

That's quite an interesting theory, and you may be right. However, when given the choice between incompetence and malice, I know which one my money is on.

> what are some names known to be hosted on worldnic?

voipbuster.com's one that they've been whining about on uk.telecom. Right now, UDP DNS requests to ns25/ns26.worldnic.com for that domain are giving truncated responses and TCP calls aren't even being answered, so it's even more buggered than the last time I poked at it.

--
I Adjure Thee, O Foul Demon of The Sinus, by this Leatherman Tool and this Fully Earthed 30 Amp Power Strip! Remain Thou within the Faraday Cage and Answer the Questions put to Thee, and I shall Discharge Thee that Thou mayest return from Whence Thou Camest. -- Peter da Silva
Re: Problems with NS*.worldnic.com
On Tue, 26 Apr 2005, Randy Bush wrote:
> lots of folk sent email to me and not the list. most report worldnic responding with tcp 53 and not udp. would love to hear confirmation on list. can think of a number of causes, one possible, but just a stab in the dark, would be an intentional hack as a defense to a spoofed-ip attack. what are some names known to be hosted on worldnic?

we had problems reported with:

www.calairmail.com
www.holidaycardwebsite.com

I did some poking around last night with dig and some local unix hosts that I hadn't tried this before on and got no change to tcp :( (so no truncate and returned results via UDP) though today I see:

[EMAIL PROTECTED]:~$ dig www.holidaycardwebsite.com. @ns7.worldnic.com
;; Truncated, retrying in TCP mode.

and failures (which is PROBABLY my silly iptables config...)

[EMAIL PROTECTED]:~$ dig www.holidaycardwebsite.com. @ns8.worldnic.com
; DiG 9.2.2rc1 www.holidaycardwebsite.com. @ns8.worldnic.com
;; global options: printcmd

interesting that both servers aren't doing the same thing?
Re: Problems with NS*.worldnic.com
On Tue, 26 Apr 2005, Brett Frankenberger wrote:
> On Tue, Apr 26, 2005 at 01:22:41PM +, Christopher L. Morrow wrote:
>> On Tue, 26 Apr 2005, Simon Waters wrote:
>>> The worldnic.com and worldnic.net appear to use the MMDDVV convention for SOA serial numbers, and so it would appear nothing has changed their end in
>>
>> Interesting, I thought the worldnic.com servers were NSI's 'free hosting for domains you registered through us' servers, which would imply they get changed 'frequently' no?
>
> I think he's talking about the worldnic.com and worldnic.net zones themselves. Those wouldn't need to change unless new names were added

yup, this was clarified off-list :( I'll take my pre-coffee lumps on that one :( where is that coffee pot?
CircleID, was: Re: Paul Wilson and Geoff Huston of APNIC on IP address allocation ITU v/s ICANN etc
On that note, I suggest that folks from the NANOG community get involved with CircleID. It's a great site with articles on everything from DNS and addressing issues to domain naming and ICANN. It sometimes misses the network operator perspective - a few articles or comments by some of the folks on this list would be very helpful (see Geoff and Suresh's contributions for evidence of this)

Thanks,
Dan

On 4/25/05 9:36 PM, Suresh Ramasubramanian [EMAIL PROTECTED] wrote:
> On 4/20/05, Suresh Ramasubramanian [EMAIL PROTECTED] wrote:
> http://www.circleid.com/article/1045_0_1_0_C/ That's a must read article, I'd say.
>
> Followup article by Paul Wilson - http://www.circleid.com/article.php?id=1049_0_1_0_C/ The Geography of Internet Addressing
Re: Problems with NS*.worldnic.com
In message [EMAIL PROTECTED], Christopher L. Morrow writes:
> On Tue, 26 Apr 2005, Randy Bush wrote:
>> lots of folk sent email to me and not the list. most report worldnic responding with tcp 53 and not udp. would love to hear confirmation on list. can think of a number of causes, one possible, but just a stab in the dark, would be an intentional hack as a defense to a spoofed-ip attack. what are some names known to be hosted on worldnic?
>
> we had problems reported with:
>
> www.calairmail.com
> www.holidaycardwebsite.com
>
> I did some poking around last night with dig and some local unix hosts that I hadn't tried this before on and got no change to tcp :( (so no truncate and returned results via UDP) though today I see:
>
> [EMAIL PROTECTED]:~$ dig www.holidaycardwebsite.com. @ns7.worldnic.com
> ;; Truncated, retrying in TCP mode.
>
> and failures (which is PROBABLY my silly iptables config...)
>
> [EMAIL PROTECTED]:~$ dig www.holidaycardwebsite.com. @ns8.worldnic.com
> ; DiG 9.2.2rc1 www.holidaycardwebsite.com. @ns8.worldnic.com
> ;; global options: printcmd
>
> interesting that both servers aren't doing the same thing?

Both work for me, from two different places, one of which has v6 connectivity and one of which doesn't.

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
FW: Port 25 - Backlash
For any educational institutions on this list - what has been the impact on your mail services once your ISP started blocking port 25 - what if any was the backlash - and how difficult was it to provide alternatives ...587,465 etc ...

best regards,

Paul Ryan - AS812
yahoo handle - paul_ryan_ismc
RE: Port 25 - Backlash
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Paul Ryan
> Sent: Tuesday, April 26, 2005 11:11 AM
> To: Nanog Mailing list
> Subject: FW: Port 25 - Backlash
> Importance: High
>
> For any educational institutions on this list - what has been the impact on your mail services once your ISP started blocking port 25 - what if any was the backlash - and how difficult was it to provide alternatives ...587,465 etc ...

Why would an ISP block port 25 for .edu customers? The universities I'm familiar with have PI space vs PA. Comparatively, that should be the boundary to determine whether to block 25 or not, IMO.

-M
Re: Problems with NS*.worldnic.com
----- Original Message -----
From: Randy Bush [EMAIL PROTECTED]
To: Christopher L. Morrow [EMAIL PROTECTED]
Cc: nanog@merit.edu
Sent: Tuesday, April 26, 2005 16:35
Subject: Re: Problems with NS*.worldnic.com

> lots of folk sent email to me and not the list. most report worldnic responding with tcp 53 and not udp. would love to hear confirmation on list. can think of a number of causes, one possible, but just a stab in the dark, would be an intentional hack as a defense to a spoofed-ip attack.

That is a bind issue when receiving empty response from worldnic ns on udp queries, it asks again on tcp which is very slow. more here:
http://isc.sans.org/diary.php?date=2005-04-22

> what are some names known to be hosted on worldnic?
>
> randy

aljuhani
using TCP53 for DNS
In the thread about ns*.worldnic.com, many people were complaining about DNS responses/queries on TCP port 53. At least one DoS mitigation box uses TCP53 to protect name servers. Personally I thought this was a pretty slick trick, but it appears to have caused a lot of problems. From the thread (certainly not a scientific sampling), many people seem to be filtering port 53 TCP to their name servers. Is this common? Does anyone have stats on this (roots, GTLDs, other big name server farms)? Perhaps people could send what they do personally and I can summarize for this list. (Again, not a scientific sampling method, but better than trying to read into what people imply in a long, and probably not-well-read thread.) -- TTFN, patrick P.S. Sorry to post operational content, I know how everyone hates that. =)
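The fallback dig reports earlier in the thread (";; Truncated, retrying in TCP mode.") and the EDNS0 point Simon raised, as an added example that is not code from the original thread or from any poster. It builds the DNS wire format by hand: a recursive A query carrying an EDNS0 OPT record that advertises a 4096-byte UDP payload (so a server that supports EDNS0 need not truncate), a check of the TC bit in the reply, and a retry of the same query over TCP with the 2-byte length prefix DNS-over-TCP requires. The server here is a constructed stand-in that sets TC on UDP and answers in full on TCP; the transport functions, the query ID and the 192.0.2.1 answer are assumptions, not captures from any worldnic host.

```python
"""DNS truncation: EDNS0 query, TC-bit check, TCP retry with length framing.

Added example, not code from the original thread or from any poster. The DNS
wire format is built by hand; transports are injectable callables so the
whole thing runs offline against a constructed stand-in server."""
import struct

TC_FLAG = 0x0200                          # TC bit in the header flags word
QTYPE_A, QTYPE_OPT, QCLASS_IN = 1, 41, 1


def encode_name(name):
    """Dotted name -> DNS label sequence terminated by the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid=0x1234, edns_size=4096):
    """Recursive A query; with edns_size, append an OPT RR advertising a UDP
    payload size larger than the classic 512 bytes (EDNS0, RFC 2671)."""
    arcount = 1 if edns_size else 0
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)   # RD set
    msg += encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    if edns_size:
        # OPT RR: root name, type 41, CLASS field carries the UDP payload
        # size, TTL field carries extended RCODE/version/flags (0), RDLEN 0.
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_size, 0, 0)
    return msg


def is_truncated(response):
    """True when the server set TC: the answer did not fit in the UDP reply."""
    return bool(struct.unpack("!H", response[2:4])[0] & TC_FLAG)


def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data):
    return data[2:2 + struct.unpack("!H", data[:2])[0]]


def check_id(query, reply):
    """Reject replies whose ID does not match the query (spoofed or stale)."""
    if reply[:2] != query[:2]:
        raise ValueError("response ID does not match query")


def resolve(name, send_udp, send_tcp):
    """UDP first; if the reply has TC set, resend the same query over TCP.
    Returns (reply, log) where log records which path produced the answer."""
    q = build_query(name)
    reply = send_udp(q)
    check_id(q, reply)
    if not is_truncated(reply):
        return reply, ["udp"]
    log = ["Truncated, retrying in TCP mode"]
    reply = tcp_unframe(send_tcp(tcp_frame(q)))
    check_id(q, reply)
    return reply, log + ["tcp"]


def fake_server(query, via_tcp):
    """Constructed stand-in (not a capture of any real server): over UDP it
    answers with TC set and no records; over TCP it returns the A record."""
    qid = query[:2]
    end = query.index(b"\x00", 12) + 5          # end of the question section
    question = query[12:end]
    if not via_tcp:
        # QR|RD|RA|TC, 1 question, 0 answers: the client must retry over TCP.
        return qid + struct.pack("!HHHHH", 0x8180 | TC_FLAG, 1, 0, 0, 0) + question
    # Answer RR: compressed name pointer to offset 12, A/IN, TTL 300, 4-byte RDATA.
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    return qid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + question + answer


def udp_transport(msg):
    return fake_server(msg, via_tcp=False)


def tcp_transport(framed):
    return tcp_frame(fake_server(tcp_unframe(framed), via_tcp=True))


def answer_address(reply):
    """IPv4 address from the first A record in the answer section."""
    end = reply.index(b"\x00", 12) + 5
    return ".".join(str(b) for b in reply[end + 12:end + 16])


if __name__ == "__main__":
    reply, log = resolve("www.example.com", udp_transport, tcp_transport)
    print(log, answer_address(reply))
```

Dropping TCP/53 at a router, as several posters describe doing, breaks exactly the second leg of resolve(): the UDP reply says "ask again over TCP" and the retry never connects, which is the delayed-or-no-answer symptom at the top of the thread. Restricting zone transfers belongs in the name server's own transfer ACL (BIND's allow-transfer) rather than in a port filter that also catches truncated lookups.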
Re: Slashdot: Providers Ignoring DNS TTL?
DA Date: Sat, 23 Apr 2005 16:13:22 -0400 (EDT)
DA From: Dean Anderson

DA And it violates RFC 1546, as previously explained.

Who cares? You've railed against SMTP+AUTH because it's not a standard. Why do you give a rat's rump about 1546?

DA Well, PPLB isn't the end of the world. But PPLB is coming, and the smart
DA people will be prepared for it. The dumb people, well, they're dumb.

Perhaps PPLB becomes more common. Time for SACK, lest traditional TCP do bad things. As for anycast, there's a fair chance people building anycast clusters will work around PPLB. Maybe they'll build topologies to avoid problems. Maybe they'll have behind-the-scenes unicast intelligence to deal with TCP session transfer. I'll leave it at that. This thread is getting old, and 1xRTT latency makes SSH uncomfortable.

DA What can be expected from dumb people?

Frequent NANOG posting.

Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
DO NOT send mail to the following addresses: [EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked. Ditto for broken OOO autoresponders and foolish AV software backscatter.
Re: Slashdot: Providers Ignoring DNS TTL?
Date: Sun, 24 Apr 2005 02:00:48 -0400
From: [EMAIL PROTECTED]
> What you seem to be missing is that the *really* smart people will be prepared for it when it actually gets here - and will take advantage of its lack of arrival in the meantime.

Na the code in my lab and the work-in-progress protocol dev printout to my right exist because I was bored and had nothing better to do, and Minesweeper bores me. Fortunately, I have discovered posting to NANOG as a worthy alternative.

Networking can be hard. Let's just say all problems are insurmountable and go home. Let someone else solve the hard stuff... it's worked great for spam.

Eddy
Re: FW: Port 25 - Backlash
Our ISPs don't block anything, to my knowledge; but when our users' ISPs began blocking port 25 (especially SBC DSL) we had already been encouraging users to configure their clients to use 587.

matto

On Tue, 26 Apr 2005, Paul Ryan wrote:
> For any educational institutions on this list - what has been the impact on your mail services once your ISP started blocking port 25 - what if any was the backlash - and how difficult was it to provide alternatives ...587,465 etc ...

[EMAIL PROTECTED] darwin
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
Re: FW: Port 25 - Backlash
Paul,

> For any educational institutions on this list - what has been the impact on your mail services once your ISP started blocking port 25 - what if any was the backlash - and how difficult was it to provide alternatives ...587,465 etc ...

Our ISPs don't filter our traffic. If they consistently did, they probably wouldn't be our ISPs for long. OTOH, the question that you didn't ask was if educational institutions themselves are blocking port 25 from their users :) In our case, yes we are. We only allow SMTP connections from our dorm subnets to the campus mail servers. Personally, I thought there was going to be a huge backlash from our community when we put this in about a year ago. Of the 12,000 students that this affected, I believe two have inquired about it but didn't really have an issue with it.

Eric :)
Re: Port 25 - Backlash
The fact that most people did not complain is not likely due to the fact that they were not annoyed by the change, but rather it's easier to simply get around it than it is to bother complaining to network admins. For example, about 2 months ago, comcast decided to block outgoing port 25 from my entire neighborhood. I called comcast, and while sitting on hold I had the idea to setup a ssh tunnel to a machine at work and voila problem solved before anyone from comcast even answered the phone.

Adam

On Apr 26, 2005, at 2:03 PM, Eric Gauthier wrote:
> Paul,
>
>> For any educational institutions on this list - what has been the impact on your mail services once your ISP started blocking port 25 - what if any was the backlash - and how difficult was it to provide alternatives ... 587,465 etc ...
>
> Our ISPs don't filter our traffic. If they consistently did, they probably wouldn't be our ISPs for long. OTOH, the question that you didn't ask was if educational institutions themselves are blocking port 25 from their users :) In our case, yes we are. We only allow SMTP connections from our dorm subnets to the campus mail servers. Personally, I thought there was going to be a huge backlash from our community when we put this in about a year ago. Of the 12,000 students that this affected, I believe two have inquired about it but didn't really have an issue with it.
>
> Eric :)
RE: Port 25 - Backlash
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Adam Jacob Muller
> Sent: Tuesday, April 26, 2005 2:18 PM
> To: Eric Gauthier
> Cc: Paul Ryan; Nanog Mailing list
> Subject: Re: Port 25 - Backlash
>
> The fact that most people did not complain is not likely due to the fact that they were not annoyed by the change, but rather it's easier to simply get around it than it is to bother complaining to network admins. For example, about 2 months ago, comcast decided to block outgoing port 25 from my entire neighborhood. I called comcast, and while sitting on hold I had the idea to setup a ssh tunnel to a machine at work and voila problem solved before anyone from comcast even answered the phone.

And comcast will happily allow this to be your employer's problem i.e. owned, infected, or spamming.

Paul was asking about ILG's and the political backlash of blocking off-campus port 25 where the ILG is using an ISP other than their school. (thanks SD, EG, MG, DD)

-M
Anyone from Verizon familiar with physical plant in PHL
If, by a fluke of nature, there is a person from Verizon or someone who knows a person from Verizon that can answer a question Where does this line go? in a former Bell Atlantic plant in Philadelphia, I would really appreciate an off-list email. Thanks, Alex
Re: using TCP53 for DNS
* Patrick W. Gilmore:
> At least one DoS mitigation box uses TCP53 to protect name servers. Personally I thought this was a pretty slick trick, but it appears to have caused a lot of problems. From the thread (certainly not a scientific sampling), many people seem to be filtering port 53 TCP to their name servers.

To their name servers? I think you mean from their caching resolvers to 53/TCP on other hosts.

> Is this common?

Hopefully not. Resolvers MUST be able to make TCP connections to other name servers.

> Does anyone have stats on this (roots, GTLDs, other big name server farms)?

What kind of stats? I might be able to provide some statistics about TC flag usage, but I doubt that this data is interesting.
Re: Port 25 - Backlash
* Martin Hannigan:
> Why would an ISP block port 25 for .edu customers?

BelWue does this: http://www.belwue.de/security/tcp25.html
Re: using TCP53 for DNS
On Tue, 26 Apr 2005, Florian Weimer wrote:
> * Patrick W. Gilmore:
>> At least one DoS mitigation box uses TCP53 to protect name servers. Personally I thought this was a pretty slick trick, but it appears to have caused a lot of problems. From the thread (certainly not a scientific sampling), many people seem to be filtering port 53 TCP to their name servers.
>
> To their name servers? I think you mean from their caching resolvers to 53/TCP on other hosts.

it's a both directions thing. Some folks dropped tcp/53 TO their AUTH servers to protect against AXFR's from folks not their normal secondaries. Obviously this is from before bind8+'s capability to acl. Even after I imagine that folks left the filters in place either 'because' or 'I don't run router acls' or 'laziness'

>> Is this common?
>
> Hopefully not. Resolvers MUST be able to make TCP connections to other name servers.

It seems that what might be more common is resolver code not handling the truncate request properly :( That seemed to be the majority of the problems last time we ran into this problem :(

-Chris
Re: using TCP53 for DNS
On Apr 26, 2005, at 2:45 PM, Florian Weimer wrote:
> * Patrick W. Gilmore:
>> At least one DoS mitigation box uses TCP53 to protect name servers. Personally I thought this was a pretty slick trick, but it appears to have caused a lot of problems. From the thread (certainly not a scientific sampling), many people seem to be filtering port 53 TCP to their name servers.
>
> To their name servers? I think you mean from their caching resolvers to 53/TCP on other hosts.

Either. Both.

>> Is this common?
>
> Hopefully not. Resolvers MUST be able to make TCP connections to other name servers.

I hope not as well, but people have posted here that they are doing so. Which is why I am asking. :-)

>> Does anyone have stats on this (roots, GTLDs, other big name server farms)?
>
> What kind of stats? I might be able to provide some statistics about TC flag usage, but I doubt that this data is interesting.

I am interested in how many name servers - caching or authoritative - are filtering incoming and/or outgoing TCP port 53. _Personally_ I am most interested in what percentage of caching name servers are incapable (either because of filters, software limitations, or any other reason) of making TCP queries. More generally, I am interested in how many name servers are filtering TCP53 in any direction.

--
TTFN,
patrick
Re: using TCP53 for DNS
* Christopher L. Morrow:
> it's a both directions thing. Some folks dropped tcp/53 TO their AUTH servers to protect against AXFR's from folks not their normal secondaries.

Ugh. And they didn't think something like

  permit tcp any any eq 53 established

was necessary?

>> Hopefully not. Resolvers MUST be able to make TCP connections to other name servers.
>
> It seems that what might be more common is resolver code not handling the truncate request properly :(

Caching resolvers or stub resolvers? Caching resolvers would be quite surprising, but you never know. Certainly, there are some applications which cannot cope with large RR sets (qmail comes to my mind).
The not long discussion thread....
I posted to NANOG:
> Jerry Pasker [EMAIL PROTECTED] wrote:
> fine. (after a few tries) I'm using BIND 9.2.4 without the eye pee vee six stuff compiled in. Because I don't want to start something; No discussion about me blocking port 53, ok? I got tired of gobs of log files of script kiddies trying to download my domains 5 years ago...

Steve Sobol replied with:
> I'm not going to enter into a long discussion with you. :) I'm just curious why you didn't restrict AXFR to certain IPs instead.

And I'm posting back to NANOG:

I did. And I had router ACLs doing the same thing. Allow to hosts that needed it, deny for everyone else. And I did this to ALL my DNS servers. I was getting DoSed one day, somewhere in the whereabouts of about 2001, and put in the ACLs, immediately expecting it to break things. (truncated responses needing TCP and/or other things that I didn't foresee). Much to my dismay, it broke nothing. Despite me looking for problems, and asking and pleading my techies to find trouble tickets related to this issue, it didn't happen.

I revisited the issue periodically. Every time there was an unexplained DNS issue, I would think it must be the port 53 block! But alas, I was disappointed each and every time. I've removed and added the ACLs countless times over the years troubleshooting various DNS issues, but this is the first time that removing them actually solved anything.

See, I *WANTED* there to be a problem in blocking port 53, I *BELIEVED* all the talk that it would cause problems, but that problem never showed up. Over the years, eventually I just slowly arrived at the conclusion that all the talk was from people who talked, not from people who were brave enough to try it in a production environment.

4 years later, I was proved inconclusive: Blocking port 53 does break things to servers that are already (apparently?) broken.

-Jerry
Internet2
Hi there,

Just wondering how's internet2 community/partners protecting themselves from lawsuits of illegal use of music/movie downloads. In general, how are they protecting themselves from malicious code infection spreading at internet2 speed? How are the devices coping up with filters in place, if any?

Like to hear what nanog community and the people who are involved w/ internet2 connectivity think. Any insight and /or pointers to any papers will be appreciated.

regards,
/vicky
Re: Port 25 - Backlash
On Tue, 26 Apr 2005 21:49:24 +0300, Hank Nussbacher said:
> On Tue, 26 Apr 2005, Adam Jacob Muller wrote:
>
> Doesn't seem to be stemming the tide of emails from Comcast though:
> http://www.senderbase.org/?searchBy=organizationsearchString=Comcast%20Cable

I'm not arguing about Comcast still spewing - they obviously still have issues in that arena... *However*...

I'd take those numbers with at least a grain of salt, given that they're showing my laptop as having an average magnitude of 4.6 (3.1 for today), and our Listserv server an average magnitude of 4.8 (4.6 for today), saying that long-run my laptop is generating almost as much mail as our Listserv box. And that's not including the e-mail I post while my laptop is at other addresses. I'll overlook the fact that my laptop has sent a whole whopping 16 pieces of mail since midnight, and our Listserv has sent at *least* 40,000.

Why the discrepancy? Because when I post to a list like NANOG or a SecurityFocus list or Linux-Kernel, it gets counted multiple times, once for each recipient sampled by SenderBase. And for extra fun, it appears that it counts *every* machine in the Received: headers, as trapdoor.merit.edu scores a 5.3, segue.merit.edu a 4.3, and testbed9.merit.edu a 4.0. Meanwhile, mail.merit.edu gets a 0.0, because it's not showing up in the Received: lines for NANOG postings, most likely...

The fact that I can from a laptop with a little posting to a few large lists rank higher than all but 53 of AOL's 2,553 listed sources should indicate that perhaps those numbers aren't quite as useful as they appear.

Comcast.net has 31,923 addresses listed at the moment. Do they have 30,000 zombies, or 30,000 customers that post to popular mailing lists? Quite possibly at least partly the latter, as 24.22.118.199 ranks a 3.0 and isn't (as far as I know) a spam zombie, but a frequent poster to the linux-kernel list. Meanwhile, of those 31,923, only 1,969 have a monthly magnitude of 4.7 or more, the 4.8 cutoff is at 1,567, and the last 4.9 is at 1,012. And that 4.9 is (roughly) twice as much as I generate...

OK.. Think about that - of the 30,000+ listed, only 1,000 or so have measured e-mail volumes significantly higher than one guy who posts a lot. Obviously, either my laptop is infested with a spam-spewing AI zombie (which *has* been alleged before), or the SenderBase numbers don't tell the whole story

Another indication: from the message I'm replying to:

Received: from efes.iucc.ac.il (efes.iucc.ac.il [128.139.202.17]) by testbed9.merit.edu (Postfix) with ESMTP id 41125186B for nanog@merit.edu;
From: Hank Nussbacher [EMAIL PROTECTED]

http://www.senderbase.org/search?searchString=128.139.202.17

Hmm.. the IP ranks a 2.5 for the last 30 days, but: No address list shown since no email was detected from iucc.ac.il.

http://www.senderbase.org/search?searchString=mail.iucc.ac.il gets a last 30 days of 0.0.

Ooooh Ky.. maybe we need more than just a pinch of salt here... ;)
Re: Internet2
On Tue, 26 Apr 2005, Vicky Rode wrote: In general, how are they protecting themselves from malicious code infection spreading at internet2 speed? How are the devices coping with filters in place, if any? What is internet2 speed? As far as I can see Internet2 is a 10G based national network. What is so special about that in this day and age? -- Mikael Abrahamsson email: [EMAIL PROTECTED]
Re: Internet2
On Tue, 26 Apr 2005, Mikael Abrahamsson wrote: What is internet2 speed? As far as I can see Internet2 is a 10G based national network. What is so special about that in this day and age? I think the difference is the average connection speeds of the end users of the network. It's not at all uncommon today for a provider with a 10G+ backbone to have 100Mbps or less average connection speed, whereas I2 end users are often on campus networks at gig-E or faster. So the speeds mentioned are the realized speeds in p2p and malware spreading applications, or at least that is my assumption based on the original poster's question.
Re: Internet2
I made that up :-) Basically I meant to say not congested as the current Internet is. regards, /vicky Mikael Abrahamsson wrote: | On Tue, 26 Apr 2005, Vicky Rode wrote: | | |In general, how are they protecting themselves from malicious code |infection spreading at internet2 speed? How are the devices coping |with filters in place, if any? | | | What is internet2 speed? As far as I can see Internet2 is a 10G based | national network. What is so special about that in this day and age? |
Re: Port 25 - Blacklash
[In the message entitled Re: Port 25 - Blacklash on Apr 26, 16:30, [EMAIL PROTECTED] writes:] Comcast.net has 31,923 addresses listed at the moment. Do they have 30,000 zombies, or 30,000 customers that post to popular mailing lists? Quite possibly at least partly the latter, as 24.22.118.199 ranks a 3.0 and isn't (as far as I know) a spam zombie, but a frequent poster to the linux-kernel list. Meanwhile, of those 31,923, only 1,969 have a monthly magnitude of 4.7 or more, the 4.8 cutoff is at 1,567, and the last 4.9 is at 1,012. And that 4.9 is (roughly) twice as much as I generate... They have approximately 40,000 zombies (as measured over all of their ASNs, from 01-JAN to yesterday). Total 277646 7207 1731415 36396 --
Re: using TCP53 for DNS
On Tue, 26 Apr 2005, Florian Weimer wrote: * Christopher L. Morrow: its a both directions thing. Some folks dropped tcp/53 TO their AUTH servers to protect against AXFRs from folks not their normal secondaries. Ugh. And they didn't think something like permit tcp any any eq 53 established was necessary? that only helps for outbound from the server :( not: Hey, this response is going to be too big, come back on TCP! :( Hopefully not. Resolvers MUST be able to make TCP connections to other name servers. It seems that what might be more common is resolver code not handling the truncate request properly :( Caching resolvers or stub resolvers? Caching resolvers would be quite surprising, but you never know. I've seen Windows DNS servers misbehave in this way as well as some firewalls performing DNS cache/proxy for clients internal to enterprises... (the ms boxen doing it was cache servers of course) Certainly, there are some applications which cannot cope with large RR sets (qmail comes to my mind). oh, that has to suck for email delivery, eh? :(
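The two points in the exchange above, that an "established"-only ACL covers connections the server opens but not the TCP retry a resolver makes after a truncated UDP answer, and that a resolver must honour the TC bit rather than use the partial answer, can be seen in code. The following Python is an added example; it is not from any poster and is not BIND or Windows DNS code. It builds a minimal RFC 1035 query, checks the TC flag on the UDP answer, repeats the query over TCP with the two-byte length prefix, and shows what the resolver sees when tcp/53 to the authoritative server is filtered. The fake_udp_*, fake_tcp and fake_tcp_blocked functions are constructed stand-ins for an authoritative server so the example runs offline; the socket-based udp_transport and tcp_transport are included for use against a real server but are not exercised here.

```python
"""Added example: minimal DNS client that honours TC by retrying over TCP
(RFC 1035 sections 4.1.1 and 4.2.2). The fake_* transports are constructed."""
import socket
import struct

FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
QTYPE_A, QCLASS_IN = 1, 1
TXID = 0x1234  # fixed for the offline example; a real resolver randomises this


class TcpFallbackFailed(Exception):
    """The UDP answer was truncated but the TCP retry could not complete."""


def encode_name(name):
    """Dotted name -> DNS label sequence, terminated by the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=QTYPE_A, txid=TXID):
    """Standard query, RD set, one question, no EDNS0 (so the 512-byte UDP limit applies)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the 12-byte header; only the fields this example needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def resolve(qname, udp_send, tcp_send, qtype=QTYPE_A):
    """udp_send(query) -> response bytes; tcp_send(length-prefixed query) -> length-prefixed response.
    Returns (transport_used, parsed_header)."""
    query = build_query(qname, qtype)
    hdr = parse_header(udp_send(query))
    if hdr["id"] != TXID or not hdr["qr"]:
        raise ValueError("not a response to our query")
    if not hdr["tc"]:
        return "udp", hdr
    # Truncated: the conformant move is to repeat the query over TCP. This is the
    # inbound SYN that an "established"-only ACL in front of the server drops.
    try:
        raw = tcp_send(struct.pack("!H", len(query)) + query)
    except OSError as exc:
        raise TcpFallbackFailed(f"TC set but TCP retry failed: {exc}") from exc
    (length,) = struct.unpack("!H", raw[:2])
    return "tcp", parse_header(raw[2:2 + length])


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        data += chunk
    return data


def udp_transport(server, timeout=3.0):
    """Real UDP transport for a live server (not exercised offline)."""
    def send(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            return s.recv(4096)
    return send


def tcp_transport(server, timeout=3.0):
    """Real TCP transport: two-byte length prefix on both query and answer."""
    def send(framed):
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(framed)
            prefix = _recv_exact(s, 2)
            return prefix + _recv_exact(s, struct.unpack("!H", prefix)[0])
    return send


# Constructed stand-ins for an authoritative server. Only headers are realistic;
# the RR bodies are omitted because parse_header does not read them.
def fake_response(query, tc, ancount):
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if tc else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:]


def fake_udp_small(query):      # answer fits in 512 bytes: TC clear
    return fake_response(query, tc=False, ancount=2)


def fake_udp_truncated(query):  # answer too big for UDP: TC set, partial answer
    return fake_response(query, tc=True, ancount=3)


def fake_tcp(framed):           # full answer over TCP, length-prefixed
    resp = fake_response(framed[2:], tc=False, ancount=13)
    return struct.pack("!H", len(resp)) + resp


def fake_tcp_blocked(framed):   # filtered tcp/53 as seen from the resolver side
    raise ConnectionRefusedError("tcp/53 filtered")


if __name__ == "__main__":
    print(resolve("ns1.worldnic.com", fake_udp_small, fake_tcp))
    print(resolve("ns1.worldnic.com", fake_udp_truncated, fake_tcp))
    try:
        resolve("ns1.worldnic.com", fake_udp_truncated, fake_tcp_blocked)
    except TcpFallbackFailed as e:
        print("SERVFAIL:", e)
```

A resolver that used the truncated UDP answer instead of raising, as the misbehaving caches mentioned above effectively do, would return the three records it happened to get and silently drop the rest; the correct outcome when TCP is filtered is a failed lookup that shows up in logs, not a quietly incomplete RR set.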
Re: Internet2
On Tue, Apr 26, 2005 at 02:07:15PM -0700, Vicky Rode wrote: Basically I meant to say not congested as the current Internet is. It is? Regards, Daniel -- CLUE-RIPE -- Jabber: [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- PGP: 0xA85C8AA0
Re: Internet2
Basically I meant to say not congested as the current Internet is. cool. and your measurements of internet congestion are? cites, please. randy
Re: Internet2
On Tue, 26 Apr 2005, Vicky Rode wrote: Basically I meant to say not congested as the current Internet is. If your ISP has congested links you should complain and switch if not fixed promptly. -- Mikael Abrahamsson email: [EMAIL PROTECTED]
Re: Internet2
On Apr 26, 2005, at 5:17 PM, Daniel Roesen wrote: On Tue, Apr 26, 2005 at 02:07:15PM -0700, Vicky Rode wrote: Basically I meant to say not congested as the current Internet is. It is? Parts. Other parts have better connectivity than I2 nodes. You can't really say anything about the _entire_ Internet. -- TTFN, patrick
Re: Internet2
On Tue, Apr 26, 2005 at 11:18:08PM +0200, Mikael Abrahamsson wrote: On Tue, 26 Apr 2005, Vicky Rode wrote: Basically I meant to say not congested as the current Internet is. If your ISP has congested links you should complain and switch if not fixed promptly. WTF.. She asked a simple question and five people are slamming her for no apparent reason. --Adam
Re: Port 25 - Blacklash
On Tue, 26 Apr 2005 14:10:33 PDT, Dave Rand said: [In the message entitled Re: Port 25 - Blacklash on Apr 26, 16:30, Valdis.K [EMAIL PROTECTED] writes:] Comcast.net has 31,923 addresses listed at the moment. They have approximately 40,000 zombies (as measured over all of their ASNs, from 01-JAN to yesterday). Oh, I *started off* by saying that Comcast had a spewage problem. My point was that you can't use SenderBase to draw conclusions from, without doing a lot of cross-checking of the data against other sources...
Re: Port 25 - Blacklash
Do all of Comcast's markets block port 25? Is there a correlation between spam volume and the ones that do (or don't)? In any event the malware is already ahead of port 25 blocking and is leveraging ISP smarthosting. SMTP-Auth is the pill to ease this pain. - Dan On 4/26/05 2:49 PM, Hank Nussbacher [EMAIL PROTECTED] wrote: On Tue, 26 Apr 2005, Adam Jacob Muller wrote: Doesn't seem to be stemming the tide of emails from Comcast though: http://www.senderbase.org/?searchBy=organization&searchString=Comcast%20Cable -Hank For example, about 2 months ago, comcast decided to block outgoing port 25 from my entire neighborhood. I called comcast, and while sitting on hold I had the idea to setup a ssh tunnel to a machine at work and voilà, problem solved before anyone from comcast even answered the phone.
Re: Port 25 - Blacklash
[In the message entitled Re: Port 25 - Blacklash on Apr 26, 17:50, Daniel Golding writes:] Do all of Comcast's markets block port 25? Is there a correlation between spam volume and the ones that do (or don't)? No. Yes. The ones that don't block port 25 emit more spam than the ones that do. In any event the malware is already ahead of port 25 blocking and is leveraging ISP smarthosting. SMTP-Auth is the pill to ease this pain. Correct. And/or rate limiting, by understanding which customers are using which IP addresses (more or less tying the networking infrastructure to the email infrastructure, which is something that many ISPs are not yet doing). --
Re: Internet2
On Tue, 26 Apr 2005, Vicky Rode wrote: Just wondering how the internet2 community/partners are protecting themselves from lawsuits over illegal music/movie downloads. In general, how are they protecting themselves from malicious code infection spreading at internet2 speed? How are the devices coping with filters in place, if any? I'd like to hear what the nanog community and the people who are involved w/ internet2 connectivity think. I don't differentiate between my Internet2 connectivity and my other connectivity regarding network abuse issues. Each is a conduit for good and bad stuff, each has a NOC when I need it. Jay Ford, Network Engineering Group, Information Technology Services University of Iowa, Iowa City, IA 52242 email: [EMAIL PROTECTED], phone: 319-335-, fax: 319-335-2951
Sheet could shelter Wi-Fi from eavesdroppers
Well, occasionally something really cool comes along, and you just gotta share it. :-) This is semi-operational, so http://news.com.com/Sheet+could+shelter+Wi-Fi+from+eavesdroppers/2100-1029_3-5685431.html ..there. :-) - ferg -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/
Re: Internet2
since you deviated from my original post... http://www.icir.org/floyd/ccmeasure.html regards, /vicky Daniel Roesen wrote: | On Tue, Apr 26, 2005 at 02:07:15PM -0700, Vicky Rode wrote: | |Basically I meant to say not congested as the current Internet is. | | | It is? | | | Regards, | Daniel |
NPR program: The Internet as a public utility
NPR program: The Internet as a public utility Talking heads (audio only) http://www.npr.org/templates/story/story.php?storyId=4618769 A worthy listen, imo, focused primarily on municipal wireless nets. With thanks to Tom Hertz of Fiber utilities of Iowa who posted to the Cook Report discussion list. --- Frank A. Coluccio DTI Consulting Inc. New York
Re: The not long discussion thread....
Jerry Pasker wrote: Steve Sobol replied with: I'm not going to enter into a long discussion with you. :) I'm just curious why you didn't restrict AXFR to certain IPs instead. And I'm posting back to NANOG: I did. And I had router ACLs doing the same thing. Allow to hosts that needed it, deny for everyone else. And I did this to ALL my DNS servers. What were the router ACLs doing that the DNS server ACLs weren't/couldn't? -- JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET (4638) Steven J. Sobol, Geek In Charge / [EMAIL PROTECTED] / PGP: 0xE3AE35ED The wisdom of a fool won't set you free --New Order, Bizarre Love Triangle
FCC Chief Wants 911 Service for Internet Phones
Prepare for the inevitable. http://news.yahoo.com/news?tmpl=storyu=/nm/20050426/wr_nm/telecoms_voip_911_dc - ferg -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/
Re: The not long discussion thread....
On Tue, 26 Apr 2005, Steve Sobol wrote: Jerry Pasker wrote: Steve Sobol replied with: I'm not going to enter into a long discussion with you. :) I'm just curious why you didn't restrict AXFR to certain IPs instead. And I had router ACLs doing the same thing. Allow to hosts that needed it, deny for everyone else. And I did this to ALL my DNS servers. What were the router ACLs doing that the DNS server ACLs weren't/couldn't? This, it seems, was an unfortunate side effect (as I pointed out earlier) of legacy software and legacy config... if I had to guess.
Schneier: ISPs should bear security burden
I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this. Links here: http://www.vnunet.com/news/1162720 ...and, of course, here: http://fergdawg.blogspot.com/2005/04/schneier-isps-should-bear-security.html Off list, if you'd like. Or not. - ferg -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/
Re: Schneier: ISPs should bear security burden
On 4/27/05, Fergie (Paul Ferguson) [EMAIL PROTECTED] wrote: I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this. He's right. ISPs owe it to their users, if not to the rest of the Internet community, to do this. A lot of it is also part of the MAAWG bcps on spam (though the BCPs, when implemented, will do a lot more good than just cut down on spam) -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Schneier: ISPs should bear security burden
I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this. It means 10 different things to 10 different people. The article was vague. Security could mean blocking a few ports, simple Proxy/NAT, blocking port 25 (or 139... or 53.. heh heh) or a thousand different things. There is a market for this, it's called managed services. ISPs do this type of thing all the time. And customers pay for it. Maybe he means broadband home users. News flash... home users will get it wherever it's cheap. And cheap means no managed services. To the author of the article: Should ISPs be *REQUIRED* to do it? Just try it and see what happens try to pass a law and regulate the internet, I dare you... :-) (I double-dog-dare you to get the law makers to understand it first!) Every security appliance ven-duh on the planet would be in there, trying to have laws written that would require the use of their own proprietary solutions to the problem. (and the proposed problem would differ depending upon the solutions that the particular ven-duh offered) Wait a second... this article was FROM security ven-duhs... all offering solutions to these problems...uh-oh this is probably their first move in getting a law. step 1) cause a public outcry... so it's starting already. I think we've all seen this act before. Some days, the world really annoys me. :-( -Jerry
Re: Schneier: ISPs should bear security burden
I think it's absurd. I expect my water delivery company not to add pollutants in transit. I expect my water production company to provide clean water. This is like asking the phone company to prevent minors from hearing swear-words on telephone calls or prevent people from being able to make prank phone calls from pay-phones. When Mr. Schneier gets that level of service from his phone company, then, perhaps he can expect the same from his ISP. The worst part of that article is that it only quotes people with a vested interest in selling service-provider based solutions to end-host based problems. So much for any sort of journalistic ethic, fact checking, or, unbiased reporting. Owen --On Wednesday, April 27, 2005 3:09 + Fergie (Paul Ferguson) [EMAIL PROTECTED] wrote: I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this. Links here: http://www.vnunet.com/news/1162720 ...and, of course, here: http://fergdawg.blogspot.com/2005/04/schneier-isps-should-bear-security.html Off list, if you'd like. Or not. - ferg -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/ -- If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.
Re: Schneier: ISPs should bear security burden
Oh, come on Jerry, you're beginning to sound like part of the problem. Stop being a knee-jerking curmudgeon for a moment and think about what Schneier is _really_ saying. Being vague, and obfuscating the issue with vague answers, doesn't do due diligence. - ferg Jerry Pasker [EMAIL PROTECTED] wrote: I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this. It means 10 different things to 10 different people. The article was vague. Security could mean blocking a few ports, simple Proxy/NAT, blocking port 25 (or 139... or 53.. heh heh) or a thousand different things. There is a market for this, it's called managed services. ISPs do this type of thing all the time. And customers pay for it. Maybe he means broadband home users. News flash... home users will get it wherever it's cheap. And cheap means no managed services. To the author of the article: Should ISPs be *REQUIRED* to do it? Just try it and see what happens try to pass a law and regulate the internet, I dare you... :-) (I double-dog-dare you to get the law makers to understand it first!) Every security appliance ven-duh on the planet would be in there, trying to have laws written that would require the use of their own proprietary solutions to the problem. (and the proposed problem would differ depending upon the solutions that the particular ven-duh offered) Wait a second... this article was FROM security ven-duhs... all offering solutions to these problems...uh-oh this is probably their first move in getting a law. step 1) cause a public outcry... so it's starting already. I think we've all seen this act before. Some days, the world really annoys me. :-( -Jerry -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/
Re: Schneier: ISPs should bear security burden
Why do ISPs owe this to their customers? I expect my ISP to deliver packets sent to me, and, to pass along packets I send out. That is the sum total of what I expect from my ISP, and, it's what my contract says is supposed to happen. Where does this belief come from that when user A at company Y sends a packet full of garbage to user B at company Z the ISP at either end is responsible for the contents of the packet? That's like making the phone company responsible for the content of a conversation or saying that Safeway distribution is responsible for the content of Arrowhead spring water bottles that reach Safeway stores. Owen --On Wednesday, April 27, 2005 8:54 +0530 Suresh Ramasubramanian [EMAIL PROTECTED] wrote: On 4/27/05, Fergie (Paul Ferguson) [EMAIL PROTECTED] wrote: I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this. He's right. ISPs owe it to their users, if not to the rest of the Internet community, to do this. A lot of it is also part of the MAAWG bcps on spam (though the BCPs, when implemented, will do a lot more good than just cut down on spam) -- If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.
Re: Schneier: ISPs should bear security burden
Oh, please. If you think that the Internet should remain an every man for himself, wild wild west, OK Corral situation (not my words, mind you), then you better get with the powers that will steam-roll all of us if we let it -- money and marketing. This ain't no science project anymore. Bruce is right -- right as rain -- I don't give two damns whether you think it is an issue of marketing, or protective self-advertising. The issue is that the _consumers_ want it, that's what they'll pay for, and it is the ISP's prerogative to either honor that wish, or lose the business. We owe it to our customers, and we owe it to ourselves, so let's just stop finding excuses to side-step the issue. Sound about right? - ferg Owen DeLong [EMAIL PROTECTED] writes: So much for any sort of journalistic ethic, fact checking, or, unbiased reporting. -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/