Worldnic does TCP-before-UDP DNS tricks, breaking powerdns recursor and those w/o TCP connectivity
Hi Nanog people,

The PowerDNS recursor has hit a snag resolving www.kde-look.org. It appears Worldnic has implemented 'TCP-before-UDP' on ns{9,10}.worldnic.com, whereby it sends out answers with the truncated bit set, and without an actual answer. Once the client has re-asked the query over TCP, it from then on allows UDP queries. This is possibly done to prevent DoS attacks.

This hits those people who've been running the pdns recursor w/o heeding the warning on http://doc.powerdns.com/built-in-recursor.html stating our inadequacies regarding truncated packets. But it also hits everybody who only allows UDP port 53, which generally works fine, except now! Recall the AOL huge packet event from way back. So make sure your resolvers have TCP connectivity!

And yes, my message may read a bit like djb's back in the time AOL started to use > 512 byte packets :-)

The problem is solved in SVN luckily. Apologies. But just a heads up that if you suddenly have non-working Worldnic domains, you now know two possible causes.

A quick solution for PowerDNS recursor users is to run 'dig www.kde-look.org @ns9.worldnic.com' periodically. Or upgrade to the SVN snapshot mentioned below, but do note that it is experimental.

Wiki: http://wiki.powerdns.com/projects/trac/
Message: http://mailman.powerdns.com/pipermail/pdns-users/2005-July/002414.html
SVN snapshot solving the problem: http://ds9a.nl/pdns/pdns-2.9.18-svn.tar.gz

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software
http://netherlabs.nl         Open and Closed source services
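As an added example (not code from the post or from PowerDNS), the decision a resolver has to make on the reply described above: a UDP reply with TC set and no answer records is not an answer and must be repeated over TCP, which is why the resolver needs outbound TCP/53. The packets below are constructed by hand and the function names are this example's own.

```python
import struct

QR, TC = 0x8000, 0x0200  # header flag bits, RFC 1035 section 4.1.1

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qid, name, qtype=1):
    """Recursion-desired query; the same message is sent over UDP or TCP."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def tcp_frame(msg):
    """Over TCP the message is prefixed with its 16-bit length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def classify_udp_reply(qid, reply):
    """'answer', 'retry-tcp' or 'bogus' for a reply received over UDP.

    The Worldnic case is TC set with ANCOUNT 0: the reply carries no
    usable data, so caching it or handing it to the client is wrong; the
    only correct move is to repeat the query over TCP.
    """
    if len(reply) < 12:
        return "bogus"
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != qid or not flags & QR:
        return "bogus"
    if flags & TC:
        return "retry-tcp"
    return "answer"

def tc_without_answer(reply):
    """The exact signature the post describes: truncated and empty."""
    flags = struct.unpack("!H", reply[2:4])[0]
    an = struct.unpack("!H", reply[6:8])[0]
    return bool(flags & TC) and an == 0

# Constructed samples: the TC+empty reply and a normal one-answer reply.
QUERY = build_query(0x1234, "www.kde-look.org")
QUESTION = QUERY[12:]
TC_EMPTY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUESTION
ANSWER_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 10])
NORMAL = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION + ANSWER_RR

if __name__ == "__main__":
    print(classify_udp_reply(0x1234, TC_EMPTY), tc_without_answer(TC_EMPTY))  # retry-tcp True
    print(classify_udp_reply(0x1234, NORMAL), tc_without_answer(NORMAL))      # answer False
```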
Re: Above.net problems ??
On Wed, Nov 26, 2003 at 11:31:32AM -0700, Duane Wessels wrote:
> In my simulations with 100% packet loss, DNS caches running BIND8,
> dnscache, W2000, and W2003 all amplified the user's query rates.
> Only BIND9 attenuated.

pdns_recursor also throttles queries, see http://doc.powerdns.com/x2025.html

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software
http://lartc.org             Linux Advanced Routing & Traffic Control HOWTO
Re: VeriSign SMTP reject server updated
On Sat, Sep 20, 2003 at 02:16:34PM -0400, Dave Stewart wrote:
> >implementation using Postfix that should address many of the concerns
> >we've heard. Like snubby, this server rejects any mail sent to it (by
> >returning 550 in response to any number of RCPT TO commands).
>
> ICANN has requested that Verisign remove the wildcards in .com and
> .net. So what you're basically saying here is: that ain't gonna
> happen. Correct?

Please don't try to force the benevolent techie into making further policy statements - I think Matt is doing us enough of a favour already by keeping us into the loop to the extent he can. Don't try to bait him.

Thanks.

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software
http://lartc.org             Linux Advanced Routing & Traffic Control HOWTO
Re: Root Server Operators (Re: What *are* they smoking?)
On Wed, Sep 17, 2003 at 03:35:31PM +0200, Stefan Baltus wrote:
> On Wed, Sep 17, 2003 at 09:27:13AM -0400, Todd Vierling wrote:
> > On Wed, 17 Sep 2003, Paul Vixie wrote:
> > : > Anyone have a magic named.conf incantation to counter the verisign
> > : > braindamage?
> > : zone "com" { type delegation-only; };
> > : zone "net" { type delegation-only; };
>
> My first reaction to this was: 'yuck'. I'm not sure of the
> side-effects this will introduce. Anyone?

The only thing I am slightly worried about is setups that currently "work" because they rely on glue. Nothing is to stop someone from doing:

    yourdomain.com        IN NS   www.yourdomain.com.
    yourdomain.com        IN NS   yourdomain.com.
    www.yourdomain.com    IN A    1.2.3.4
    yourdomain.com        IN A    1.2.3.4

And not run a nameserver at all and completely rely on glue. Something like this can be seen on www.airow.com:

    $ dig www.airow.com @a.gtld-servers.net
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24292
    ;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;www.airow.com.                 IN      A

    ;; ANSWER SECTION:
    www.airow.com.          172800  IN      A       66.82.206.10

Note the lack of 'aa' bit - but I wonder how many resolvers were accepting this answer. I know pdns_recursor does, it trusts glue to be right.

In this case, if we actually bother to ask the nameserver www.airow.com for the IP address of www.airow.com, we don't get an answer. If we ask the other listed nameserver for airow.com (ns1.rfwwp.com), we get a different IP address, 208.191.129.189.

Different recursors that are publicly available (130.161.180.1, 195.96.96.97) appear to return the first address when currently queried for www.airow.com, so they trust the glue too. After delegation-only, they will start to return 208.191.129.189. Which is probably an improvement, but a change no less.

So I'm unsure about ISC's approach.

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software
http://lartc.org             Linux Advanced Routing & Traffic Control HOWTO
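As an added example, neither the post's own code nor BIND's or pdns_recursor's, the two ways a resolver can treat the www.airow.com reply quoted above: trusting the ANSWER-section glue as a final answer, versus a delegation-only treatment that ignores non-authoritative answer data and follows the delegation instead. The reply is reconstructed from the dig output; the additional-section address for ns1.rfwwp.com is a made-up placeholder, and the Record type and function names are this example's own.

```python
from collections import namedtuple

Record = namedtuple("Record", "section name rtype rdata")

def same_name(a, b):
    return a.lower().rstrip(".") == b.lower().rstrip(".")

def is_subdomain(name, zone):
    """True when name is zone or lies below it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def trusting_resolver(qname, aa, records):
    """Pre-delegation-only behaviour: any A record for qname in ANSWER is
    taken as the answer, whether or not the server set 'aa'."""
    return [r.rdata for r in records
            if r.section == "ANSWER" and r.rtype == "A" and same_name(r.name, qname)]

def delegation_only(qname, aa, records, zone):
    """Only authoritative data counts as an answer for names under zone.

    Otherwise ANSWER records are dropped; an NS set in AUTHORITY for a
    child of zone becomes a referral whose glue is used only to reach the
    listed servers; with no delegation at all the result is NXDOMAIN.
    """
    if aa:
        return "answer", trusting_resolver(qname, aa, records)
    delegation = [r for r in records
                  if r.section == "AUTHORITY" and r.rtype == "NS"
                  and is_subdomain(qname, r.name) and is_subdomain(r.name, zone)
                  and not same_name(r.name, zone)]
    if not delegation:
        return "nxdomain", []
    ns_names = sorted({r.rdata.lower() for r in delegation})
    glue = {r.name.lower(): r.rdata for r in records
            if r.section == "ADDITIONAL" and r.rtype == "A" and r.name.lower() in ns_names}
    return "referral", {"zone": delegation[0].name, "ns": ns_names, "glue": glue}

# Constructed from the dig output in the post: the ANSWER section holds
# glue for www.airow.com and the reply lacks the 'aa' bit.
AIROW_REPLY = [
    Record("ANSWER", "www.airow.com.", "A", "66.82.206.10"),
    Record("AUTHORITY", "airow.com.", "NS", "www.airow.com."),
    Record("AUTHORITY", "airow.com.", "NS", "ns1.rfwwp.com."),
    Record("ADDITIONAL", "www.airow.com.", "A", "66.82.206.10"),
    Record("ADDITIONAL", "ns1.rfwwp.com.", "A", "192.0.2.53"),  # placeholder address
]

if __name__ == "__main__":
    print(trusting_resolver("www.airow.com", False, AIROW_REPLY))
    print(delegation_only("www.airow.com", False, AIROW_REPLY, "com"))
```

With the referral in hand the resolver goes on to ask www.airow.com and ns1.rfwwp.com themselves, which is how the answer changes to 208.191.129.189 in the post's account.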
Re: Root Server Operators (Re: What *are* they smoking?)
On Wed, Sep 17, 2003 at 05:13:45AM +, Paul Vixie wrote:
> therefore i believe that while they may have to change the A RR from time to
> time according to their transit contracts, verisign won't insert an NS RR
> into the sitefinder redirection. if they do, and if bind's user community
> still wants to avoid sitefinder, they can declare the second server "bogus",
> with no new code changes from isc. but that all seems terribly unlikely.

I for one expect a small arms race over this - I'm not implementing the end-all solution quite yet as I expect some further moves by VRSN.

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software
http://lartc.org             Linux Advanced Routing & Traffic Control HOWTO
Re: Not the best solution, but it takes VeriSign out of the loop
On Tue, Sep 16, 2003 at 11:07:41AM -0700, Mike Damm wrote:
>
> Who's up for creating a network of new gTLD servers? I'm sure it wouldn't be
> too hard to reconstruct 90% of the com/net zones from publicly available
> data (http://www.deleteddomains.com/newlist.shtml?cid=11673-11084 would be a
> good start). Constantly farming for missed zones, and maybe even querying
> the "real" servers for missing data. The updates would be a day or two
> behind the "real" zones, but once you got a good number of eyeballs looking
> to your servers instead of VeriSign's, you could probably convince quite a
> few registrars to start sending you updates too.

You can download the real zones if you want easily enough. Some years ago all this took was sending a few faxes.

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software
http://lartc.org             Linux Advanced Routing & Traffic Control HOWTO
Re: Verisign Countermeasures - BIND and djbdns patches
On Tue, Sep 16, 2003 at 04:04:07PM +0100, Adam Langley wrote: > > On Tue, Sep 16, 2003 at 04:03:08PM +0100, Adam Langley wrote: > I'm collecting countermeasures to the verisign wildcard DNS records > at http://www.imperialviolet.org/dnsfix.html. Currently there are > patches for BIND 9.2.2 and djbdns (not authored by myself) and a > Linux userland/netfilter program that rewrites DNS packets (which is). Very early patch for pdns_recursor (GPL & everything) below. I'll work up something more permanent, perhaps tonight. Index: syncres.cc === RCS file: /var/cvsroot/pdns/pdns/syncres.cc,v retrieving revision 1.22 diff -u -B -b -r1.22 syncres.cc --- syncres.cc 16 Sep 2003 10:52:12 - 1.22 +++ syncres.cc 16 Sep 2003 11:08:16 - @@ -412,6 +412,11 @@ } // for ANY answers we *must* have an authoritive answer else if(i->d_place==DNSResourceRecord::ANSWER && toLower(i->qname)==toLower(qname) && (i->qtype==qtype || ( qtype==QType(QType::ANY) && aabit))) { + if(qtype.getCode()==QType::A && i->content=="64.94.110.11") { + done=false; + d_lwr.d_rcode=RCode::NXDomain; + break; + } LOG
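Review bot: the SiteFinder address 64.94.110.11 is hard-coded into the comparison in the syncres.cc hunk; since the A RR can change (as Paul Vixie notes elsewhere in this thread), the address list belongs in a configuration setting rather than in the source. The new guard only fires for `qtype.getCode()==QType::A`, so an ANY query that receives the same 64.94.110.11 A record still passes through the existing `qtype==QType(QType::ANY) && aabit` branch unchanged. The hunk is cut off after `LOG`, so whether the `break` after setting `d_lwr.d_rcode=RCode::NXDomain` also discards records accepted in earlier iterations of the loop cannot be judged from what is shown.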
PowerDNS open source since 25th of November
I humbly & grovelingly like to point out here that PowerDNS, the database (and ldap, perl, 'pipe' and bind zonefile) driven nameserver is open source. I think it may be useful for many operators here, especially as PDNS is well suited for 'BGP DNS' trickery. It is GPL licensed and is BIND compatible for the majority of authoritative setups.

Many do not know this yet, probably in part due to the helpful moderators of comp.protocols.dns.bind, the DNS operators newsgroup on usenet, who drop messages about PowerDNS.

BIND compatible means that you can point PDNS at your named.conf and have a working nameserver. It goes beyond BIND in adding cool commands such as 'pdns_control bind-list-rejects' that list all rejected zones, and the reason for their rejection, and at which time this happened. 'bind-domain-status' is the command that can tell you at which point in time all (or specific) zones were loaded, or a specific zone. 'bind-reload-now' tells PowerDNS to reload a zone from disk NOW.

BIND mode is fast too, a Dutch ISP tested it with 56000 zones, some of which with 100.000 records, and it launched in 75 seconds on commodity hardware. Notably, PowerDNS answers questions while loading zones! It only answers about those zones that have been loaded, however.

In database mode (PostgreSQL, MySQL, Oracle, DB2, ODBC) or in table mode ('XDB' -> tridge DB, dbm, Berkeley db2) or in LDAP mode, there is no startup time to speak of. In that case, the tool 'zone2sql' is provided to help with migration, which you can simply point at your named.conf.

Other cool features, which are non-bind-mode specific, include 'retrieve', which causes PDNS to retrieve a domain from its master *immediately*. Conversely, 'notify' causes PDNS to send out an immediate notification, whether PDNS considers the domain changed or not. 'notify-host' can be used to send a notification to a specific IP address, whether it is a master or not.

The pipe-backend allows a coprocess (which accepts questions on stdin and provides answers on stdout) written in any language to do dynamic resolution, which is great for failover, loadbalancing or BGP DNS style tricks. See http://doc.powerdns.com/pipebackend-dynamic-resolution.html

I invite you to check out http://doc.powerdns.com and http://www.powerdns.com/downloads and http://www.powerdns.org.

Sample BIND-compatible pdns.conf is:

    launch=bind
    bind-config=/etc/bind/named.conf
    master
    slave

Thanks.

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software
http://lartc.org             Linux Advanced Routing & Traffic Control HOWTO
http://netherlabs.nl         Consulting
Re: COM/NET informational message
On Fri, Jan 03, 2003 at 12:26:05PM -0800, just me wrote:
> Am I the only one that finds this perversion of the DNS protocol
> abhorrent and scary? This is straight up hijacking.

I find Microsoft blatantly sending out UTF-8 and 'another local encoding' to nameservers interesting too. The real question is why they don't move to the proposed 7-bit clean mappings themselves. Microsoft are supposed to have quite warm relations with Verisign, even after the certificate spat.

Wrt to the stunt that Verisign has employed today, well, they are in this thing to make money, we all know that, and it isn't that bad. They capture wrong queries and fix them up so they can sell more domains. Sure, it looks suspicious and like something that should've been discussed more (I really like announcements about something that will happen on January 3rd on January 3rd). But downright evil? Any query with a >127 character in it is bogus after all. Furthermore, it is a query for '.COM' which they host anyhow. It's not like this is about queries that would otherwise have not ended up at them. No new.net-style tricks.

Evil would've been to just start selling UTF-8 domains and force flag day upon the nameserver and mailserver world.

Reiterating, the real issue is that this needs a plugin. What happens in that plugin is also very interesting. I suspect source isn't available, who knows what is going on in there. Potentially, the i-Nav plugin hands Verisign the keys of the internet, or at least the keys of Internet Explorer, which is a slightly different thing.

Regards,
bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software
http://lartc.org             Linux Advanced Routing & Traffic Control HOWTO
http://netherlabs.nl         Consulting
Re: COM/NET informational message
On Fri, Jan 03, 2003 at 07:15:43PM +, E.B. Dreger wrote:
> Yes, comparisons are case-insensitive. So what? strcasecmp()
> works on ASCII strings. Now it must work on .
> Why not let be UTF-8, something programmers
> should support already? Maybe MS-style Unicode encoding? Why
> add yet another encoding?!

Even the current MS encoding does not work. Check out 130.161.180.1, which I think runs VMS. It does not even pass >127 characters to the root-servers. It is the nameserver for a /16.

    dig www.abcþ.com A @130.161.180.1     <- www.abc\xfe.com

> I fear I may be straying OT, for this is layers 6/7...

Hoping for all nameservers to magically break RFC compliance because you think a 'properly coded nameserver' should behave is naive to say the least. PowerDNS may well lowercase your query using functions not guaranteed to do anything useful on >127 characters. Perhaps they are being helpful and change capital-U-umlaut to lowercase-U-umlaut. Who knows.

Regards,
bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software
http://lartc.org             Linux Advanced Routing & Traffic Control HOWTO
http://netherlabs.nl         Consulting
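An added example (not from the post, and not PowerDNS code) of the point just made: an ASCII-only fold, which is all DNS case-insensitivity requires, leaves bytes above 127 alone, whereas a "helpful" locale-aware lowercase applied to the same bytes silently rewrites them. The www.abc\xfe.com name is the one from the post; the umlaut sample is constructed.

```python
def dns_lower(name: bytes) -> bytes:
    """Fold only ASCII A-Z; any other byte, including those above 127,
    passes through unchanged."""
    return bytes(b + 32 if 0x41 <= b <= 0x5A else b for b in name)

def dns_equal(a: bytes, b: bytes) -> bool:
    """Case-insensitive comparison of two wire-form names."""
    return dns_lower(a) == dns_lower(b)

def helpful_lower(name: bytes) -> bytes:
    """A locale-aware lowercase applied to the raw bytes as Latin-1: it
    quietly turns 0xDC (capital U-umlaut) into 0xFC, so the query name no
    longer matches what the client sent byte for byte."""
    return name.decode("latin-1").lower().encode("latin-1")

# The >127 example from the post (www.abc\xfe.com) plus a constructed one.
SAMPLES = [b"WWW.ABC\xfe.COM", b"\xdcBER.example"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, dns_lower(s), helpful_lower(s))
```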
Re: Dutch translation needed
On Wed, Jan 01, 2003 at 05:32:36PM -0700, James-lists wrote:
>
> I am not getting through to speed.planet.nl in English, can anyone give
> me a decent translation of in Dutch (The Netherlands):

Everybody here speaks English. If they are ignoring you, they will ignore you in Dutch too.

Regards,
bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software
http://lartc.org             Linux Advanced Routing & Traffic Control HOWTO
http://netherlabs.nl         Consulting
Re: proposed government regulation of .za namespace
On Sat, May 25, 2002 at 09:04:40AM -0700, Randy Bush wrote:
> > > ISC has had very little in the way of problems as a .ZA slave
> > its the ac.za and co.za messes

Try registering a domain with co.za if any of your nameservers sits on an RFC2317 classlessly delegated reverse, and where your nameserver does not recurse.

They have a script that checks if YOUR nameserver knows about ITS ip address and they query for the 1:1 in-addr.arpa mapping. If your nameserver does not provide an answer they like, they are unable to let registration go through. Our nameservers reply with a SERVFAIL as they are not authoritative for their 1:1 in-addr.arpa mapping and only know about the RFC2317 indirected one.

I argued about this with them *at length* and they kept inventing more reasons why I was breaking RFC compliance. They even told me they couldn't accept my nameservers as these would 'waste bandwidth' which was 'terribly expensive' in South Africa. It probably is, but that has nothing to do with my nameservers and their reverse delegation!

In the end sanity more or less broke out and one of them stated that they were very busy with legislation &c and unable to change a script that was only causing problems for me and for nobody else. Now I doubt the last part, but I can understand them being undermanned.

And then we gave it up. Good luck to them all.

Regards,
bert

-- 
http://www.PowerDNS.com      Versatile DNS Software & Services
http://www.tk                the dot in .tk
http://lartc.org             Linux Advanced Routing & Traffic Control HOWTO
Re: Selective DNS replies
On Wed, Apr 24, 2002 at 08:55:15PM +0100, Avleen Vig wrote:
>
> This subject has probably been talked to death, so I apologise in advance
> for bringing it up!
>
> Is there any DNS server currently available that can reply to DNS lookups
> based on the source IP address?

http://www.powerdns.com/pdns and especially http://doc.powerdns.com/a1405.html#PIPEBACKEND and http://doc.powerdns.com/backend-writers-guide.html

But beware, it is not free, not as in beer and not as in speech! Free for not-for-profit use though.

The pipebackend will let you do this in perl or in python or whatever. You could also code more complete backends in C++ using the third URL.

Regards,
bert

-- 
http://www.PowerDNS.com      Versatile DNS Software & Services
http://www.tk                the dot in .tk
http://lartc.org             Linux Advanced Routing & Traffic Control HOWTO
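One way to do the source-address based replies asked about here with the pipe backend (the coprocess on stdin/stdout that the PowerDNS announcement further down the page also describes), as an added example that is not PowerDNS's own code: a coprocess speaking pipe ABI version 1, where pdns sends "HELO<tab>1" once and then one "Q<tab>qname<tab>qclass<tab>qtype<tab>id<tab>remote-ip" line per question, and the backend answers with DATA lines followed by END. The zone name, address ranges and answers below are made up; a real deployment would also have to answer the SOA and NS queries PowerDNS sends for the zone.

```python
#!/usr/bin/env python3
import ipaddress
import sys

ZONE = "example.net"
# Constructed policy: which resolver asks decides which address it gets.
VIEWS = [
    (ipaddress.ip_network("10.0.0.0/8"),   "10.1.1.80"),     # internal clients
    (ipaddress.ip_network("192.0.2.0/24"), "198.51.100.80"), # a peer's resolvers
]
DEFAULT_A = "203.0.113.80"
TTL = 60

def pick_address(remote_ip):
    """First matching view wins; anyone else gets the public address."""
    addr = ipaddress.ip_address(remote_ip)
    for net, target in VIEWS:
        if addr in net:
            return target
    return DEFAULT_A

def handle(line):
    """Turn one line from pdns into the list of lines to send back."""
    fields = line.rstrip("\n").split("\t")
    if fields[0] == "HELO":
        # Only ABI version 1 is implemented by this example.
        return ["OK\tselective-pipe-example"] if fields[1:] == ["1"] else ["FAIL"]
    if fields[0] != "Q" or len(fields) != 6:
        return ["FAIL"]
    _, qname, qclass, qtype, qid, remote = fields
    name = qname.lower().rstrip(".")
    if qclass != "IN" or name != "www." + ZONE or qtype not in ("A", "ANY"):
        return ["END"]  # not ours or no such record: empty answer, not a failure
    rr = "DATA\t%s\t%s\tA\t%d\t%s\t%s" % (qname, qclass, TTL, qid, pick_address(remote))
    return [rr, "END"]

def main():
    # Flushing after every question matters: pdns waits for END before
    # sending the next query, so buffered output would stall the server.
    for line in sys.stdin:
        for out in handle(line):
            sys.stdout.write(out + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```

Configured via launch=pipe with pipe-command pointing at this script, the same www.example.net A query yields a different address depending on the resolver that asks.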
connections to SOA mname?
On Fri, Apr 19, 2002 at 06:32:58PM -0700, Simon Higgs wrote:
> SOAs with bogus.domain.names pointing to 127.0.0.1 appear to be causing
> email to bounce (amongst other things). Is there something out there

I wouldn't know how that could happen. However, we see *very* sporadic http connections to the mname of a popular zone (iex.nl) and even have one report of somebody seeing a page hosted on its mname when trying to visit iex.nl. But we're very unsure why this is happening.

It looks like some kind of fallback 'if there is no A record for what I'm looking for, try the mname of the SOA of the zone' perhaps? It has been too sporadic to investigate properly.

Regards,
bert hubert

-- 
http://www.PowerDNS.com      Versatile DNS Software & Services
http://www.tk                the dot in .tk
http://lartc.org             Linux Advanced Routing & Traffic Control HOWTO
Re: is your host or dhcp server sending dns dynamic updates for rfc1918?
On Fri, Apr 19, 2002 at 10:06:19AM -0700, Randy Bush wrote:
> > according to our border flow stats, not all of them get nat'd on the way
> > here.
>
> we already knew nats were broken.
>
> but i still believe that win2k behind nats probably explain most of the
> data behind the updates for 1918 space from non-1918 ip source addresses.

We find that updates in the forward zones are a great way of tracking laptops, btw, as nobody ever changes the 'domain' or whatever it is called in Windows. So you see these updates coming in from everywhere the laptop goes.

Regards,
bert hubert

-- 
http://www.PowerDNS.com      Versatile DNS Software & Services
http://www.tk                the dot in .tk
http://lartc.org             Linux Advanced Routing & Traffic Control HOWTO
Re: is your host or dhcp server sending dns dynamic updates for rfc1918?
On Thu, Apr 18, 2002 at 04:57:59PM -0700, Paul Vixie wrote:
>
> according to http://root-servers.org/, dns transactions concerning rfc1918
> address space are now being served by an anycast device near you (no matter
> who you might be, or where.) there will eventually be official statistics,
> but i thought i'd give everybody a chance to clean up their houses first.

And right you are. However, pray tell, why doesn't bind feature a simple way to not log these spurious updates? As far as I can tell lots of people want to just ignore these messages but can only do so by turning off all security logging.

Please note that PowerDNS is just as silly in this respect up to 1.99.9. The next version features --log-failed-updates which defaults to off.

Regards,
bert

-- 
http://www.PowerDNS.com      Versatile DNS Software & Services
http://www.tk                the dot in .tk
http://lartc.org             Linux Advanced Routing & Traffic Control HOWTO
PowerDNS PDNS 1.99.6 first public release
Of mild interest to readers of this list may be the first public release of what is to become PDNS 2.0.

PDNS is an advanced high performance authoritative nameserver with a host of backends. Besides plain Bind configuration files, PDNS reads information from MySQL, Oracle, PostgreSQL and many other databases. Backends can easily be written in any language, a sample perl backend is provided.

PDNS powers http://express.powerdns.com, a Web-based DNS maintenance site and the toplevel domain .TK.

The not-for-profit release can be found on http://www.powerdns.com/pdns , documentation is on http://downloads.powerdns.com/documentation/html/ or included in the distribution.

This is not yet a mature release, so your comments are appreciated. We will not spam this list further and instead invite you to join our 'pdns-users' mailinglist: http://mailman.powerdns.com/mailman/listinfo/pdns-users

Thanks for your attention.

Regards,
bert hubert

-- 
http://www.PowerDNS.com      Versatile DNS Software & Services
http://www.tk                the dot in .tk
http://lartc.org             Linux Advanced Routing & Traffic Control HOWTO