Re: DNS: Definitely Not Safe?

2007-02-15 Thread Robert E. Seastrom


Joe Abley [EMAIL PROTECTED] writes:

>> i thought it was actually covered on-list... during the event, no?
>
> I don't think it was especially covered on this list (you are no
> doubt thinking of other lists). There was a lightning talk about it
> in Toronto, for which slides can be found in the usual place.

I think between the list and the lightning talk, it got the level of
attention it deserved.

---rob




DNS: Definitely Not Safe?

2007-02-14 Thread MARLON BORBA

Security of DNS servers is an issue for network operators, thus pertaining to 
NANOG on-topics. This article shows a security-officer view of the recent DNS 
attacks.

Despite well-publicized attacks on domain name servers in 2000 and 2001, 
evidence suggests that many companies simply have not taken the steps necessary 
to protect this vital part of their networks. Experts differ on just how much 
danger companies generally face. However, they seem to agree that, depending on 
the circumstances and the company, the results could include electronic attacks 
and unknowingly providing confidential information to competitors.

-- 
http://www.csoonline.com/read/020107/fea_dns.html?source=nlt_csoupdate



Regards,

Marlon Borba, CISSP, DataCenter Associate
Judicial Technician - Information Security
TRF 3ª Região
(11) 3012-1683
--
1997-2007 - Ten Years of DSUP.
Knowledge Generating Solutions.
--


Re: DNS: Definitely Not Safe?

2007-02-14 Thread Peter Dambier


MARLON BORBA wrote:

> Security of DNS servers is an issue for network operators, thus pertaining to
> NANOG on-topics. This article shows a security-officer view of the recent DNS
> attacks.
>
> Despite well-publicized attacks on domain name servers in 2000 and 2001, evidence
> suggests that many companies simply have not taken the steps necessary to protect this
> vital part of their networks. Experts differ on just how much danger companies generally
> face. However, they seem to agree that, depending on the circumstances and the company,
> the results could include electronic attacks and unknowingly providing confidential
> information to competitors.



I am not sure whether the author isn't walking beside his shoes.

DNS is like a telephone book.

Yes it is dangerous to have your telephone number listed in
a publicly available book. We should forbid telephone books
and the world would be much safer?

If you are afraid of people using axfr to slave a nameserver
then don't publish it. Use /etc/hosts not DNS and best don't
tell anybody your IP address.

In some places (Africa ?) root-servers may be difficult to
see, so why not clone them and have the root on your local
network? If they are attacked again - no problem. Your
personal root-server will survive at least a month without
them. Of course you need axfr transfers to do that.

I don't know how you can use axfr transfers to DoS somebody
else but yourself. It is a tcp connection after all. You
need to be connected. Overloading electricity supply like
the NSA tries to do is a lot more efficient.

That leaves recursive nameservers, resolvers. Yes, that could
help. Forbid all publicly available resolvers including
those of your ISP then attackers, mostly running windows
in their botnets will not find their targets any longer.

The big problem is IT personnel relying on windows for
their backbones. You cannot help them, only an attack
can.

I remember companies used to run their own internal
nameservers. Why don't they do it any longer? DNS has
become so much more reliable that they don't need to.


Kind regards
Peter and Karin
--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher-Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/



Re: DNS: Definitely Not Safe?

2007-02-14 Thread Stephane Bortzmeyer

On Wed, Feb 14, 2007 at 09:20:38AM -0200,
 MARLON BORBA [EMAIL PROTECTED] wrote 
 a message of 21 lines which said:

> Security of DNS servers is an issue for network operators, thus
> pertaining to NANOG on-topics. This article shows a security-officer
> view of the recent DNS attacks.

It may be on-topic but it is full of FUD, mistakes and blatant
b...t. Certainly not the recommended reading for the sysadmin.

The best stupid sentence is the one asking firewalls in front of the
DNS servers... to prevent tunneling data over DNS!



Re: DNS: Definitely Not Safe?

2007-02-14 Thread Paul Vixie

[EMAIL PROTECTED] (Stephane Bortzmeyer) writes:

> It may be on-topic but it is full of FUD, mistakes and blatant
> b...t. Certainly not the recommended reading for the sysadmin.

i think you're being way too kind here.

> The best stupid sentence is the one asking firewalls in front of the
> DNS servers... to prevent tunneling data over DNS!

just as the most common lie told by spammers is "dear friend", so it is
that the biggest error in this piece is in the first sentence:

"When it comes to the Web's domain name system (DNS),"

this guy was probably writing netware-vs-smb comparisons during the two
decades that the internet existed before the web came along.  the web is
an internet application, and the dns is part of the internet, not part of
the web.  the rest of the article is equally horrific in its maltreatment
and ignorance of facts.
-- 
Paul Vixie


Re: DNS: Definitely Not Safe?

2007-02-14 Thread Jim Popovitch
On Wed, 2007-02-14 at 18:01 +, Paul Vixie wrote:
> the rest of the article is equally horrific in its maltreatment
> and ignorance of facts.

It's an article in a CxO-type magazine; did anyone really expect
anything better?

-Jim P.




Re: DNS: Definitely Not Safe?

2007-02-14 Thread MARLON BORBA

mea culpa, mea maxima culpa :-(
my intention, when I suggested that reading, was to get your attention about that
recent attack which targeted DNS top-level servers and to listen to your opinions.
i promise not to post porn, oops, FUD material to nanog again.



Regards,

Marlon Borba, CISSP, DataCenter Associate
Judicial Technician - Information Security
TRF 3ª Região
(11) 3012-1683
--
1997-2007 - Ten Years of DSUP.
Knowledge Generating Solutions.
--




Re: DNS: Definitely Not Safe?

2007-02-14 Thread Chris L. Morrow



On Wed, 14 Feb 2007, MARLON BORBA wrote:

> my intention, when suggested that reading, was to get your attention
> about that recent attack which targeted DNS top-level servers and to

i thought it was actually covered on-list... during the event, no?

> listen your opinions. i promise not to post porn, ops, FUD material to
> nanog again.

no one said anything about porn...


Re: DNS: Definitely Not Safe?

2007-02-14 Thread bmanning

On Wed, Feb 14, 2007 at 04:22:44PM -0200, MARLON BORBA wrote:
>
> mea culpa, mea maxima culpa :-(
> my intention, when suggested that reading, was to get your attention about
> that recent attack which targeted DNS top-level servers and to listen your
> opinions.
> i promise not to post porn, ops, FUD material to nanog again.
 
 
 

what is interesting to me is the ripple effect - kind of like the
children's game of telephone. second, third, and fourth hand
interpretation of the events allows the reporter to project their own
worst nightmares onto the event ... for some, it's a way to raise the
specter of fear, giving them credence or the opportunity to market
their particular services to the huddled, fearful masses.

and to borrow a line from another bit of this thread, http and dns are
both applications. applications are vulnerable to attacks that exploit
the underlying protocols. the BEST we can do, w/o replacing IP &
TCP/UDP, is to instrument the applications to alert us that there is a
problem. And the actions you (as the target of packet love) take may
make your local life manageable (compartmentalization) but can have a
devastating impact on your peers/neighbors.

so don't worry, your posts seem fine to me

--bill


Re: DNS: Definitely Not Safe?

2007-02-14 Thread Joe Abley



On 14-Feb-2007, at 13:38, Chris L. Morrow wrote:

> On Wed, 14 Feb 2007, MARLON BORBA wrote:
>
>> my intention, when suggested that reading, was to get your attention
>> about that recent attack which targeted DNS top-level servers and to
>
> i thought it was actually covered on-list... during the event, no?

I don't think it was especially covered on this list (you are no
doubt thinking of other lists). There was a lightning talk about it
in Toronto, for which slides can be found in the usual place.



Joe



Re: DNS: Definitely Not Safe?

2007-02-14 Thread Chris L. Morrow



> I don't think it was especially covered on this list (you are no
> doubt thinking of other lists). There was a lightning talk about it
> in Toronto, for which slides can be found in the usual place.

or I was thinking 'nanog meeting' not 'nanog list' :(  oh well.


Re: DNS: Definitely Not Safe?

2007-02-14 Thread Scott Weeks



--- [EMAIL PROTECTED] wrote:
From: Chris L. Morrow [EMAIL PROTECTED]

> listen your opinions. i promise not to post porn, ops, FUD material to
> nanog again.

no one said anything about porn...
-


router porn?  Ohh, I never thought about that.  Time to go on a web
search...  ;-)

scott