Re: [swinog] .ch registrars : goodbye nic.ch, but where to go then ?
Switch answered me these three will support DNSSEC: Gandi.net OVH.com 123 domain.eu Freundliche Grüsse sasag Kabelkommunikation AG Michael Richter Professional Bachelor ODEC in Engineering mrich...@sasag.ch 052 633 01 71 Von: Silvan M. Gebhardt / Силван Гебхардт [gebha...@openfactory.ch] Gesendet: Mittwoch, 26. November 2014 13:58 An: Michael Richter Cc: swinog@lists.swinog.ch Betreff: Re: [swinog] .ch registrars : goodbye nic.ch, but where to go then ? Since you asked, I asked back since I gave a statement last week. Amenic will support DNSSEC by New Year ;) (I just poked them now again) Silvan - Ursprüngliche Mail - Von: Michael Richter mrich...@sasag.ch An: swinog@lists.swinog.ch Gesendet: Mittwoch, 26. November 2014 08:04:01 Betreff: Re: [swinog] .ch registrars : goodbye nic.ch, but where to go then ? Does anyone knows which one of the list supports DNSSEC? Freundliche Grüsse sasag Kabelkommunikation AG Michael Richter Professional Bachelor ODEC in Engineering mrich...@sasag.ch 052 633 01 71 Von: swinog-boun...@lists.swinog.ch [swinog-boun...@lists.swinog.ch]quot; im Auftrag von quot;Thomas Hug [t...@nine.ch] Gesendet: Dienstag, 25. November 2014 21:32 An: swi...@swinog.ch Betreff: Re: [swinog] .ch registrars : goodbye nic.ch, but where to go then ? On Tue, 25 Nov 2014 20:37, Stanislav Sinyagin wrote: Cool, thanks for the list. Does any of those registrars allow a 5-year payment? Because it's quite annoying to handle those little invoices every year. You can pay 100.- or 200.- instead of the one year price! At cyon this works and it worked also for the good old nic.ch. You will get 0.00 bills until your credit is used up. -Tom ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] .ch registrars : goodbye nic.ch, but where to go then ?
Does anyone knows which one of the list supports DNSSEC? Freundliche Grüsse sasag Kabelkommunikation AG Michael Richter Professional Bachelor ODEC in Engineering mrich...@sasag.ch 052 633 01 71 Von: swinog-boun...@lists.swinog.ch [swinog-boun...@lists.swinog.ch]quot; im Auftrag von quot;Thomas Hug [t...@nine.ch] Gesendet: Dienstag, 25. November 2014 21:32 An: swi...@swinog.ch Betreff: Re: [swinog] .ch registrars : goodbye nic.ch, but where to go then ? On Tue, 25 Nov 2014 20:37, Stanislav Sinyagin wrote: Cool, thanks for the list. Does any of those registrars allow a 5-year payment? Because it's quite annoying to handle those little invoices every year. You can pay 100.- or 200.- instead of the one year price! At cyon this works and it worked also for the good old nic.ch. You will get 0.00 bills until your credit is used up. -Tom ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
[swinog] Mailserver migration problems with Apple devices
Hi there does anybody have experience with mailserver migration and apple clients. We have no changed the ip address of our mailserver - we have changed the A Record from mail.xy.ch to a new IP. Since then we've a lot of calls from clients which are unable to receive mails. On the iPhones, the authentication option has gone!!. When the customer set its back to password it's working again. But I had also some OS X Mail which had the right settings, but didn't work. I had to configure the account from scratch. So it's defnitely an Apple Problem. Does anybody now why this is not working or why the settings are changed from the device itselfs? Freundliche Grüsse sasag Kabelkommunikation AG Michael Richter Professional Bachelor ODEC in Engineering mrich...@sasag.ch 052 633 01 71 ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] SwissIX / google
Yes we're having also troubles with google responses. Freundliche Grüsse sasag Kabelkommunikation AG Michael Richter Professional Bachelor ODEC in Engineering mrich...@sasag.ch 052 633 01 71 Von: swinog-boun...@lists.swinog.ch [swinog-boun...@lists.swinog.ch] im Auftrag von Matias Meier [me...@matias.ch] Gesendet: Donnerstag, 29. August 2013 11:02 An: 'swi...@swinog.ch' Betreff: [swinog] SwissIX / google Hello It seems that googles swissix link is down… Google isn’t reachable from the Green network, also from iWay 8.8.8.8 isn’t reachable. From Cyberlink and from Cablecom it seems tob e OK. Anyone else have problems? Freundliche Grüsse Matias Meier ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
[swinog] DNS amplification attack (bfhmm.com in TXT)
Anyone else see such packets on his DNS servers? I've just blocked that query. http://blog.righter.ch/?p=581 no comments if it's not the best idea :-)) Freundliche Grüsse sasag Kabelkommunikation AG Michael Richter Professional Bachelor ODEC in Engineering mrich...@sasag.ch 052 633 01 71 ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] DDOS DNS Attack by Netgear Products caused by CNAME instead of A record?
I have the same issue since some weeks. The problem is that the customer does not understand the problem. So if Netgear has solved the problem in a new firmware the customer should update it, but does he knows how to do this??? What can you do to limit this stupid traffic: - rate limit the queries per customer (not really a good idea) - rate limit this special kind of queries. (that's the best way at the moment) I haven't had the time to look into the packets to limit this queries. If they are all similiar you can set up a drop filter in the iptables like you should already have with the isc.org ANY requests. - Problem not really solved but you should be happy with this :-) the rule should be: $IPTABLES -I INPUT -p udp --dport 53 -m string --from 47 --algo bm --hex-string '|FF0001|' -m recent --set --name dnsanyquery $IPTABLES -I INPUT -p udp --dport 53 -m string --from 47 --algo bm --hex-string '|FF0001|' -m recent --name dnsanyquery --rcheck --seconds 600 --hitcount 3 -j DROP but what's the hex string for this kind of query. anybody got it? Freundliche Grüsse sasag Kabelkommunikation AG Michael Richter Professional Bachelor ODEC in Engineering mrich...@sasag.ch 052 633 01 71 Von: swinog-boun...@lists.swinog.ch [swinog-boun...@lists.swinog.ch]quot; im Auftrag von quot;Benoit Panizzon [benoit.paniz...@imp.ch] Gesendet: Freitag, 24. Mai 2013 12:03 An: swi...@swinog.ch Betreff: [swinog] DDOS DNS Attack by Netgear Products caused by CNAME instead of A record? Heyo! Any others who are being affected? It looks like our customers Netgear routers (known ones: WNR3500Lv2, WNDR4500) are asking our DNS Server for the A record of: time-g.netgear.com or time- a.netgear.com Instead of an A record reply, they get a CNAME as answer with additional information the A record of that CNAME. That is what netgear has published on their DNS Servers. Those routers are not happy with that reply and just start sending several hundred requests per second for A time-g.netgear.com resulting in considerable load and traffic on our DNS caches. Some customers have already transfered 35GB of DNS traffic, only since today midnight. I have contacted netgear technical support. The issue is yet unknown to them. They got my pcap files to analyze :-) Any others observing that behaviour of netgear products? Any know remedies? Mit freundlichen Grüssen Benoit Panizzon -- I m p r o W a r e A G- __ Zurlindenstrasse 29 Tel +41 61 826 93 07 CH-4133 PrattelnFax +41 61 826 93 02 Schweiz Web http://www.imp.ch __ ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
[swinog] WG: DDOS DNS Attack by Netgear Products caused by CNAME instead of A record?
Hmm I thought it is better you'll do the rate limiting on a lower layer. It's the same fix. you give the customer x queries in y time. But with RRL I think every query is counted. With iptables you can say, just count the ANY queries. So it's more specific Freundliche Grüsse sasag Kabelkommunikation AG Michael Richter Professional Bachelor ODEC in Engineering mrich...@sasag.ch 052 633 01 71 Von: Jeroen Massar [jer...@massar.ch] Gesendet: Freitag, 24. Mai 2013 13:43 An: Michael Richter Cc: Benoit Panizzon; swi...@swinog.ch Betreff: Re: [swinog] DDOS DNS Attack by Netgear Products caused by CNAME instead of A record? On 2013-05-24 12:52 , Michael Richter wrote: [..] What can you do to limit this stupid traffic: - rate limit the queries per customer (not really a good idea) - rate limit this special kind of queries. (that's the best way at the moment) I haven't had the time to look into the packets to limit this queries. If they are all similiar you can set up a drop filter in the iptables like you should already have with the isc.org ANY requests. - Problem not really solved but you should be happy with this :-) [..] but what's the hex string for this kind of query. anybody got it? You want to deploy RRL. iptables is not the right location for doing this kind of stuff as you will have false positives. Please see http://www.redbarn.org/dns/ratelimits Greets, Jeroen ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] DDOS DNS Attack by Netgear Products caused by CNAME instead of A record?
Thanks Gregor!! that was exactly what I was looking for. have a nice weekend --- You want to deploy RRL. iptables is not the right location for doing this kind of stuff as you will have false positives. Please see http://www.redbarn.org/dns/ratelimits I agree that iptables might not be the perfect solution for that, however, as we have also been confronted with that problem some months ago with a lot of affected devices (each with 1000pps of those queries) we have limited those queries for some time as it is easy to deploy quickly. At that point of time time-g.netgear.com had no entry at all so the clients did not stop with the folding. Today it looks a little different, as there is at least a cname for that entry. We have used the u32 module for matching, we check name=time-g.netgear.com and type=A within the query. The matching line looks like: iptables -A INPUT -p udp --dport 53 -m u32 --u32 0x00x160x3c@0x14=0x674696d0x00x160x3c@0x18=0x652d67070x00x160x3c@0x1c=0x6e6574670x00x160x3c@0x20=0x656172030x00x160x3c@0x24=0x636f6d000x00x160x3c@0x280x=0x1 -j YOUR_CHAIN_OR_WHATEVER You can then use the limit module for example. Just as a thought, maybe it would change something to send the clients a ntp server in the dhcp response, as it is obviously looking for an ntp server. Has someone maybe already tried that? Cheers, Gregor ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
[swinog] Looking for a new mailsystem
Hi there We are looking for a new mailsystem can anyone recommend a swiss company who can deliver us an open source mail system also with support? It should be open source based. We have over 13'000 mailboxes, for me these are a lot, for others it's tiny :-) We aren't having enough men-power to build such a system ourself. I'm glad for every response thanks michael Freundliche Grüsse sasag Kabelkommunikation AG Michael Richter dipl. Techniker HF Mühlenstrasse 21 8201 Schaffhausen mrich...@sasag.ch 052 633 01 71 www.sasag.ch ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
[swinog] some one interested in NI-MLX-1Gx20 cards
Hi I have two used Brocade NI-MLX-1Gx20-GC which I will sell. If someone is interested please send me a mail. I checked the compatiblity and this card should run in the following devices: - MLX (SFM and hSFM) - MLXe with MLX or MR2 MGMT Freundliche Grüsse sasag Kabelkommunikation AG Michael Richter dipl. Techniker HF Mühlenstrasse 21 8201 Schaffhausen mrich...@sasag.ch 052 633 01 71 www.sasag.ch ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] Message delivery to sunrise
Same here, once the connection works, perhaps heavy load. Sunrise support says no problems.. Freundliche Grüsse Michael Richter dipl. Informatiker HF sasag Kabelkommunikation AG Mühlenstrasse 21 8201 Schaffhausen Tel: 052 633 01 71 E-Mail: mrich...@sasag.ch -Ursprüngliche Nachricht- Von: swinog-boun...@lists.swinog.ch [mailto:swinog-boun...@lists.swinog.ch] Im Auftrag von JACOT-DESCOMBES Antoine Gesendet: Montag, 21. November 2011 11:23 An: swinog@lists.swinog.ch; Stefan Rothenbuehler Betreff: Re: [swinog] Message delivery to sunrise Hello, Here at University of Neuchatel, we also see some messages for sunrise.ch domain in retry state in our outgoing mail servers. Regards, Antoine -Message d'origine- De : swinog-boun...@lists.swinog.ch [mailto:swinog-boun...@lists.swinog.ch] De la part de Stefan Rothenbuehler Envoyé : lundi 21 novembre 2011 11:03 À : Objet : [swinog] Message delivery to sunrise Hello We currently experiencing problems delivering mail to mx.sunrise.ch and our queues are growing. Is anybody else experiencing problems delivering mail to sunrise? Regards, Stefan Stefan Rothenbuehler System Engineer Messaging Swisscom (Switzerland) Ltd. ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog