On Mon, 29 Mar 2010, Kevin Oberman wrote:
Fix your security officers!
I have talked to multiple security officers (who are generally not
really knowledgeable on networks) who had 53/tcp blocked and none have
yet agreed to change it. The last one told me that blocking 53/tcp is
"standard industry
> "Kevin Oberman" writes:
> > He said that if the protocols would not handle blocked 53/tcp, the
> > protocols would have to be changed. Opening the port was simply not
> > open to discussion.
>
> Do they also believe that all DNS replies are less than 512 bytes? :-)
Sure, why not.
The phrase "
"Kevin Oberman" writes:
> He said that if the protocols would not handle blocked 53/tcp, the
> protocols would have to be changed. Opening the port was simply not
> open to discussion.
Do they also believe that all DNS replies are less than 512 bytes? :-)
Tony.
--
f.anthony.n.finchhttp://d
On Tue, Mar 30, 2010 at 05:43:25PM +0900, Randy Bush wrote:
> >>> I have talked to multiple security officers (who are generally not
> >>> really knowledgeable on networks) who had 53/tcp blocked and none
> >>> have yet agreed to change it.
> >> patience. when things really start to break, and
"Kevin Oberman" writes:
> He said that if the protocols would not handle blocked 53/tcp, the
> protocols would have to be changed. Opening the port was simply not
> open to discussion.
Let me guess: They also completely blocked ICMP. I always tell these
customers to switch to IPv6 real fast and
Robert Kisteleki (robert) writes:
> I must observe that these are not really the links you'd want to
> give your end users to check out. Their audience is very different.
> While the article on RIPE Labs comes close, they don't really answer
> the "does it work or does it not?" question with a gree
I must observe that these are not really the links you'd want to give your
end users to check out. Their audience is very different. While the article
on RIPE Labs comes close, they don't really answer the "does it work or does
it not?" question with a green/red light, and they don't provide a g
Randy Bush (randy) writes:
>
> i.e. what can we do to maximize the odds that the victim will quickly
> find the perp, as opposed to calling our our tech support lines?
Ah yes, there was the second good reason for actually helping netops
and security officers :)
Tools:
Randy Bush (randy) writes:
> patience. when things really start to break, and the finger of fate
> points at them, clue may arise.
>
When this issue was brought up on the OARC dns-operations list,
and it was suggested to make some simply factsheets (a bit like
ICANN's IPv
On Tue, 30 Mar 2010 15:59:08 +0900, Randy Bush said:
> > I have talked to multiple security officers (who are generally not
> > really knowledgeable on networks) who had 53/tcp blocked and none have
> > yet agreed to change it.
>
> patience. when things really start to break, and the finger of fa
>>> I have talked to multiple security officers (who are generally not
>>> really knowledgeable on networks) who had 53/tcp blocked and none
>>> have yet agreed to change it.
>> patience. when things really start to break, and the finger of fate
>> points at them, clue may arise.
> 36 days u
On 30 Mar 2010, at 07:59, Randy Bush wrote:
I have talked to multiple security officers (who are generally not
really knowledgeable on networks) who had 53/tcp blocked and none
have yet agreed to change it.
patience. when things really start to break, and the finger of fate
points at th
> I have talked to multiple security officers (who are generally not
> really knowledgeable on networks) who had 53/tcp blocked and none have
> yet agreed to change it.
patience. when things really start to break, and the finger of fate
points at them, clue may arise.
randy
> From: Joe Abley
> Date: Fri, 26 Mar 2010 10:06:02 -0700
>
> On 2010-03-26, at 06:40, Max Larson Henry wrote:
>
> >>> has someone experience in anycast ipv4 networks (to support DNS)?
> >>
> >> "Never been done" "Dangerous" "TCP does not work" etc etc etc.
> >
> > - Yes but as for DNS, anycas
On Fri, 26 Mar 2010 14:24:21 +0100
Jeroen Massar wrote:
> InterNetX - Lutz Muehlig wrote:
> > Hello,
> >
> > has someone experience in anycast ipv4 networks (to support DNS)?
>
> "Never been done" "Dangerous" "TCP does not work" etc etc etc.
>
> I assume quite a number of people know how to do
On 2010-03-26, at 10:04, Owen DeLong wrote:
> It doesn't require an unstable routing table. There is a small set of
> locations that could hit routers with multipath that may "balance"
> the anycast packets down divergent paths.
>
> Essentially, these are the topological midpoints between any t
On Mar 26, 2010, at 6:55 AM, Jeroen Massar wrote:
Max Larson Henry wrote:
has someone experience in anycast ipv4 networks (to support DNS)?
"Never been done" "Dangerous" "TCP does not work" etc etc etc.
- Yes but as for DNS, anycast is essentially used for user requests
(UDP) not to p
On 2010-03-26, at 06:40, Max Larson Henry wrote:
>>> has someone experience in anycast ipv4 networks (to support DNS)?
>>
>> "Never been done" "Dangerous" "TCP does not work" etc etc etc.
>
> - Yes but as for DNS, anycast is essentially used for user requests (UDP)
> not to perform zone transfe
On Mar 26, 2010, at 6:40 AM, Max Larson Henry wrote:
has someone experience in anycast ipv4 networks (to support DNS)?
"Never been done" "Dangerous" "TCP does not work" etc etc etc.
- Yes but as for DNS, anycast is essentially used for user requests
(UDP)
not to perform zone transfer(TC
On 2010-03-26, at 06:21, InterNetX - Lutz Muehlig wrote:
> has someone experience in anycast ipv4 networks (to support DNS)?
This is a general reference that tries hard not to be DNS-specific:
http://www.ietf.org/rfc/rfc4786.txt
These are two papers written whilst at ISC describing many aspe
In message <4828.1269611...@localhost>, valdis.kletni...@vt.edu writes:
> --==_Exmh_1269611568_4209P
> Content-Type: text/plain; charset=us-ascii
>
> On Fri, 26 Mar 2010 09:40:39 EDT, Max Larson Henry said:
>
> > - Yes but as for DNS, anycast is essentially used for user requests (UDP)
> > not t
* Jeroen Massar:
> Simple recipe:
> - Box with:
>- Your favourite OS
>- Quagga or OpenBGPd
>- Your favourite DNS server
> - Announce the IP of the anycast node in BGP
> - Monitor the DNS server, when it does not work kill your local BGPd
>and notify the admins that it broke
Thi
Max Larson Henry wrote:
>
> > has someone experience in anycast ipv4 networks (to support DNS)?
>
> "Never been done" "Dangerous" "TCP does not work" etc etc etc.
>
>
> - Yes but as for DNS, anycast is essentially used for user requests
> (UDP) not to perform zone transfer(TCP).
Also t
On Fri, 26 Mar 2010 09:40:39 EDT, Max Larson Henry said:
> - Yes but as for DNS, anycast is essentially used for user requests (UDP)
> not to perform zone transfer(TCP).
DNS uses TCP for more than just XFR. For instance, if you're running a
resolver that doesn't do EDNS0, and you hit an (increas
> > > has someone experience in anycast ipv4 networks (to support DNS)?
> >
> > "Never been done" "Dangerous" "TCP does not work" etc etc etc.
>
> - Yes but as for DNS, anycast is essentially used for user requests (UDP)
> not to perform zone transfer(TCP).
How-to with working configurations for
On Mar 26, 2010, at 9:24 AM, Jeroen Massar wrote:
> InterNetX - Lutz Muehlig wrote:
>> Hello,
>>
>> has someone experience in anycast ipv4 networks (to support DNS)?
>
> "Never been done" "Dangerous" "TCP does not work" etc etc etc.
Can't really tell if you're being serious here due to caffein
> > has someone experience in anycast ipv4 networks (to support DNS)?
>
> "Never been done" "Dangerous" "TCP does not work" etc etc etc.
>
- Yes but as for DNS, anycast is essentially used for user requests (UDP)
not to perform zone transfer(TCP).
-M
InterNetX - Lutz Muehlig wrote:
> Hello,
>
> has someone experience in anycast ipv4 networks (to support DNS)?
"Never been done" "Dangerous" "TCP does not work" etc etc etc.
I assume quite a number of people know how to do it, especially as
several root DNS servers abuse it.
Simple recipe:
- B
Hello,
has someone experience in anycast ipv4 networks (to support DNS)?
Regards
Lutz
29 matches
Mail list logo