nanog mailing list archives
Re: Exploits start against flaw that could hamstring huge swaths of Internet | Ars Technica
From: Jared Mauch <jared () puck Nether net>
Date: Tue, 4 Aug 2015 14:57:10 -0400
On Wed, Aug 05, 2015 at 02:39:18AM +1000, Mark Andrews wrote:
> In message <9C2ACA5A-755D-4FCF-8491-745A1F9111BA () puck nether net>, Jared Mauch writes:
> > I recommend using DNSDIST to balance traffic at a protocol level as you can have implementation diversity on the backside.
> > I can send an example config out later for people. You can balance to bind NSD and others all at the same time :-) just move your SPoF
> > Jared Mauch
>
> Unless the same client hits the same server all the time this is a bad idea.
> Software that can't handle the remote side having an upgrade/downgrade/capability change is broken.
> Resolvers actually track capabilities of servers as it is the only way to get answers due to firewalls dropping legitimate packets and protocol misimplementations. Add to that different vendors / versions supporting different extensions; randomly flipping between vendors / versions is fraught with danger unless you take extreme care.
I've come to use DNSDist to work around the problems that BIND has with outstanding queries which don't get a response. You might be surprised how poorly BIND performs if you use something else to take a look at it from the exterior.

http://puck.nether.net/~jared/dnsdist.png

The first two are BIND, the 3rd is not, and the 4th is BIND. The last 3 get the same types of queries; notice how BIND drops lots of queries.

I don't have time to report all the DNS related issues on bind-users/dev but you may find it helpful to use a tool like this to at least identify what is going on. The last 3 servers get only domains like arpa and a few well known domains, eg: gmail.

- Jared
> > On Aug 4, 2015, at 10:03 AM, Jay Ashworth <jra () baylink com> wrote:
> > > Everyone got BIND updated?
> > > http://arstechnica.com/security/2015/08/exploits-start-against-flaw-that-could-hamstring-huge-swaths-of-internet/
> > > --
> > > Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742   INTERNET: marka () isc org
--
Jared Mauch | pgp key available via finger from jared () puck nether net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.