[moving this to BALUG-Talk - as at least my mostly general responses aren't really all that highly BALUG (admin) specific]
Thanks for the excellent review! :-)
Some comments, etc, in-line below:
From: "Rick Moen" rick@linuxmafia.com Subject: [BALUG-Admin] balug.org DNS review Date: Wed, 27 Sep 2017 09:25:12 -0700
Just checking on things, in the wake of the departure from Dreamhost.
Yea departing DreamHost.com!!! (A.k.a. nightmare host <sigh>).
- We have three nameservers. This is in the recommended range,
barely: RFC2182 section 5 recommends at least 3. RFC1912 section 2.8 recommends no more than 7.
If we have one or two more friends running auth nameservers, adding them would be gravy.
Or, ... even not bother a friend and ... There are some free/complementary DNS slave services out there for the taking by any and/or all ... most of 'em suck (perhaps some exceptions?)
However, probably of note and worthy of consideration ...
balug.org has registrar gandi ... gandi offers complimentary DNS slave services. Now, I wouldn't want to be (too) dependent upon any given registrar, but, as far as I'm aware and what I've seen thus far, gandi's DNS complimentary slave service is basically rock solid and good - only minor thing I've noticed is updates - it either ignores them, or takes some modest bit of time to process them. But it does fully respect the TTLs and relevant SOA times, so as far as I'm aware all is fully within required specifications. I do have at least one (other) domain that uses gandi slave DNS for *one* (and only one) of its slave DNS servers ... so again - not too much in the way of dependencies, and sufficiently easy to break free should there ever be need/reason.
Another possible freebie worthy of considering - he.net - with account (which BALUG has, and uses for its IPv6 tunnel), complimentary DNS slave services are also offered. They seem to mostly/basically be quite "good", but come with a few caveats of note. They support *most* - but not *all* - RR types. So ... that's potentially an issue. As for updates, same kind of deal as gandi - except I think he.net explicitly ignores update notifications; but again, works fine regarding TTLs and SOA timing values. But a few more caveats for he.net free DNS. The setup is a bit funky - no way to introduce it without some DNS gotchas when being implemented. Notably (at last I futzed with it), one has to put the delegation in place *first* - so there will be some non-zero time when one has lame NS server(s) - basically after they're delegated, but before they pull and serve the zone data - and they won't pull and serve the zone data until their DNS data checks show that they're delegated - kind'a a Catch-22. Also, don't know that one can feasibly do less than *all* of he.net's DNS servers - they give you a set, they expect you to delegate to them. If they find you're not delegated to them, they drop the service. And ... is that an all or nothing? Doesn't seem to be specified in their documentation, so ... results of delegating less than the full set may be unspecified. *Other* than those few significant caveats, as far as I'm aware, their DNS slave service works perfectly fine - I had (maybe still have?) it on some domain(s) I dealt with. May have dropped it due to the particular limitations and such, though. Oh, and one other possible caveat ... been a while since I read their documents ... there *may* be some traffic limit/caveat? ... or maybe not - I don't recall, I'd have to look over their documentation again.
Anyway, yes, those (gandi complimentary and he.net free) DNS slave services, have some potential issues/limitations to consider ... but to give 'em credit too, also have some advantages. Notably they are pretty darn high availability. So that's more than many can offer strung at home on the end of a DSL or cable line or such, or even some host - even if it's in a colo or cloud or the like - if it doesn't have a high availability partner. Then again, for the infrastructure much of such DNS supports, particularly high availability on the DNS can be overkill - when all the services themselves may not be that high in reliability/availability. But still - dang important to have good solid DNS ... as when *that* is down solid - clients on The Internet can't in general even find out that what they're trying to get to is up or down or what the status is, and this also tends to cause or further complicate issues with various services (e.g. SMTP, among others).
So ... yes, ... adding a reasonably good reliable (needn't be super high on the reliability) DNS server would be a good thing, ... or more than one, up to total count of about 7 (precise maximum that's still optimal also depends upon the length of the domain name and some other DNS data factors ... e.g. optimal maximum for root (.) is a number larger than 7 ... but root domain (.) also has the shortest possible domain name. For domain names that are highly long, optimal maximum may be somewhat lower than 7 ... but 7 is optimal maximum for *most* typical domain names.
- No glue records for one nameserver (ns1.linuxmafia.com), because it
is out-of-bailiwick for the .org TLD nameservers. This means queries to it are just a little slower than to the other two for which glue information gets supplied.
If you want to fix that, assign my nameserver IP (198.144.195.186) the name NS2.BALUG.ORG in the domain record, removing the entry for NS1.LINUXMAFIA.COM. That fixes the glue records at the parent (.org) zone. And then don't forget to make the same switch in the in-zone records served at master nameserver NS1.BALUG.ORG.
Yes, thanks, noted ... will probably get around to that (time, priorities, that one is modest work for only slight/teensy gain ... so ... will likely take longer to get to it).
- Information leakage. NS1.BALUG.ORG / 198.144.194.238 answers
(correctly) CHAOS class queries about its version.
:r! dig version.bind txt chaos @NS1.BALUG.ORG +short "9.9.5-9+deb8u14-Debian"
It'd be a good idea to turn this off. I like to return amusing lies, myself. My stanza in /etc/bind/named.conf.options :
options { directory "/var/cache/bind"; version "Shirley, you're joking"; hostname "ns1.linuxmafia.com"; //server-id is essentially redundant to hostname, default is none //server-id none; auth-nxdomain no; # conform to RFC1035 allow-recursion { [redacted] }; allow-query { [redacted] }; dnssec-validation yes; };
Ah yes. :-) "Of course", there's almost always tradeoffs regarding security. E.g. convenience/speed vs. ... well, security and some information not being so convenient/available.
As for DNS server identifying its software/version ... what [il]legitimate uses for that? Well, there's negligible legitimate use, so general best practice is to disable that - or put in some bogus or intentionally misleading string. Legitimate uses of it being there? Mostly negligible ... but there are some slight ones. E.g. for local or secured environments/networks, can be useful/convenient. E.g. not much harm/risk exposing it on 127.0.0.1 and ::1. But ... open to The Internet ... makes it easier for bots/attackers to know the specific target software ... and thus more likely to be able to successfully attack. However, even if the information isn't made available, software can be probed/"fingerprinted", so even if the version information is disabled or altered, attackers may still figure out - if not precisely the target version - at least often approximately the target software and approximate version or some version range. So ... it's bit of tradeoff ... make the information (much) less accessible (or not) - and make attacker's challenge some fair bit more difficult (but not hugely more difficult). Oh, I did say some negligible legitimate uses ... even on The Internet - software surveys - those *can* be used for legitimate purposes. Can also be abused - particularly if the data isn't quickly rolled up into the aggregate, but hangs around (or leaks) with specific IPs and corresponding software information, etc. ... and especially if that is leaked or exposed in bulk.
I'm also curious - and don't recall - been long time since I read about it ... txt chaos ... that mechanism was put in BIND many many moons ago. Is it entirely (or mostly) unique to BIND? ... in which case even serving up a "dummy" answer would identify it as some flavor of BIND server. Or ... has other DNS server software adopted that same mechanism for reporting version (most notably if it's in as a default - I think most DNS software can do class CHAOS, though probably almost nobody explicitly implements such). Anyway, depending on the various DNS server software behavior - it may be better to, if feasible, disable that response rather than just put in some dummy response. Anyway, ... I'm curious what current best practice is in that regard for DNS servers - and BIND DNS servers. And I don't think I've any issues with, e.g. disabling it. I think thus so far in my life I've used it one to perhaps a few times. It's a "feature" (offering up its software and version information via DNS query) which is of very close to zero legitimate usefulness.
But wait, there's more, you also get ...!!!
From: "Michael Paoli" Michael.Paoli@cal.berkeley.edu Subject: Re: [BALUG-Admin] balug.org DNS review Date: Wed, 27 Sep 2017 20:53:38 -0700
[moving this to BALUG-Talk - as at least my mostly general responses aren't really all that highly BALUG (admin) specific]
Thanks for the excellent review! :-)
Some comments, etc, in-line below:
From: "Rick Moen" rick@linuxmafia.com Subject: [BALUG-Admin] balug.org DNS review Date: Wed, 27 Sep 2017 09:25:12 -0700
- Information leakage. NS1.BALUG.ORG / 198.144.194.238 answers
(correctly) CHAOS class queries about its version.
:r! dig version.bind txt chaos @NS1.BALUG.ORG +short "9.9.5-9+deb8u14-Debian"
$ dig +noall +answer +norecurse @ns1.balug.org. hostname.bind TXT CHAOS hostname.bind. 0 CH TXT "balug-sf-lug-v2.balug.org" $
So ... we also have ... https://www.ietf.org/rfc/rfc4892.txt and: id.server hostname.server version.server "has been copied by several name server vendors"
Anyway, ... for the DNS server software at hand ... # hostname && cd /etc/bind*/ && pwd -P && co -l -M named.conf.options balug-sf-lug-v2.balug.org /var/lib/named/etc/bind RCS/named.conf.options,v --> named.conf.options revision 1.6 (locked) done # sed -ne 's///.*$//;/^[ ]*$/d;p' named.conf.options options { directory "/var/cache/bind"; key-directory "/var/cache/bind/keys"; dnssec-validation auto; auth-nxdomain no; # conform to RFC1035 listen-on-v6 { any; }; }; # ex named.conf.options named.conf.options: unmodified: line 26 :/^}; }; :i version none; hostname none; server-id none; . :w named.conf.options: 29 lines, 749 characters :q # sed -ne 's///.*$//;/^[ ]*$/d;p' named.conf.options options { directory "/var/cache/bind"; key-directory "/var/cache/bind/keys"; dnssec-validation auto; auth-nxdomain no; # conform to RFC1035 listen-on-v6 { any; }; version none; hostname none; server-id none; }; # ~/bin/Named-checkconf # (cd / && umask 022 && systemctl reload bind9) # $ dig +noall +answer +norecurse +comments @ns1.balug.org. version.bind TXT CHAOS ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49907 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 $ dig +noall +answer +norecurse +comments @ns1.balug.org. hostname.bind TXT CHAOS ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27923 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 $ dig +noall +answer +norecurse +comments @ns1.balug.org. id.server TXT CHAOS ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43870 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 $ Hmmmm... I might've expected NXDOMAIN ... but ... close enough. Can further review and possibly further review later ... but "good enough" for now on that one. # ci -d -u -M -m'disable information leakage & potential' named.conf.options RCS/named.conf.options,v <-- named.conf.options new revision: 1.7; previous revision: 1.6 done #
Anyway, that probably covers things "well enough" for the information leakage / built-in CHAOS stuff.
And in case anyone's wondering, AXFR is generally open to all (likewise for sf-lug.org. and sf-lug.com.) - really nothing to or worthy of hiding in the DNS data records for the LUGs. Does also help out some (legit) project(s) that try to use (at least in part) DNS to map out The Internet (though even in those cases, could, if one wanted to restrict, allow AXFR from those IP(s), but not The Internet at large).
So yes, haven't surveyed the landscape, but seems likewise at least some other DNS server software - besides BIND, has likewise implemented same or similar (mis)features on handing out version and other information in same or similar manner.
And ... defaults matter. At least version and distribution I'm dealing with, id.server is disabled by default (but I also explicitly disabled it, to play it safe(er) - notably should the default ever change). But the others weren't disabled by default.
It'd be a good idea to turn this off. I like to return amusing lies, myself. My stanza in /etc/bind/named.conf.options :
options { directory "/var/cache/bind"; version "Shirley, you're joking"; hostname "ns1.linuxmafia.com"; //server-id is essentially redundant to hostname, default is none //server-id none; auth-nxdomain no; # conform to RFC1035 allow-recursion { [redacted] }; allow-query { [redacted] }; dnssec-validation yes; };
Ah yes. :-) "Of course", there's almost always tradeoffs regarding security. E.g. convenience/speed vs. ... well, security and some information not being so convenient/available.
As for DNS server identifying its software/version ... what [il]legitimate uses for that? Well, there's negligible legitimate use, so general best practice is to disable that - or put in some bogus or intentionally misleading string. Legitimate uses of it being there? Mostly negligible ... but there are some slight ones. E.g. for local or secured environments/networks, can be useful/convenient. E.g. not much harm/risk exposing it on 127.0.0.1 and ::1. But ... open to The Internet ... makes it easier for bots/attackers to know the specific target software ... and thus more likely to be able to successfully attack. However, even if the information isn't made available, software can be probed/"fingerprinted", so even if the version information is disabled or altered, attackers may still figure out - if not precisely the target version - at least often approximately the target software and approximate version or some version range. So ... it's bit of tradeoff ... make the information (much) less accessible (or not) - and make attacker's challenge some fair bit more difficult (but not hugely more difficult). Oh, I did say some negligible legitimate uses ... even on The Internet - software surveys - those *can* be used for legitimate purposes. Can also be abused - particularly if the data isn't quickly rolled up into the aggregate, but hangs around (or leaks) with specific IPs and corresponding software information, etc. ... and especially if that is leaked or exposed in bulk.
I'm also curious - and don't recall - been long time since I read about it ... txt chaos ... that mechanism was put in BIND many many moons ago. Is it entirely (or mostly) unique to BIND? ... in which case even serving up a "dummy" answer would identify it as some flavor of BIND server. Or ... has other DNS server software adopted that same mechanism for reporting version (most notably if it's in as a default - I think most DNS software can do class CHAOS, though probably almost nobody explicitly implements such). Anyway, depending on the various DNS server software behavior - it may be better to, if feasible, disable that response rather than just put in some dummy response. Anyway, ... I'm curious what current best practice is in that regard for DNS servers - and BIND DNS servers. And I don't think I've any issues with, e.g. disabling it. I think thus so far in my life I've used it one to perhaps a few times. It's a "feature" (offering up its software and version information via DNS query) which is of very close to zero legitimate usefulness.
Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
$ dig +noall +answer +norecurse +comments @ns1.balug.org. version.bind TXT CHAOS ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49907 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 $ dig +noall +answer +norecurse +comments @ns1.balug.org. hostname.bind TXT CHAOS ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27923 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 $ dig +noall +answer +norecurse +comments @ns1.balug.org. id.server TXT CHAOS ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43870 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 $ Hmmmm... I might've expected NXDOMAIN ... but ... close enough.
Au contraire. There's a point about that. RCODE NOERROR with ANSWER: 0 means there are _other_ RRs for that FQDN, and this is subtly different from RCODE 'NXDOMAIN'[1], as explained on this useful page, one I found just today while trying to finally learn the difference: http://prefetch.net/blog/index.php/2016/09/28/the-subtleties-between-the-nxd...
So what does NOERROR with an ANSWER of 0 actually represent? It means one or more resource records exist for this domain but there isn't a record matching the resource record type (A, AAAA, MX, etc.). This was a useful clarification for me and helped me isolate and fix the issue I was debugging. Sometimes the devil is in the details.
Worth reading.
Thanks, a good - and reasonably brief - read that: http://prefetch.net/blog/index.php/2016/09/28/the-subtleties-between-the-nxd... that you referenced. :-)
And indeed, is wee bit more CHAOS data out there: $ (for d in version.bind hostname.bind server-id.bind id.server bind. server.; do dig +noall +answer +norecurse @ns1.balug.org. "$d" ANY CHAOS; done) | sort -u hostname.bind. 0 CH NS hostname.bind. hostname.bind. 86400 CH SOA hostname.bind. hostmaster.hostname.bind. 0 28800 7200 604800 86400 id.server. 0 CH NS id.server. id.server. 86400 CH SOA id.server. hostmaster.id.server. 0 28800 7200 604800 86400 version.bind. 0 CH NS version.bind. version.bind. 86400 CH SOA version.bind. hostmaster.version.bind. 0 28800 7200 604800 86400 $
So ... maybe I check further in future if there's reasonable way to cleanly disable all that ... but not high on the task/priority list at present - it's at least "good enough for now". My "todo" list is only 5,848 lines long ... and I'm sure I've forgotten to include many items and details.
From: "Rick Moen" rick@linuxmafia.com Subject: Re: [BALUG-Talk] [BALUG-Admin] balug.org DNS review ... CHAOS ; -> ... Date: Wed, 27 Sep 2017 22:36:16 -0700
Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
$ dig +noall +answer +norecurse +comments @ns1.balug.org. version.bind TXT CHAOS ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49907 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 $ dig +noall +answer +norecurse +comments @ns1.balug.org. hostname.bind TXT CHAOS ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27923 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 $ dig +noall +answer +norecurse +comments @ns1.balug.org. id.server TXT CHAOS ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43870 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 $ Hmmmm... I might've expected NXDOMAIN ... but ... close enough.
Au contraire. There's a point about that. RCODE NOERROR with ANSWER: 0 means there are _other_ RRs for that FQDN, and this is subtly different from RCODE 'NXDOMAIN'[1], as explained on this useful page, one I found just today while trying to finally learn the difference: http://prefetch.net/blog/index.php/2016/09/28/the-subtleties-between-the-nxd...
So what does NOERROR with an ANSWER of 0 actually represent? It means one or more resource records exist for this domain but there isn't a record matching the resource record type (A, AAAA, MX, etc.). This was a useful clarification for me and helped me isolate and fix the issue I was debugging. Sometimes the devil is in the details.
Worth reading.
Thanks, a good - and reasonably brief - read that: http://prefetch.net/blog/index.php/2016/09/28/the-subtleties-between-the-nxd... that you referenced. :-)
And indeed, is wee bit more CHAOS data out there: $ (for d in version.bind hostname.bind server-id.bind id.server bind. server.; do dig +noall +answer +norecurse @ns1.balug.org. "$d" ANY CHAOS; done) | sort -u hostname.bind. 0 CH NS hostname.bind. hostname.bind. 86400 CH SOA hostname.bind. hostmaster.hostname.bind. 0 28800 7200 604800 86400 id.server. 0 CH NS id.server. id.server. 86400 CH SOA id.server. hostmaster.id.server. 0 28800 7200 604800 86400 version.bind. 0 CH NS version.bind. version.bind. 86400 CH SOA version.bind. hostmaster.version.bind. 0 28800 7200 604800 86400 $
So ... maybe I check further in future if there's reasonable way to cleanly disable all that ... but not high on the task/priority list at present - it's at least "good enough for now". My "todo" list is only 5,848 lines long ... and I'm sure I've forgotten to include many items and details.
From: "Rick Moen" rick@linuxmafia.com Subject: Re: [BALUG-Talk] [BALUG-Admin] balug.org DNS review ... CHAOS ; -> ... Date: Wed, 27 Sep 2017 22:36:16 -0700
Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
$ dig +noall +answer +norecurse +comments @ns1.balug.org. version.bind TXT CHAOS ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49907 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 $ dig +noall +answer +norecurse +comments @ns1.balug.org. hostname.bind TXT CHAOS ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27923 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 $ dig +noall +answer +norecurse +comments @ns1.balug.org. id.server TXT CHAOS ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43870 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 $ Hmmmm... I might've expected NXDOMAIN ... but ... close enough.
Au contraire. There's a point about that. RCODE NOERROR with ANSWER: 0 means there are _other_ RRs for that FQDN, and this is subtly different from RCODE 'NXDOMAIN'[1], as explained on this useful page, one I found just today while trying to finally learn the difference: http://prefetch.net/blog/index.php/2016/09/28/the-subtleties-between-the-nxd...
So what does NOERROR with an ANSWER of 0 actually represent? It means one or more resource records exist for this domain but there isn't a record matching the resource record type (A, AAAA, MX, etc.). This was a useful clarification for me and helped me isolate and fix the issue I was debugging. Sometimes the devil is in the details.
Worth reading.
Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
So ... maybe I check further in future if there's reasonable way to cleanly disable all that ... but not high on the task/priority list at present - it's at least "good enough for now".
I still like my 'Shirley, you're joking' solution -- copied from something similar that Aaron T. Porter does.
FWIW, I do _not_ see the logic in returning 'none' (or null) on a CHAOS request for hostname. I mean, it's the hostname. You already have a positive incentive for stating what that is, so I regard it as an actual Good Thing.
Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
Yea departing DreamHost.com!!! (A.k.a. nightmare host <sigh>).
It's funny how they tempt the Irony Fairy.
[add'l auth nameservers:]
Or, ... even not bother a friend and ... There are some free/complementary DNS slave services out there for the taking by any and/or all ... most of 'em suck (perhaps some exceptions?)
Either of the options you discussed seem pretty reasonable. As to the he.net quirk of needing to provide authority before they provide service, I've noticed that the practical effect on a domain of one or two auth nameservers doing RCODE SERVFAIL for a while is not serious.
As for DNS server identifying its software/version ... what [il]legitimate uses for that?
Legitimate uses the CHAOSnet _hostname_ (or server_id) RR I've heard of involve edge cases with multiple auth nameservers behind a load balancer. Publishing that RR lets you more quickly determine which nameserver is giving you problems in some scenarios.
Legitimate use of the CHAOSnet _version_ RR? Never heard of one. Use your imagination, and maybe you can contrive some scenario where there's legitimate, beneficial use for programmatically determining what nameserver/version a query is being answered from.
In fairness, the software/version of a nameserver can probably also be determined pretty well by probing it with DNS fingerprinting methods, such as using the fpdns utility. https://github.com/kirei/fpdns But the same can be said of other public-facing daemons, such as httpds -- yet I would rather not make it easy for the bad guys, so I make mine say as little as possible about its software/version/configuration. Same logic.
Is it entirely (or mostly) unique to BIND?
No. BIND merely had the reference implementation. CHAOSnet (originally invented for completely different purposes involving coax connections among LISP machines in the 1970s) is just one of many, mostly very obscure, DNS class types that are in theory all valid for any and all nameservers. The CH class identity is just an IANA-assigned encoded 16-bit value sent along with RRs. We think of class 'IN' (Internet) as the regular and default class, but to nameserver sofware that's just a two-byte binary-encoded value. Once in a blue moon, you might come across the Hesiod class (HS) from Project Athena (http://en.wikipedia.org/wiki/Hesiod_(name_service) ).
RFC2929 says:
Dec Hex Description 0 0x0000 Assignment requires an IETF Standards Action. 1 0x0001 Internet (IN) 2 0x0002 Available for assignment by IETF Consensus as a data CLASS. 3 0x0003 Chaos (CH) 4 0x0004 Hesiod (HS) 5-127 0x0005-0x007F Available for assignment by IETF Consensus as data CLASSes only. 128-253 0x0080-0x00FD Available for assignment by IETF Consensus as QCLASSes only. 254 0x00FE QCLASS None 255 0x00FF QCLASS Any 256-32767 0x0100-0x7FFF Assigned by IETF Consensus. 32768-65280 0x8000-0xFEFF Assigned based on Specification Required as defined in RFC 2434 65280-65534 0xFF00-0xFFFE Private Use. 65535 0xFFFF Can only be assigned by an IETF Standards Action.
Those are all valid DNS class values. In theory, IETF could roll out any of them in accordance with its bureaucratic process. In practice, IN, CH, and HS are the limit for now. Probably, any nameserver can handle them, but I am not going to go around setting up Hesiod in order to try (let alone a bunch of LISP machines on antique coax networking). ;->
Disclaimer: Specifically, I haven't checked _every_ auth nameserver package to see if they default to certain CHAOS class 'hostname' and 'version' values the way BIND9 does. NSD does. Unbound does. The PowerDNS suite does. djbdns does. MaraDNS does (IIRC). I don't know about the others.
On Wed, Sep 27, 2017 at 10:30 PM, Rick Moen rick@linuxmafia.com wrote:
Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
Yea departing DreamHost.com!!! (A.k.a. nightmare host <sigh>).
It's funny how they tempt the Irony Fairy.
Even funnier is how they manage to stay in business given their terrible service.
-th
Quoting Todd Hawley (celticdm@gmail.com):
Even funnier is how they manage to stay in business given their terrible service.
I suspect it's a familiar unhealthy market dynamic, driven by customers no understanding nearly enough about (some) products/services they buy: Basically, if you don't understand a product/service category, you seek bottom dollar because that's the only part you do fully grasp. And, over the long-term, that leads to overall quality decline in said market.
IIRC, the firm we're talking about is one of the price-leading ones, though I won't swear to that as I don't do that sort of shopping. Anyway, about the market dynamic I have in mind:
http://linuxmafia.com/~rick/lexicon.html#moenslaw-bicycles
(Counter-example to Moen's Law of Bicycles: the market for 35mm cameras, _because_ it's dominated by very knowledgeable, engaged customers.)
On Thu, Sep 28, 2017 at 1:01 PM, Rick Moen rick@linuxmafia.com wrote:
Quoting Todd Hawley (celticdm@gmail.com):
Even funnier is how they manage to stay in business given their terrible service.
I suspect it's a familiar unhealthy market dynamic, driven by customers no understanding nearly enough about (some) products/services they buy: Basically, if you don't understand a product/service category, you seek bottom dollar because that's the only part you do fully grasp. And, over the long-term, that leads to overall quality decline in said market.
Good point and most times that would be true. However, I've run into a couple folk who have more than one site hosted there and move other sites there "because they provide good service." In other words, they provide better service to users who have multiple accounts there than to those who only have one. Although it's been years since I've seen these folk so I have no idea if they still have their sites hosted there.
-th
Quoting Todd Hawley (celticdm@gmail.com):
Good point and most times that would be true. However, I've run into a couple folk who have more than one site hosted there and move other sites there "because they provide good service." In other words, they provide better service to users who have multiple accounts there than to those who only have one.
Very plausible. And/or those other users may have bought a higher grade of service costing more money.
Also, to be fair, a number of major hosting service such as Bluehost (don't know wbout Dreamhost) based their reputations on specifically hosting of Wordpress Web sites on shared hosts -- with other services like SMTP / mailing lists being (in the opinion of outside commenters) afterthoughts that are poorly run.
This would be consistent with what most modern Internet-hosting customers mean when they say 'site'.
Worpress is a vast and security-problematic blogging (etc.) engine written in the security-problematic PHP language, so there's quite a market niche describable as 'company that takes care of innumerable security meltdowns and other nuisances so you can use a cruddy Web app without devoting your life to it'. If a customer sees that as the most important thing a hosting company can do, then from that perspective a company whose SMTP / mailing list operations suck rocks might be utterly excellent.
I'm honestly _not_ trying to mock that viewpoint. I merely don't happen to share it.
On Thu, Sep 28, 2017 at 10:48 PM, Rick Moen rick@linuxmafia.com wrote:
Quoting Todd Hawley (celticdm@gmail.com):
Good point and most times that would be true. However, I've run into a couple folk who have more than one site hosted there and move other sites there "because they provide good service." In other words, they provide better service to users who have multiple accounts there than to those who only have one.
Very plausible. And/or those other users may have bought a higher grade of service costing more money.
Not sure if DH offers that but who knows.
Also, to be fair, a number of major hosting service such as Bluehost (don't know wbout Dreamhost) based their reputations on specifically hosting of Wordpress Web sites on shared hosts -- with other services like SMTP / mailing lists being (in the opinion of outside commenters) afterthoughts that are poorly run.
I used to maintain a site that ran WordPress, we migrated it to DH and they insisted they could only run WP if our URL included the Dreamhost name in the URL. It made for a very clunky and LONG URL to say the least. So yeah DH will run a WP site but only (at least at the time) if you gave "free advertising" to DH in the form of an extra long URL.
This would be consistent with what most modern Internet-hosting customers mean when they say 'site'.
Worpress is a vast and security-problematic blogging (etc.) engine written in the security-problematic PHP language, so there's quite a market niche describable as 'company that takes care of innumerable security meltdowns and other nuisances so you can use a cruddy Web app without devoting your life to it'. If a customer sees that as the most important thing a hosting company can do, then from that perspective a company whose SMTP / mailing list operations suck rocks might be utterly excellent.
Aha! I wondered why WP had so many security issues. Although from what I'd heard PHP was a nice scripting language and easy to learn. I had no idea it was prone to security issues.
-th
Quoting Todd Hawley (celticdm@gmail.com):
I used to maintain a site that ran WordPress, we migrated it to DH and they insisted they could only run WP if our URL included the Dreamhost name in the URL.
How funny.
Aha! I wondered why WP had so many security issues. Although from what I'd heard PHP was a nice scripting language and easy to learn. I had no idea it was prone to security issues.
Just for fun, here's a cranky rant giving a full rundown on the problems with PHP: https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/
I suspect it's difficult verging on impossible to write good and reasonably secure public-facing PHP code if it does anything significant. In any event, for whatever reason, there are continual, repeating security breakdowns in WordPress itself. Troublingly, these tend to keep occurring over and over in the same areas, suggesting that there are deep architectural flaws that give rise to the recurring implementation flaws, i.e., the underlying problems don't ever get truly fixed, only this week's manifestation of the problem.
If you've been around software for a while, you learn to recognise that pattern. Fixed, this time for sure! Oh darn, here's another one that's technically different, and we've fixed that. Wait, here's another one and a fix for it....
I'm personally sympatico with security expert Marcus J. Ranum's take on this: If signs suggest that code is fundamentally not very good, then the only reasonable remedy is to avoid running it, rather than continually applying the patch du jour, from now unto eternity. Here's one of his several rants about that:
http://www.ranum.com/security/computer_security/editorials/master-tzu/
It's also idea #3 on his list of the Six Dumbest Ideas in Computer Security: http://www.ranum.com/security/computer_security/editorials/dumb/
There's some keen thinking behind Ranum's views. On a separate page, http://www.ranum.com/editorials/must-read/ , Ranum singles out Nobel Prize-winning physicist Richard Feynman's insight in his much-praised separate 'Personal observations on the reliability of the Shuttle' report, Feynman wrote as a member of the Rogers Commission investigating the Challenger disaster:
In "Observations", Feynman is careful to point out, in his discussion of "safety margin", that, if hot gasses are not _designed_ to jet past and damage an O-ring, then there is no such thing as a "safe" flight in which that happens _to any degree_. You could take "Observations" and staple a post-it note to the front of it reading, "...and if the design doesn't say that heat resistant tiles are _supposed_ to fall off, then there is no 'safety margin' that justifies flying the shuttle if they do."
I have unashamedly paraphrased Feynman over and over again in the last few years, with respect to computer security: "If the design of your operating doesn't _say_ that it's _supposed to be hack-able_, then it shouldn't be and it's not safe for use in an environment where there are hackers." I wish I could boil that down to a Feynman-esque quip, or a Sun Tzu-style phrase - but it is no embarrassment for any man to admit that they aren't in that league of thinkers.
For context, as Feynman recounts, NASA administrators had written off the space shuttle's continual shedding of heat-shielding tiles as an acceptable risk (the estimated risk going down as one ascended the management foodchain), despite the fact that (to pick one example among several), according to the shuttle's engineering design, no tiles were supposed to fall off at all.
By analogy, the recurring security problems in both PHP and Wordpress are of the sort that make you ask 'Why are these happening at all, and why do they keep happening in the same areas?' The natural suspicion is thus that there are fundamental, deep flaws that aren't ever getting fixed, just the cracks spackled over.
Ranum's so impressed by the profundity of Feynman's observations that he mirrors a copy, here: http://www.ranum.com/security/computer_security/editorials/dumb/feynman.html
On Fri, Sep 29, 2017 at 9:11 AM, Rick Moen rick@linuxmafia.com wrote:
Quoting Todd Hawley (celticdm@gmail.com):
I used to maintain a site that ran WordPress, we migrated it to DH and
they
insisted they could only run WP if our URL included the Dreamhost name in the URL.
How funny.
Yes. Looking back, I highly suspect they didn't want to have to do the
work involved in setting up WP for the site and then said, "Oh. You want this? Well then you have to do this for us." Free advertising for them. What a concept. <sigh> Why didn't I realize this at the time? Ah well.
Aha! I wondered why WP had so many security issues. Although from what
I'd heard PHP was a nice scripting language and easy to learn. I had no
idea
it was prone to security issues.
Just for fun, here's a cranky rant giving a full rundown on the problems with PHP: https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/
Interesting piece.
I suspect it's difficult verging on impossible to write good and
reasonably secure public-facing PHP code if it does anything significant. In any event, for whatever reason, there are continual, repeating security breakdowns in WordPress itself. Troublingly, these tend to keep occurring over and over in the same areas, suggesting that there are deep architectural flaws that give rise to the recurring implementation flaws, i.e., the underlying problems don't ever get truly fixed, only this week's manifestation of the problem.
If you've been around software for a while, you learn to recognise that pattern. Fixed, this time for sure! Oh darn, here's another one that's technically different, and we've fixed that. Wait, here's another one and a fix for it....
Or you have programming teams on tight deadlines who aren't allowed time to fix a fundamental problem. Instead, they're told to find a patch for a bug and then "when time allows," they'll go back and fix the fundamental problem. Which of course never happens. Or they say, "that's not a bug, that's a new feature." :p
-th
Quoting Todd Hawley (celticdm@gmail.com):
Or you have programming teams on tight deadlines who aren't allowed time to fix a fundamental problem. Instead, they're told to find a patch for a bug and then "when time allows," they'll go back and fix the fundamental problem. Which of course never happens. Or they say, "that's not a bug, that's a new feature." :p
Here's a very funny rant about that, for you, almost too true for humour:: https://www.stilldrinking.org/programming-sucks
Excerpt:
All programming teams are constructed by and of crazy people
Imagine joining an engineering team. You’re excited and full of ideas, probably just out of school and a world of clean, beautiful designs, awe-inspiring in their aesthetic unity of purpose, economy, and strength. You start by meeting Mary, project leader for a bridge in a major metropolitan area. Mary introduces you to Fred, after you get through the fifteen security checks installed by Dave because Dave had his sweater stolen off his desk once and Never Again. Fred only works with wood, so you ask why he’s involved because this bridge is supposed to allow rush-hour traffic full of cars full of mortal humans to cross a 200-foot drop over rapids. Don’t worry, says Mary, Fred’s going to handle the walkways. What walkways? Well Fred made a good case for walkways and they’re going to add to the bridge’s appeal. Of course, they’ll have to be built without railings, because there’s a strict no railings rule enforced by Phil, who’s not an engineer. Nobody’s sure what Phil does, but it’s definitely full of synergy and has to do with upper management, whom none of the engineers want to deal with so they just let Phil do what he wants. Sara, meanwhile, has found several hemorrhaging-edge paving techniques, and worked them all into the bridge design, so you’ll have to build around each one as the bridge progresses, since each one means different underlying support and safety concerns. Tom and Harry have been working together for years, but have an ongoing feud over whether to use metric or imperial measurements, and it’s become a case of “whoever got to that part of the design first.” This has been such a headache for the people actually screwing things together, they’ve given up and just forced, hammered, or welded their way through the day with whatever parts were handy. Also, the bridge was designed as a suspension bridge, but nobody actually knew how to build a suspension bridge, so they got halfway through it and then just added extra support columns to keep the thing standing, but they left the suspension cables because they’re still sort of holding up parts of the bridge. Nobody knows which parts, but everybody’s pretty sure they’re important parts. After the introductions are made, you are invited to come up with some new ideas, but you don’t have any because you’re a propulsion engineer and don’t know anything about bridges.
Would you drive across this bridge? No. If it somehow got built, everybody involved would be executed. Yet some version of this dynamic wrote every single program you have ever used, banking software, websites, and a ubiquitously used program that was supposed to protect information on the Internet but didn’t.
Wall of text is in the original. (The copy-editor in me keeps wanting to trisect that paragraph.)
On Sun, Oct 1, 2017 at 7:32 PM, Rick Moen rick@linuxmafia.com wrote:
Quoting Todd Hawley (celticdm@gmail.com):
Or you have programming teams on tight deadlines who aren't allowed time to fix a fundamental problem. Instead, they're told to find a patch for a bug and then "when time allows," they'll go back and fix the fundamental problem. Which of course never happens. Or they say, "that's not a bug, that's a new feature." :p
Here's a very funny rant about that, for you, almost too true for humour:: https://www.stilldrinking.org/programming-sucks
Yep that rant pretty much sums it up doesn't it?
-th
Quoting Todd Hawley (celticdm@gmail.com):
Yep that rant pretty much sums it up doesn't it?
And in an _institutional_ setting, that syndrome is difficult to avoid when it happens (except by seeking employment elsewhere). In our own computing lives, we can rather often reduce the madness by just saying 'no'. I've been having an ongoing conversation with Michael Paoli (lately, on the balug-admin list) about places to reduce needless complexity with BALUG's server setup, and also in my own server setup, for example. There's a lot that can be done, and most of it's low-hanging fruit.
Way back around 1997, I'd been considering typical & recurring security threats to the Red Hat Linux installation I was then running, and decided one day that U. of Washington in.pop3d could no longer be justified. It exposed passwords in plaintext across the Internet, for starters. I considered installing an IMAP daemon (Dovecot didn't yet exist), but for various reasons I don't quite recall didn't, and decided to make my life simpler by just running _no_ Mail Delivery Agent daemons. I got in contact with my users, and said, you can either use one of linuxmafia.com's console-mode local mail programs (mutt, pine, elm, etc.) or, if you insist on fetching your mail to some desktop machine, just use rsync over ssh to do so.
One of my users just could not abide that. She loved her Eudora and didn't want to change her way of fetching mail. I said, sorry you're unhappy, but my system, my rules. She left, which is fine if she'd rather deal with Yahoo Mail (which she does to this day).
To sum: On your own system, you aren't obliged to make dumb software choices (bad code, bad network protocols, etc.) just because they're popular. So, IMO, why not make the most of that freedom?