Exploits start against flaw that could hamstring huge swaths of Internet | Ars Technica

Jared Mauch jared at puck.Nether.net
Tue Aug 4 18:57:10 UTC 2015


On Wed, Aug 05, 2015 at 02:39:18AM +1000, Mark Andrews wrote:
> 
> In message <9C2ACA5A-755D-4FCF-8491-745A1F9111BA at puck.nether.net>, Jared Mauch writes:
> > I recommend using DNSDIST to balance traffic at a protocol level as you can have implementation diversity on the backside.
> > 
> > I can send an example config out later for people. You can balance to bind, NSD and others all at the same time :-) just move your SPoF
> > 
> > Jared Mauch
> 
> Unless the same client hits the same server all the time this is a
> bad idea.

	Software that can't handle the remote side having a
upgrade/downgrade/capability change is broken.

> Resolvers actually track capabilities of servers as it is the only
> way to get answers due to firewalls dropping legitimate packets and
> protocol misimplementations.  Add to that different vendors /
> versions supporting different extensions; randomly flipping between
> vendors / versions is fraught with danger unless you take extreme
> care.

	I've come to use DNSDist to work around the problems
that BIND has with outstanding queries which don't get a response.

	You might be surprised how poorly BIND performs if you
use something else to take a look at it from the exterior.

	http://puck.nether.net/~jared/dnsdist.png

	The first two are BIND, the 3rd is not, and the 4th is BIND.

	The last 3 get the same types of queries; notice how BIND
drops lots of queries.  I don't have time to report all the DNS related
issues on bind-users/dev, but you may find it helpful to use a tool
like this to at least identify what is going on.

	The last 3 servers get only domains like arpa and a few well
known domains, e.g. gmail.

	- Jared

> > > On Aug 4, 2015, at 10:03 AM, Jay Ashworth <jra at baylink.com> wrote:
> > >
> > > Everyone got BIND updated?
> > >
> > >
> > > http://arstechnica.com/security/2015/08/exploits-start-against-flaw-that-could-hamstring-huge-swaths-of-internet/
> > > --
> > > Sent from my Android phone with K-9 Mail. Please excuse my brevity.
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
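As an added illustration of the dnsdist setup Jared mentions (this is not his promised config, nor anything from the dnsdist project itself), the fragment below fronts one authoritative service address with a mix of BIND and NSD backends, so a bug in one implementation takes out part of the pool rather than the whole service. It also addresses Mark's objection: instead of the default round-robin, a custom Lua policy hashes the querying resolver's address so the same client keeps landing on the same backend and the capability state it has learned stays valid. The listener and backend addresses, server names and the health-check zone are assumptions; the policy follows the shape documented for `setServerPolicyLua` (a table of Server objects plus the DNSQuestion).

```lua
-- dnsdist.conf (added example, not from the original post)
-- Listener address and backends are assumptions; pick your own.
setLocal("192.0.2.53:53")

-- Implementation diversity behind one address: two BIND, two NSD.
-- checkName/checkType make the health check ask for the SOA of a zone
-- every backend really serves, so a backend that stops answering is
-- marked down and dropped from the pool.
newServer({address="10.0.0.11:53", name="bind-1", checkName="example.net.", checkType="SOA"})
newServer({address="10.0.0.12:53", name="bind-2", checkName="example.net.", checkType="SOA"})
newServer({address="10.0.0.21:53", name="nsd-1",  checkName="example.net.", checkType="SOA"})
newServer({address="10.0.0.22:53", name="nsd-2",  checkName="example.net.", checkType="SOA"})

-- djb-style string hash kept inside 31 bits; plain Lua arithmetic, no bit library.
local function hashString(s)
  local h = 5381
  for i = 1, #s do
    h = (h * 33 + s:byte(i)) % 2147483647
  end
  return h
end

-- Client-affinity policy: a resolver that has learned "this server does
-- not do EDNS option X" must keep talking to the same server, so pin each
-- source address to one backend.  Walk forward from the hashed slot until
-- an up server is found, so a dead backend only moves the clients that
-- were pinned to it, not everyone.
local function clientHash(servers, dq)
  local n = #servers
  if n == 0 then
    return nil
  end
  local start = hashString(dq.remoteaddr:toString()) % n
  for i = 0, n - 1 do
    local s = servers[1 + (start + i) % n]
    if s:isUp() then
      return s
    end
  end
  -- everything is marked down; return the pinned server and let the
  -- health checks sort it out
  return servers[1 + start]
end

setServerPolicyLua("clienthash", clientHash)
```

Two caveats a practitioner will hit: the hash is over the resolver's source address, so large anycast or NATed resolver farms still spread across backends; and the built-in `chashed`/`whashed` policies hash on the query name, not the client, so they do not give the per-client stickiness Mark is asking for.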


