Posts by admin.

Episode 30

In this latest episode of our evidently-now-quarterly podcast, Matt and Cricket answer Donald Rudder’s question about how common the A6 record is and its effect on DNSSEC.  Then they discuss the upcoming change of d.root-servers.net’s IPv4 address and the implications of that change.  And despite having only one question to answer, they manage to take up the usual 30 minutes!

Episode 29

In this episode, Matt and Cricket finally throw in the towel and give up on promising podcasts on any regular schedule.  But they do manage to clear Mr. DNS’s mailbag, answering questions from Ismael Lezcano about the availability of good programming APIs for working with DNS and why BIND doesn’t have a good mechanism for creating and deleting zones dynamically; and from William Brown  about how to induce major registrars to support DNSSEC.

Episode 28

In this (much delayed) episode, Matt and Cricket discuss the folly of trying to hew to a podcast-publishing schedule, and answer (or avoid) questions from Sevan Janiyan and Yiorgos Adamopoulos on what operating systems and software the root name servers run; from Kent Shuey on why a device that implements only part of the DNS specs seems to work okay on his network; and from Todd Larsen (apparently of Danish descent) on where he can go to meet like-minded souls discussing current issues with DNS and DNSSEC (God help him) and whether DANE’s TLSA record can coexist with a CNAME record.

Episode 27

In this episode, Matt and Cricket answer Alan Frabutt’s question about the existence of recursive name servers that don’t honor TTLs – the “yeti” of recursive name servers – and Joe Conlin’s question about the right way to deal with abuse of your name server, and try to assist Louis Sterchi in his quest to learn more about DNS, registries and registrars.  And this last leads them on a trip down the Internet’s memory lane, reminiscing about the old days of DNS, before registries and registrars, back when subdomains of com, net and org were free.

Episode 26

In this (recorded-just-before) Christmas episode, Matt and Cricket discuss the occupational hazards of church organists during the holidays, and then answer Ed Horley’s question about DNS64’s effect on DNSSEC, David Dunleap’s question about a special DNS setup that might be due to the use of load balancing, and Victor Tran’s question about whether he needs to sign all of his name server’s zones at once.  In the mean time, they reminisce over ancient and obscure methods of compressing and encoding files, and both react with dismay to the memory of driving in Cambridge, Massachusetts.

Episode 25

In this episode, Matt and Cricket attempt to answer all nine of Jorge Fábregas’s “couple of questions” in a lightning round.  Then they swap war stories about all the travel they’ve been doing and have yet to do (implicitly offering excuses for the long gap between episodes), and finally – and inevitably – discuss Neal Stephenson’s new book, REAMDE.

On allowing ICMP to authoritative name servers

After hearing our answer in Episode 24 to Jorge Fábregas’s question about whether to allow ICMP messages to authoritative name servers, David Dagon submitted this insightful response:

On episode 24 of your “The Ask Mr. DNS Podcast”, you answered a question by Jorge Fábregas about whether to allow ICMP messages to an authoritative server.

Your answer (to allow ICMP) noted the convenience of ICMP and its utility in diagnosing server errors.  I would like to offer another rationale for allowing ICMP messages destined for authority servers.

If an attacker is attempting to poison your zone in a third party’s recursive (e.g., by spoofing your source address in  answer to an induced glue request), your authority will see ICMP blowback from the victim recursive for incorrect QID and/or SPORT guesses.  I.e., forged packets destined for closed UDP ports will result in ICMP(3,3) message from the victim recursive.

Informally, the authority hears distant echos of any brute force attack on a recursive.  Since ICMP messages typically contain the IP header and first 8 bytes of the offending UDP datagram, this is just enough payload to include the QID.  (Some OS even include more octets of the blocked datagram, permitting inspection of the QNAME).

Thus, one can monitor an authority for high volumes of ICMP messages, and infer the possible poisoning attempt on a 3d party recursive. Confirmation of the nature of the attack comes from the QID diversity (which may suggest a poisoning attack).  Of course, there still exists the possibility that even the ICMP messages were spoofed.  But if the 3d party victim is open recursive, one could even inspect the victim’s cache, iteratively asking for records in your zone, to confirm the success of the attack.

While brute-force DNS poisoning is (thankfully) rare in the post-Kaminsky world, and of concern only for high-value sites, there are still some episodes of cache poisoning.  This is yet another reason to allow ICMP traffic to authority servers.

Sadly, we didn’t think of this, but it’s an excellent reason to allow ICMP to your authoritative name servers.  And once again, we’re gratified and humbled to have such incisive listeners.

If you’re interested in reading more from David, we highly recommend a paper he coauthored, Corrupted Resolution Paths: The Rise of a Malicious Resolution Authority, about open recursive name servers that return deliberately incorrect answers.  Very scary.

Episode 24

In this episode, Matt (having dodged Hurricane Irene) and Cricket (having recently returned from South America) grovel and scrape after a nearly-three-month hiatus, then answer questions from Jorge Fábregas about whether to allow ICMP to authoritative name servers; from Donnie Carvajal about how to resolve a private, internal domain name; and from Leo Vandewoestijne about mismatched NS RRsets.  Along the way, they learn a nice trick from Leo about how to convey proper pronunciation to fellow Mac owners, lament their inability to pronounce their own surnames correctly, and probably cause Olafur Gudmundsson to spit coffee all over his laptop.

Meet Matt and Me Live at FOSE 2011

If you’ve ever wanted to meet the men behind the mics, Matt and I will be speaking on a panel on DNSSEC at this year’s FOSE conference in Washington, D.C., from July 19th to 21st.  (We’re not speaking for three days, but the show runs that long.  We’re only speaking on Tuesday at 3:15.)

The other guys on the panel are no slouches, either:  Nate Meyer from F5 and Alan Clegg from ISC.

The folks who run FOSE have graciously offered to extend a 20% discount to our listeners, too.  For details, click here.

Episode 23

In this star-studded episode, taped at Dyn Inc.‘s second annual “Inside Baseball” event, Matt and Cricket are joined by a “who’s who” of DNS luminaries.  They answer questions from Bob Harold (who previously received a tee shirt and does not want another) about whether CNAME records terminate a subtree of the namespace, from Warren Kumari about why a domain name that owns a CNAME record can’t own any other record types, from Wayne Ketterer about how to set up DNS so that a given domain name maps to one address internally and another externally, and from Canadian Todd about whether adding glue AAAA records is a good idea.  Then the collected luminaries throw a few “stump the chump”-style questions at Matt and Cricket – a little like shooting fish in a barrel. Tune in to see how well they fare.

Note that the audio isn’t quite up to even our low standards, despite the best efforts of Matt and Tom Daly of Dyn to smuggle decent recording equipment across state lines, but it’s certainly listenable.

PlayPlay