Latest posts.

Episode 25

In this episode, Matt and Cricket attempt to answer all nine of Jorge Fábregas’s “couple of questions” in a lightning round.  Then they swap war stories about all the travel they’ve been doing and have yet to do (implicitly offering excuses for the long gap between episodes), and finally – and inevitably – discuss Neal Stephenson’s new book, REAMDE.

On allowing ICMP to authoritative name servers

After hearing our answer in Episode 24 to Jorge Fábregas’s question about whether to allow ICMP messages to authoritative name servers, David Dagon submitted this insightful response:

On episode 24 of your “The Ask Mr. DNS Podcast”, you answered a question by Jorge Fábregas about whether to allow ICMP messages to an authoritative server.

Your answer (to allow ICMP) noted the convenience of ICMP and its utility in diagnosing server errors.  I would like to offer another rationale for allowing ICMP messages destined for authority servers.

If an attacker is attempting to poison your zone in a third party’s recursive (e.g., by spoofing your source address in answer to an induced glue request), your authority will see ICMP blowback from the victim recursive for incorrect QID and/or SPORT guesses.  I.e., forged packets destined for closed UDP ports will result in ICMP(3,3) message from the victim recursive.

Informally, the authority hears distant echoes of any brute force attack on a recursive.  Since ICMP messages typically contain the IP header and first 8 bytes of the offending UDP datagram, this is just enough payload to include the QID.  (Some OSes even include more octets of the blocked datagram, permitting inspection of the QNAME).

Thus, one can monitor an authority for high volumes of ICMP messages, and infer the possible poisoning attempt on a third-party recursive. Confirmation of the nature of the attack comes from the QID diversity (which may suggest a poisoning attack).  Of course, there still exists the possibility that even the ICMP messages were spoofed.  But if the third-party victim is open recursive, one could even inspect the victim’s cache, iteratively asking for records in your zone, to confirm the success of the attack.

While brute-force DNS poisoning is (thankfully) rare in the post-Kaminsky world, and of concern only for high-value sites, there are still some episodes of cache poisoning.  This is yet another reason to allow ICMP traffic to authority servers.

Sadly, we didn’t think of this, but it’s an excellent reason to allow ICMP to your authoritative name servers.  And once again, we’re gratified and humbled to have such incisive listeners.

If you’re interested in reading more from David, we highly recommend a paper he coauthored, Corrupted Resolution Paths: The Rise of a Malicious Resolution Authority, about open recursive name servers that return deliberately incorrect answers.  Very scary.
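As an added illustration of the monitoring David describes (this is not code from David, the podcast, or any project they mention), the script below parses ICMP destination-unreachable messages as an authoritative server would receive them, keeps only type 3 code 3 (port unreachable) messages whose quoted datagram claims to come from our own address, and aggregates them per victim recursive: message count, distinct destination ports, distinct QIDs, and any QNAMEs that were quoted.  The authority address 192.0.2.53, the victim addresses, the threshold of three distinct QIDs and all packets are constructed for the example; in practice the ICMP bytes would come from a packet capture on the authority.  Note that the first 8 bytes of a UDP datagram are the UDP header itself, so the QID (the first two bytes of the DNS message) is only recoverable when the sender quotes more than the 8-byte RFC 792 minimum; the parser treats that header-only case explicitly and counts it separately.

```python
# Added example (constructed packets, no capture): count ICMP port-unreachable
# "blowback" at an authoritative server and flag QID diversity per victim.
import socket
import struct
from collections import defaultdict

AUTHORITY = "192.0.2.53"  # assumed address of our authority (the one an attacker spoofs)


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, zero checksum) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def encode_qname(name):
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_forged_response(qid, qname, sport, dport, victim):
    """A forged DNS reply as an attacker sends it: source spoofed to AUTHORITY."""
    dns = (struct.pack("!HHHHHH", qid, 0x8180, 1, 0, 0, 0)
           + encode_qname(qname) + struct.pack("!HH", 1, 1))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns), 0) + dns
    return build_ipv4(AUTHORITY, victim, 17, udp)


def build_icmp_unreachable(code, offending, quote=None):
    """ICMP type 3 quoting the offending datagram; quote=28 is the RFC 792
    minimum (20-byte IP header + first 8 bytes of UDP, i.e. the UDP header only)."""
    quoted = offending if quote is None else offending[:quote]
    return struct.pack("!BBHI", 3, code, 0, 0) + quoted


def decode_qname(dns, offset=12):
    """QNAME from the quoted question; None if truncated or compressed."""
    labels = []
    while offset < len(dns):
        n = dns[offset]
        if n == 0:
            return ".".join(labels) + "."
        if n & 0xC0 or offset + 1 + n > len(dns):  # pointer or cut-off label
            return None
        labels.append(dns[offset + 1:offset + 1 + n].decode("ascii", "replace"))
        offset += 1 + n
    return None


def parse_port_unreachable(icmp):
    """Details of an ICMP(3,3) quoting a UDP datagram, else None."""
    if len(icmp) < 28 or icmp[0] != 3 or icmp[1] != 3:
        return None
    inner = icmp[8:]                      # quoted IP datagram
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 17 or len(inner) < ihl + 8:   # not UDP, or UDP header cut off
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    dns = inner[ihl + 8:]                 # anything beyond the UDP header
    return {"src": socket.inet_ntoa(inner[12:16]), "dst": socket.inet_ntoa(inner[16:20]),
            "sport": sport, "dport": dport,
            "qid": struct.unpack("!H", dns[:2])[0] if len(dns) >= 2 else None,
            "qname": decode_qname(dns) if len(dns) > 12 else None}


def summarize_blowback(icmp_messages, authority=AUTHORITY, min_distinct_qids=3):
    """Per victim recursive: volume, port/QID diversity, QNAMEs, and a poisoning flag."""
    acc = defaultdict(lambda: {"messages": 0, "qids": set(), "dports": set(),
                               "qnames": set(), "header_only": 0})
    for msg in icmp_messages:
        ev = parse_port_unreachable(msg)
        if ev is None or ev["src"] != authority:   # only datagrams claiming to be ours
            continue
        v = acc[ev["dst"]]
        v["messages"] += 1
        v["dports"].add(ev["dport"])
        if ev["qid"] is None:
            v["header_only"] += 1                   # sender quoted only the UDP header
        else:
            v["qids"].add(ev["qid"])
        if ev["qname"]:
            v["qnames"].add(ev["qname"])
    return {victim: {"messages": v["messages"], "distinct_qids": len(v["qids"]),
                     "distinct_dports": len(v["dports"]), "qnames": sorted(v["qnames"]),
                     "quoted_header_only": v["header_only"],
                     "possible_poisoning": len(v["qids"]) >= min_distinct_qids}
            for victim, v in acc.items()}


def sample_messages():
    """Constructed blowback: a burst of guesses at one recursive, one stray at another."""
    victim, other = "198.51.100.7", "203.0.113.9"
    msgs = [build_icmp_unreachable(3, build_forged_response(0x1000 + i, "www.example.",
                                                            53, 40000 + i, victim))
            for i in range(5)]
    msgs.append(build_icmp_unreachable(3, build_forged_response(0x2000, "www.example.",
                                                                53, 40005, victim), quote=28))
    msgs.append(build_icmp_unreachable(1, build_forged_response(0x3000, "www.example.",
                                                                53, 40006, victim)))  # host unreachable: ignored
    msgs.append(build_icmp_unreachable(3, build_forged_response(0x4000, "mail.example.",
                                                                53, 1234, other)))
    return msgs


if __name__ == "__main__":
    for victim, report in summarize_blowback(sample_messages()).items():
        print(victim, report)
```

The flag is deliberately based on QID diversity rather than raw volume, since a single misconfigured client retrying against a closed port produces many messages with one QID, while a brute-force poisoner produces many distinct QIDs (and usually many destination ports) aimed at one victim.  As David notes, the ICMP messages themselves could be spoofed, so the output is a lead to follow up, not proof.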

Episode 24

In this episode, Matt (having dodged Hurricane Irene) and Cricket (having recently returned from South America) grovel and scrape after a nearly-three-month hiatus, then answer questions from Jorge Fábregas about whether to allow ICMP to authoritative name servers; from Donnie Carvajal about how to resolve a private, internal domain name; and from Leo Vandewoestijne about mismatched NS RRsets.  Along the way, they learn a nice trick from Leo about how to convey proper pronunciation to fellow Mac owners, lament their inability to pronounce their own surnames correctly, and probably cause Olafur Gudmundsson to spit coffee all over his laptop.

Meet Matt and Me Live at FOSE 2011

If you’ve ever wanted to meet the men behind the mics, Matt and I will be speaking on a panel on DNSSEC at this year’s FOSE conference in Washington, D.C., from July 19th to 21st.  (We’re not speaking for three days, but the show runs that long.  We’re only speaking on Tuesday at 3:15.)

The other guys on the panel are no slouches, either:  Nate Meyer from F5 and Alan Clegg from ISC.

The folks who run FOSE have graciously offered to extend a 20% discount to our listeners, too.  For details, click here.

Episode 23

In this star-studded episode, taped at Dyn Inc.’s second annual “Inside Baseball” event, Matt and Cricket are joined by a “who’s who” of DNS luminaries.  They answer questions from Bob Harold (who previously received a tee shirt and does not want another) about whether CNAME records terminate a subtree of the namespace, from Warren Kumari about why a domain name that owns a CNAME record can’t own any other record types, from Wayne Ketterer about how to set up DNS so that a given domain name maps to one address internally and another externally, and from Canadian Todd about whether adding glue AAAA records is a good idea.  Then the collected luminaries throw a few “stump the chump”-style questions at Matt and Cricket – a little like shooting fish in a barrel. Tune in to see how well they fare.

Note that the audio isn’t quite up to even our low standards, despite the best efforts of Matt and Tom Daly of Dyn to smuggle decent recording equipment across state lines, but it’s certainly listenable.

Episode 22

After a respite carefully timed to avoid the Ides of March, Matt and Cricket answer Brian Mazzocco’s question about the meaning of strange, possibly European symbols in zone data files; address John Shin’s question about how validating, recursive name servers handle aliases from signed zones to unsigned zones; and assess Gavin Brown’s suggestion for automatically bootstrapping DS records from a signed child zone into its parent.

Episode 21

In this mercifully digression-free episode – perhaps not coincidentally taped in person in Cricket’s office in Santa Clara – Matt and Cricket answer Josh Baverstock’s umpteenth question, this one about storing certificates in DNS, as well as Dirck Copeland’s and Bob Harold’s related questions about bad delegations.  Josh, Dirck and Bob will each receive a handsome black Practice Safe DNS tee shirt courtesy of the Public Interest Registry.  If we’ve got the right sizes, that is.

Episode 20

In this episode, Matt and Cricket answer Dana S’s question (submitted from Kurdistan!) about the wisdom (or folly) of implementing an OpenDNS-like system using multiple views, as well as Alex Wilkinson’s questions about what all those SRV records that Domain Controllers register are for and whether BIND name servers can serve them, and which tools they recommend for troubleshooting DNS problems.  Along the way, they plug several web-based troubleshooting tools, including VeriSign’s http://www.dnssec-debugger.com/, Casey Deccio’s http://www.dnsviz.net/ and Infoblox’s http://www.dnsadvisor.com/.

But most importantly, they extend an offer of a free black tee shirt (and you can’t have enough of those!) to anyone submitting a question to Mr. DNS that’s answered on a forthcoming podcast!  And if that’s not enough, listeners can also hear Matt best Cricket’s knowledge of Bay Area trivia with an obscure fact about the Westin St. Francis.

Episode 19

In this episode, Matt and Cricket beseech their legion of listeners to submit more questions, then turn Jeremy Laidman’s question about conditionally forwarding a subzone into an exhaustive (and somewhat exhausting) discussion of the history of BIND and conditional forwarding, and how to use conditional forwarding to build robust name resolution architectures.  Then they address Jesus Cea’s question about how to goad his provider of secondary name service into supporting DNSSEC.  In the process, they digress into the influence of “Top Gear” on impressionable youth, somewhat impractical advice on how HP could improve route aggregation through strategic acquisitions, and a comparison of various syndicated advice columnists.

Episode 18

In this podcast, Matt and Cricket answer Leen Besselink’s question about the viability of Dan Kaminsky’s proposed use of a clever DNSCurve concept in DNSSEC, and Matt offers his high opinion of the Dutch people (surely risking retribution by his Swedish countrymen).  Then they turn to Josh Baverstock’s question about why the LOC record failed to catch on, despite its obvious utility to cruise missiles with stub resolvers.  Finally, in yet another of their “Why, back in my day…” sessions, they lament the loss of summer vacations that lasted through Labor Day.