From strenholme.usenet at gmail.com Wed Jul 9 08:26:27 2008
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Wed, 9 Jul 2008 07:26:27 -0500
Subject: MaraDNS is immune to the new cache poisoning attack
Message-ID: <7bd685720807090526s2159c734na317580147e205e4@mail.gmail.com>

MaraDNS is immune to the new cache poisoning attack. MaraDNS has always been immune to this attack. Ditto with Deadwood (indeed, people can use MaraDNS or Deadwood on the loopback interface to protect their machines from this attack).

OK, basically, this is an old problem DJB wrote about well over seven years ago. The solution is to randomize both the query ID and the source port; MaraDNS/Deadwood do this (and have been doing this since around the time of their first public releases that could resolve DNS queries) using a cryptographically strong random number generator (MaraDNS uses an AES variant; Deadwood uses the 32-bit version of RadioGatún).

- Sam


From 7v5w7go9ub0o at gmail.com Thu Jul 10 14:33:58 2008
From: 7v5w7go9ub0o at gmail.com (7v5w7go9ub0o)
Date: Thu, 10 Jul 2008 14:33:58 -0400
Subject: DNS poisoning test page (not Kaminsky's)
Message-ID: <48765616.3030507@gmail.com>

While trying to understand the Kaminsky discovery, I came across this page and seem to fail the test.

http://ketil.froyn.name/poison.html

What am I doing wrong, please (using maradns)?

TIA


From remco at webconquest.com Thu Jul 10 15:41:10 2008
From: remco at webconquest.com (Remco Rijnders)
Date: Thu, 10 Jul 2008 21:41:10 +0200
Subject: DNS poisoning test page (not Kaminsky's)
In-Reply-To: <48765616.3030507@gmail.com>
References: <48765616.3030507@gmail.com>
Message-ID: <73D57C44-4127-4997-9F72-534820E74979@webconquest.com>

On 10 Jul 2008, at 20:33, 7v5w7go9ub0o wrote:

> While trying to understand the Kaminsky discovery, I came across
> this page and seem to fail the test.
>
> http://ketil.froyn.name/poison.html
>
> What am I doing wrong, please (using maradns)?

What do you mean with "fail the test"? Did you get to the poisoned page, or not?

Also note the first line on that page, which reads:

UPDATE 2007-05-17: Due to migration of my site, the self poisoning test may not be working properly. I will update this page again when it is functional again.

Kind regards,

Remco


From 7v5w7go9ub0o at gmail.com Thu Jul 10 14:18:43 2008
From: 7v5w7go9ub0o at gmail.com (7v5w7go9ub0o)
Date: Thu, 10 Jul 2008 14:18:43 -0400
Subject: DNS poisoning test page
Message-ID:

http://ketil.froyn.name/poison.html

I fail this test, and don't know why!?


From strenholme.usenet at gmail.com Thu Jul 10 18:06:34 2008
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Thu, 10 Jul 2008 17:06:34 -0500
Subject: DNS poisoning test page
In-Reply-To:
References:
Message-ID: <7bd685720807101506w5346e30l7e79460efa9e7f10@mail.gmail.com>

I pass the test using Deadwood 2.00 as the recursive resolver. Check your DNS configuration because you're probably not using MaraDNS.

- Sam

2008/7/10 7v5w7go9ub0o <7v5w7go9ub0o at gmail.com>:
> http://ketil.froyn.name/poison.html
>
> I fail this test, and don't know why!?
>
>


From strenholme.usenet at gmail.com Thu Jul 10 18:08:05 2008
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Thu, 10 Jul 2008 17:08:05 -0500
Subject: DNS poisoning test page
In-Reply-To: <7bd685720807101506w5346e30l7e79460efa9e7f10@mail.gmail.com>
References: <7bd685720807101506w5346e30l7e79460efa9e7f10@mail.gmail.com>
Message-ID: <7bd685720807101508n6dc3c6a9g61f1b1a35d6422b2@mail.gmail.com>

And, oh, just so I don't get a bunch of "I failed the test, could you please configure my computer for me for free" emails, if you send me a MaraDNS-related support question, I reserve the right to post your support email to the Mara-DNS mailing list so that the community at large can examine your issue. MaraDNS security vulnerability reports, however, will be kept confidential.

- Sam

2008/7/10 Sam Trenholme :
> I pass the test using Deadwood 2.00 as the recursive resolver. Check
> your DNS configuration because you're probably not using MaraDNS.
>
> - Sam
>
> 2008/7/10 7v5w7go9ub0o <7v5w7go9ub0o at gmail.com>:
>> http://ketil.froyn.name/poison.html
>>
>> I fail this test, and don't know why!?
>>
>>
>


From 7v5w7go9ub0o at gmail.com Thu Jul 10 18:34:18 2008
From: 7v5w7go9ub0o at gmail.com (7v5w7go9ub0o)
Date: Thu, 10 Jul 2008 18:34:18 -0400
Subject: DNS poisoning test page
In-Reply-To: <7bd685720807101508n6dc3c6a9g61f1b1a35d6422b2@mail.gmail.com>
References: <7bd685720807101506w5346e30l7e79460efa9e7f10@mail.gmail.com> <7bd685720807101508n6dc3c6a9g61f1b1a35d6422b2@mail.gmail.com>
Message-ID:

Sam Trenholme wrote:
> And, oh, just so I don't get a bunch of "I failed the test, could you
> please configure my computer for me for free" emails, if you send me a
> MaraDNS-related support question, I reserve the right to post your
> support email to the Mara-DNS mailing list so that the community at
> large can examine your issue. MaraDNS security vulnerability reports,
> however, will be kept confidential.
>
> - Sam

Please let me apologize.

I've repeated the test a number of times (including emptying all caches), and now pass it every time.

Thank you and Remco Rijnders for replying - again, I apologize!


From strenholme.usenet at gmail.com Thu Jul 10 18:54:20 2008
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Thu, 10 Jul 2008 17:54:20 -0500
Subject: DNS poisoning test page
In-Reply-To:
References: <7bd685720807101506w5346e30l7e79460efa9e7f10@mail.gmail.com> <7bd685720807101508n6dc3c6a9g61f1b1a35d6422b2@mail.gmail.com>
Message-ID: <7bd685720807101554y13ca6056m7863e663252e1236@mail.gmail.com>

Excellent, and I apologize for my grouchiness. I will run the test on MaraDNS this afternoon and only report something if Mara fails.

- Sam

2008/7/10 7v5w7go9ub0o <7v5w7go9ub0o at gmail.com>:
> Sam Trenholme wrote:
>>
>> And, oh, just so I don't get a bunch of "I failed the test, could you
>> please configure my computer for me for free" emails, if you send me a
>> MaraDNS-related support question, I reserve the right to post your
>> support email to the Mara-DNS mailing list so that the community at
>> large can examine your issue. MaraDNS security vulnerability reports,
>> however, will be kept confidential.
>>
>> - Sam
>
> Please let me apologize.
>
>
> I've repeated the test a number of times (including emptying all caches),
> and now pass it every time.
>
> Thank you and Remco Rijnders for replying - again, I apologize!
>
>
>
>


From athla.anime at gmail.com Mon Jul 21 09:18:56 2008
From: athla.anime at gmail.com (my name)
Date: Mon, 21 Jul 2008 20:18:56 +0700
Subject: min_ttl does not have effect
Message-ID:

Hello, I use maradns ver 1.3.07.08 as a recursive DNS. It works fine, but it seems it doesn't honour the min_ttl. I specified min_ttl = 72000 in mararc. But, when for instance I go to somewhere.com, then close and clear the browser cache, open the browser again, and then go to somewhere.com again, the browser takes some time doing the lookup again.

Here is my /etc/mararc:

ipv4_bind_addresses = "192.168.1.1"
chroot_dir = "/etc/maradns"
recursive_acl = "192.168.1.0/24"
timeout_seconds = 7
maximum_cache_elements = 4096
min_ttl = 72000
upstream_servers = {}
upstream_servers["."] = "208.67.222.222, 208.67.220.220"

My /etc/resolv.conf already points to 192.168.1.1.

Any idea?

Thank You :)


From lars at hfk-bremen.de Wed Jul 23 06:36:43 2008
From: lars at hfk-bremen.de (lars behrens)
Date: Wed, 23 Jul 2008 12:36:43 +0200
Subject: MaraDNS with two addresses
Message-ID:

Hi, there,

we have a network with our own nameserver(s); to serve the different ranges with different host-IPs, we have two nameservers running: MaraDNS for the external requests and Bind on another machine for the internal requests.

That is because the servers have internal IP addresses, but these are masked (NATted) to the outside via our firewall. Requests from outside (public network) for server.foo.bar are handled by MaraDNS, which points to the external IP 1.2.3.4; requests for server.foo.bar from the inside (our LAN) are handled by Bind and are directed to 192.168.0.x.

Is it possible to serve the two ranges/kinds of requests with maradns on only one server?

E.g. when a request comes from the internal network to server.foo.bar it gets the answer "192.160.0.x", but requests from the outer network get the answer "1.2.3.4"?

thanx a lot in advance!

greetings

lars


From KenL at GraphixWizard.com Wed Jul 23 08:54:21 2008
From: KenL at GraphixWizard.com (Ken Lyons - Graphix Wizard/Data-Forms)
Date: Wed, 23 Jul 2008 08:54:21 -0400
Subject: MaraDNS with two addresses
In-Reply-To: <2008-205-06-3-1216809425-029612@gwizfl.org>
References: <2008-205-06-3-1216809425-029612@gwizfl.org>
Message-ID: <2008-205-08-5-1216817641-028701@gwizfl.org>

I don't believe Mara or many other DNS servers can handle what you're asking. In short, each domain would have to have TWO records so it would know what to answer with.

The best and easiest solution is to run two DNS servers, which can both be on the same machine. Assign them different ports, i.e. Public 153 and Private 253, then on your GATEWAY/Firewall do your DNAT to redirect port 53 to the desired server.

Ken Lyons / e/Solutions / IT Services
GraphixWizard/Data-Forms
Toll Free 800.447.3676
Direct 407.656.9742
Fax 407.656.3353
kenl at graphixwizard.com
hosting.graphixwizard.com

lars behrens wrote:
> Hi, there,
>
> we have a network with our own nameserver(s); to serve the different
> ranges with different host-IPs, we have two nameservers running:
> MaraDNS for the external requests and Bind on another machine for
> the internal requests.
>
> That is because the servers have internal IP addresses, but these are
> masked (NATted) to the outside via our firewall. Requests from outside
> (public network) for server.foo.bar are handled by MaraDNS, which points
> to the external IP 1.2.3.4; requests for server.foo.bar from the
> inside (our LAN) are handled by Bind and are directed to 192.168.0.x.
>
> Is it possible to serve the two ranges/kinds of requests with
> maradns on only one server?
>
> E.g. when a request comes from the internal network to server.foo.bar it gets
> the answer "192.160.0.x", but requests from the outer network get the
> answer "1.2.3.4"?
>
> thanx a lot in advance!
>
> greetings
>
> lars
>


From darren.gamble at sjrb.ca Wed Jul 23 10:55:57 2008
From: darren.gamble at sjrb.ca (Darren Gamble)
Date: Wed, 23 Jul 2008 08:55:57 -0600
Subject: MaraDNS with two addresses
In-Reply-To:
References:
Message-ID: <00F10C2766A9664D8E1BE7D147015B020113B953@PRDCG4EXVW01-3.OSS.PRD>

Hi Lars,

> Is it possible to serve the two ranges/kinds of requests with
> maradns on only one server?
>
> E.g. when a request comes from the internal network to server.foo.bar it gets
> the answer "192.160.0.x", but requests from the outer network get
> the answer "1.2.3.4"?

I don't think MaraDNS can do this, but if you want to make your BIND server authoritative for this zone, it can accomplish this via a DNS "View". The View allows for two separate copies of the zone; which one gets used can depend on the source address (among other things).

The configuration you're looking for is very common.

Hope this helps,

============================
Darren Gamble
Systems Architect, Regional Services
Shaw Cablesystems GP
630 - 3rd Avenue SW
Calgary, Alberta, Canada
T2P 4L4
(403) 781-4948


From gahoff at gmail.com Sun Jul 27 21:21:57 2008
From: gahoff at gmail.com (Geoff Hoff)
Date: Sun, 27 Jul 2008 21:21:57 -0400
Subject: TXT query plus CNAME equals A query
Message-ID: <17db0c920807271821v24f9cccfoe146f1fe9a9eb27d@mail.gmail.com>

When using the instructions here https://www.dns-oarc.net/oarc/services/porttest to see how maradns rates for query port randomization, I found an unexpected result. The instructions are to run the query "dig +short porttest.dns-oarc.net TXT". That entry is a CNAME for z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net. Doing a packet capture, maradns does a TXT query for the first entry, but after following the CNAME, it does an A query. Both PowerDNS recursor and unbound continue with TXT queries after the CNAME. From the weblog, I saw this post http://maradns.blogspot.com/2008/06/deadwood-200-released.html that indicates that the CNAME handling is known to be non-optimal.

This isn't a significant problem, but thought I'd share in case anyone else reading the list encounters the same thing.


From gahoff at gmail.com Mon Jul 28 08:03:10 2008
From: gahoff at gmail.com (Geoff Hoff)
Date: Mon, 28 Jul 2008 08:03:10 -0400
Subject: TXT query plus CNAME equals A query
In-Reply-To: <17db0c920807271821v24f9cccfoe146f1fe9a9eb27d@mail.gmail.com>
References: <17db0c920807271821v24f9cccfoe146f1fe9a9eb27d@mail.gmail.com>
Message-ID: <17db0c920807280503i53091291w62c4cc371ef8a9d3@mail.gmail.com>

I should have mentioned, this is for version 1.3.07.08.

On Sun, Jul 27, 2008 at 9:21 PM, Geoff Hoff wrote:
> When using the instructions here
> https://www.dns-oarc.net/oarc/services/porttest to see how maradns
> rates for query port randomization, I found an unexpected result. The
> instructions are to run the query "dig +short porttest.dns-oarc.net
> TXT". That entry is a CNAME for
> z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
> Doing a packet capture, maradns does a TXT query for the first entry,
> but after following the CNAME, it does an A query. Both PowerDNS
> recursor and unbound continue with TXT queries after the CNAME. From
> the weblog, I saw this post
> http://maradns.blogspot.com/2008/06/deadwood-200-released.html that
> indicates that the CNAME handling is known to be non-optimal.
>
> This isn't a significant problem, but thought I'd share in case anyone
> else reading the list encounters the same thing.
>


From ruskie at codemages.net Wed Jul 30 15:33:39 2008
From: ruskie at codemages.net ("Andraž 'ruskie' Levstik")
Date: Wed, 30 Jul 2008 21:33:39 +0200
Subject: Issues with recursion
Message-ID:

I'm trying to have recursive root servers for:
icann+opennic+anonet

Basically I can resolve icann addys but not opennic or anonet...

Can anyone provide any ideas or a solution?

maradns-1.2.12.09 on OpenBSD 4.3

Relevant section of the config:

ipv4_alias = {}
#using isp dns's
ipv4_alias["icann"] = "193.2.1.66, 193.2.1.72, 84.20.224.10, 84.20.224.11"
ipv4_alias["opennic"] = "88.191.13.93, 58.6.115.42, 58.6.115.43, 71.170.11.156, 216.87.84.209, 65.36.176.140, 216.67.98.38"
ipv4_alias["anonet"] = "1.0.9.2, 1.0.1.4, 1.0.1.5, 1.10.11.1, 1.0.9.53"
root_servers = {}
root_servers["ano."] = "anonet"
root_servers["ntwrk."] = "anonet"
root_servers["me."] = "anonet"
root_servers["site."] = "anonet"
root_servers["xxx."] = "anonet"
root_servers["free."] = "opennic"
root_servers["fur."] = "opennic"
root_servers["geek."] = "opennic"
root_servers["indy."] = "opennic"
root_servers["null."] = "opennic"
root_servers["glue."] = "opennic"
root_servers["oss."] = "opennic"
root_servers["parody."] = "opennic"
root_servers["."] = "icann"

--
Andraž "ruskie" Levstik
Source Mage GNU/Linux Games grimoire guru
Geek/Hacker/Tinker

Be sure brain is in gear before engaging mouth.
Quis custodiet ipsos custodies.
Ryle hira.

Key id = F4C1F89C
Key fingerprint = 6FF2 8F20 4C9D DB36 B5B6 F134 884D 72CC F4C1 F89C


From strenholme.usenet at gmail.com Thu Jul 31 10:21:37 2008
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Thu, 31 Jul 2008 09:21:37 -0500
Subject: Issues with recursion
In-Reply-To:
References:
Message-ID: <7bd685720807310721u7bb949a1t8f10eafc8486d2dd@mail.gmail.com>

root_servers["subtree."] = "whatever" only works in MaraDNS 1.3; it doesn't work in MaraDNS 1.2.

- Sam

Note: If you send me a MaraDNS-related support question, I reserve the right to post your support email to the Mara-DNS mailing list so that the community at large can examine your issue. MaraDNS security vulnerability reports (No, MaraDNS is not vulnerable to the "new" cache poisoning attack and was never vulnerable), however, will be kept confidential.

2008/7/30 "Andraž 'ruskie' Levstik" :
> I'm trying to have recursive root servers for:
> icann+opennic+anonet
>
> Basically I can resolve icann addys but not opennic or anonet...
>
> Can anyone provide any ideas or a solution?
>
> maradns-1.2.12.09 on OpenBSD 4.3
>
> Relevant section of the config:
>
> ipv4_alias = {}
> #using isp dns's
> ipv4_alias["icann"] = "193.2.1.66, 193.2.1.72, 84.20.224.10, 84.20.224.11"
> ipv4_alias["opennic"] = "88.191.13.93, 58.6.115.42, 58.6.115.43,
> 71.170.11.156, 216.87.84.209, 65.36.176.140, 216.67.98.38"
> ipv4_alias["anonet"] = "1.0.9.2, 1.0.1.4, 1.0.1.5, 1.10.11.1,
> 1.0.9.53"
> root_servers = {}
> root_servers["ano."] = "anonet"
> root_servers["ntwrk."] = "anonet"
> root_servers["me."] = "anonet"
> root_servers["site."] = "anonet"
> root_servers["xxx."] = "anonet"
> root_servers["free."] = "opennic"
> root_servers["fur."] = "opennic"
> root_servers["geek."] = "opennic"
> root_servers["indy."] = "opennic"
> root_servers["null."] = "opennic"
> root_servers["glue."] = "opennic"
> root_servers["oss."] = "opennic"
> root_servers["parody."] = "opennic"
> root_servers["."] = "icann"
>
>
> --
> Andraž "ruskie" Levstik
> Source Mage GNU/Linux Games grimoire guru
> Geek/Hacker/Tinker
>
> Be sure brain is in gear before engaging mouth.
> Quis custodiet ipsos custodies.
> Ryle hira.
>
> Key id = F4C1F89C
> Key fingerprint = 6FF2 8F20 4C9D DB36 B5B6 F134 884D 72CC F4C1 F89C
>
>
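The source-port and query-ID randomization Sam describes in the first message of this thread, and the DNS-OARC port test Geoff used later, both come down to one measurable property of a resolver's outbound queries: how much the UDP source port and the 16-bit transaction ID vary from one query to the next. The Python script below is an added example for this archive, not code from MaraDNS, Deadwood or any list member. It parses the transaction ID out of DNS query messages, pairs each with the UDP source port a capture tool would supply, and reports the observed variation of each field, flagging the two classic weaknesses (a fixed port, counting IDs). The "captures" it examines are constructed in the script itself; with n sampled queries the measured entropy can never exceed log2(n), so that ceiling is reported alongside the figures.

```python
import math
import random
import struct
from collections import Counter

DNS_HEADER_LEN = 12  # RFC 1035 section 4.1.1: ID, flags, and four counts


def build_query(txid: int, qname: str, qtype: int = 16) -> bytes:
    """Build a minimal DNS query (header + one question); qtype 16 is TXT."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set
    labels = qname.rstrip(".").split(".")
    wire_name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + wire_name + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_txid(message: bytes) -> int:
    """Return the 16-bit transaction ID from the DNS message header."""
    if len(message) < DNS_HEADER_LEN:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", message[:2])[0]


def entropy_bits(values) -> float:
    """Shannon entropy (bits) of the observed distribution of values."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess(samples):
    """samples: list of (udp_source_port, dns_message) for outbound queries."""
    ports = [p for p, _ in samples]
    txids = [parse_txid(m) for _, m in samples]
    n = len(samples)
    return {
        "samples": n,
        "entropy_ceiling_bits": math.log2(n),  # n samples can show at most log2(n) bits
        "port_entropy_bits": entropy_bits(ports),
        "txid_entropy_bits": entropy_bits(txids),
        "pair_entropy_bits": entropy_bits(list(zip(ports, txids))),
        "fixed_port": len(set(ports)) == 1,
        "sequential_txid": n > 1 and all(b - a == 1 for a, b in zip(txids, txids[1:])),
    }


def make_samples(n, port_fn, txid_fn):
    """Constructed capture: n outbound queries whose port and ID come from the callables."""
    qname = "porttest.dns-oarc.net"  # the name from the DNS-OARC instructions
    return [(port_fn(i), build_query(txid_fn(i), qname)) for i in range(n)]


def demo(n=64):
    """Compare a weak resolver (fixed port, counting IDs) with a randomizing one."""
    weak = make_samples(n, port_fn=lambda i: 53, txid_fn=lambda i: 0x1000 + i)
    rng = random.Random(2008)  # fixed seed so the constructed sample is reproducible
    strong = make_samples(n,
                          port_fn=lambda i: rng.randrange(1024, 65536),
                          txid_fn=lambda i: rng.randrange(0, 65536))
    return assess(weak), assess(strong)


if __name__ == "__main__":
    for label, report in zip(("fixed port / counting id", "randomized"), demo()):
        print(label)
        for k, v in report.items():
            print(f"  {k}: {v:.2f}" if isinstance(v, float) else f"  {k}: {v}")
```

Feeding `assess()` real data means replacing `make_samples()` with the source port and payload of each outbound query taken from a packet capture of the resolver; the two boolean flags catch the obviously weak configurations, while the entropy figures only say something once the sample is large enough for the ceiling to matter.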