From spamcatch-maradns.org at messageme.de Mon Aug 2 02:03:17 2010
From: spamcatch-maradns.org at messageme.de (Sebastian Müller)
Date: Mon, 02 Aug 2010 08:03:17 +0200
Subject: Curious things with MaraDNS
Message-ID: <4C565FA5.5080500@messageme.de>

Hi,

since a few month I noticed DNS lookups for 'sv5.isp4p.net' results in
SERVFAIL.
Yesterday I asked my provider why the domain doesn't exist anymore and
they answered me: It does exist.
So I searched google for some online lookup tool. And those were able to
resolve the domain.

Can you explain me where the failure is located and why MaraDNS isn't
able to resolve it?

I am running MaraDNS version 1.3.07.09 on debian lenny.

Cheers,
Sebastian
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: maralog
URL:

From strenholme.usenet at gmail.com Mon Aug 2 02:15:36 2010
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Sun, 1 Aug 2010 23:15:36 -0700
Subject: Curious things with MaraDNS
In-Reply-To: <4C565FA5.5080500@messageme.de>
References: <4C565FA5.5080500@messageme.de>
Message-ID:

> since a few month I noticed DNS lookups for 'sv5.isp4p.net' results in
> SERVFAIL.

It gets a timeout in Deadwood 2.9.02. This is because it’s one of the
very rare cases of having a packet that doesn’t fit in 512 bytes:

$ askmara Asv5.isp4p.net. 85.93.19.20
# Querying the server with the IP 85.93.19.20
# Remote server said: TRUNCATED
# Question: Asv5.isp4p.net.
sv5.isp4p.net. +3600 a 89.144.46.3
sv5.isp4p.net. +3600 a 89.144.16.3
sv5.isp4p.net. +3600 a 89.144.27.12
sv5.isp4p.net. +3600 a 85.93.17.13
sv5.isp4p.net. +3600 a 89.144.51.3
sv5.isp4p.net. +3600 a 85.93.4.54
sv5.isp4p.net. +3600 a 89.144.41.3
sv5.isp4p.net. +3600 a 89.144.30.12
sv5.isp4p.net. +3600 a 85.93.23.13
sv5.isp4p.net. +3600 a 89.144.37.12
sv5.isp4p.net. +3600 a 89.144.4.41
sv5.isp4p.net. +3600 a 89.144.38.12
sv5.isp4p.net. +3600 a 89.144.9.21
sv5.isp4p.net. +3600 a 85.93.13.14
sv5.isp4p.net. +3600 a 85.93.12.3
sv5.isp4p.net. +3600 a 85.93.25.13
sv5.isp4p.net. +3600 a 85.93.22.28
sv5.isp4p.net. +3600 a 85.93.13.13
sv5.isp4p.net. +3600 a 85.93.24.27
sv5.isp4p.net. +3600 a 85.93.23.27
sv5.isp4p.net. +3600 a 85.93.13.15
sv5.isp4p.net. +3600 a 85.93.17.15
sv5.isp4p.net. +3600 a 89.144.33.12
sv5.isp4p.net. +3600 a 85.93.27.3
sv5.isp4p.net. +3600 a 89.144.32.12
sv5.isp4p.net. +3600 a 85.93.25.14
sv5.isp4p.net. +3600 a 89.144.40.3
sv5.isp4p.net. +3600 a 89.144.45.3
sv5.isp4p.net. +3600 a 89.144.36.12
sv5.isp4p.net. +3600 a 85.93.25.27
# Hard Error: Error reading rr in AN section

I hope to have time in the next couple of days to update Deadwood to
handle truncated packets. Right now, Deadwood *should* mark the packet
as being truncated, and allow DNS-over-TCP (without caching the reply).
This works with upstream_servers but, it would seem, not with
root_servers (if it broke with upstream_servers, I would have noticed
during the SQA regressions)

- Sam

Note: I do not answer MaraDNS (including Deadwood) support requests sent
by private email without being compensated for my time. A MaraDNS
support request is any and all discussion you may wish to have about
MaraDNS in private email; if you want to email me to talk about MaraDNS
then, yes, that is a support request. I will discuss rates if you want
this kind of support. Thank you for your understanding.

MaraDNS security vulnerability reports, however, will be dealt with
without charge and kept confidential. If you don't know what Bugtraq is,
then, no, your email is not a security report. It is not a security
report unless you've done due diligence to determine how the security
bug you think you found can reasonably be exploited.

From spamcatch-maradns.org at messageme.de Mon Aug 2 03:26:27 2010
From: spamcatch-maradns.org at messageme.de (Sebastian Müller)
Date: Mon, 02 Aug 2010 09:26:27 +0200
Subject: Deadwood beta on debian lenny
In-Reply-To:
References: <4C498BE0.7010403@messageme.de> <4C4A327C.3080402@messageme.de> <4C4B56F0.2010800@messageme.de> <4C4C7756.80403@messageme.de> <4C4CAD91.8020204@messageme.de> <4C4D7879.5030907@messageme.de>
Message-ID: <4C567323.7030305@messageme.de>

Good Morning,

Here is another one giving some trouble.
Tested with deadwood-2.9.02

Quote from deadwood doc
http://www.maradns.org/deadwood/doc/Deadwood.txt
"The netmask is optional, and, if not present, indicates that
only a single IP will match."

recursive_acl = "127.0.0.0/8,85.93.18.62"
results in:
localhost:/etc# askmara Agoogle.hu.
# Querying the server with the IP 127.0.0.1
# Hard Error: Timeout

recursive_acl = "127.0.0.0/8,85.93.18.62/32"
results in:
localhost:/etc# askmara Agoogle.hu.
# Querying the server with the IP 127.0.0.1
# Question: Agoogle.hu.
google.hu. +300 a 74.125.43.99
google.hu. +300 a 74.125.43.106
google.hu. +300 a 74.125.43.105
google.hu. +300 a 74.125.43.147
google.hu. +300 a 74.125.43.103
google.hu. +300 a 74.125.43.104
# NS replies:
# AR replies:

On 26.07.2010 19:40, Sam Trenholme wrote:
> ...

From strenholme.usenet at gmail.com Mon Aug 2 13:50:38 2010
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Mon, 2 Aug 2010 10:50:38 -0700
Subject: Curious things with MaraDNS
In-Reply-To:
References: <4C565FA5.5080500@messageme.de>
Message-ID:

> $ askmara Asv5.isp4p.net. 85.93.19.20
> # Querying the server with the IP 85.93.19.20
> # Remote server said: TRUNCATED
> # Question: Asv5.isp4p.net.

OK, I have just uploaded a Deadwood snapshot that will work with packets
that need DNS-over-TCP to resolve. It can be downloaded here:

http://maradns.org/deadwood/snap/deadwood-H-20100802-1.tar.bz2

Some things to keep in mind:

* By default, Deadwood disables DNS-over-TCP. Users who need to handle
  the very rare hostname that needs DNS-over-TCP to resolve will need to
  explicitly enable it by adding the following to their dwood3rc file:

  tcp_listen=1

* Deadwood does not cache packets that need DNS-over-TCP to resolve.
  Deadwood only supports DNS-over-TCP for packets stub resolvers can
  handle (NS referrals or incomplete CNAME answer packets will not do
  the right thing if they need DNS-over-TCP)

* This is only getting fixed for Deadwood, not MaraDNS 1.x

Sebastian: Thank you for the bug report. Let me know of any other
hostnames that Deadwood can not reply, or of any other Deadwood bugs.

- Sam
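The size arithmetic behind the TRUNCATED reply discussed above, and the check a resolver makes before falling back to DNS-over-TCP, as an added example that is not part of the original messages and is not Deadwood's code (all function names are hypothetical). It assumes every answer's owner name is sent as a 2-byte compression pointer; under that assumption 30 A records for sv5.isp4p.net. take 511 bytes, which matches the 30 records askmara printed before its read error.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN     12      /* fixed header size, RFC 1035 section 4.1.1 */
#define DNS_UDP_MAX     512     /* classic DNS-over-UDP message limit */
#define DNS_FLAG_QR     0x8000  /* message is a response */
#define DNS_FLAG_TC     0x0200  /* message was truncated */
#define A_RR_COMPRESSED 16      /* 2 name ptr + 2 type + 2 class + 4 TTL + 2 rdlen + 4 addr */

enum reply_action { REPLY_DROP, REPLY_USE, REPLY_RETRY_TCP };

/* Wire length of a name such as "sv5.isp4p.net.": one length byte per
 * label plus the terminating root byte. Returns 0 for an invalid name. */
size_t qname_wire_len(const char *name)
{
    size_t len = 1;                          /* root label */
    if (strcmp(name, ".") == 0) return 1;
    while (*name != '\0') {
        size_t label = strcspn(name, ".");
        if (label == 0 || label > 63) return 0;   /* empty or oversized label */
        len += 1 + label;
        name += label;
        if (*name == '.') name++;
    }
    return len <= 255 ? len : 0;
}

/* Number of A records that fit in one 512-byte UDP reply to an A query
 * for `name` (assumption: compressed owner names, no other sections). */
int max_a_records_udp(const char *name)
{
    size_t qlen = qname_wire_len(name);
    if (qlen == 0) return -1;
    size_t fixed = DNS_HDR_LEN + qlen + 4;   /* question adds QTYPE + QCLASS */
    return (int)((DNS_UDP_MAX - fixed) / A_RR_COMPRESSED);
}

/* Decide what to do with a UDP reply. A reply with TC set was cut to fit,
 * so its sections are not parsed; the same question is re-asked over TCP. */
enum reply_action classify_udp_reply(const uint8_t *pkt, size_t len,
                                     uint16_t query_id)
{
    if (pkt == NULL || len < DNS_HDR_LEN) return REPLY_DROP;
    uint16_t id    = (uint16_t)((pkt[0] << 8) | pkt[1]);
    uint16_t flags = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (id != query_id || !(flags & DNS_FLAG_QR)) return REPLY_DROP;
    if (flags & DNS_FLAG_TC) return REPLY_RETRY_TCP;
    return REPLY_USE;
}

/* DNS-over-TCP framing: the message is preceded by its length as a
 * 2-byte big-endian integer (RFC 1035 section 4.2.2). Returns bytes
 * written to `out`, or 0 if the query does not fit. */
size_t frame_for_tcp(const uint8_t *query, size_t qlen,
                     uint8_t *out, size_t outcap)
{
    if (query == NULL || qlen == 0 || qlen > 0xFFFF || outcap < qlen + 2)
        return 0;
    out[0] = (uint8_t)(qlen >> 8);
    out[1] = (uint8_t)(qlen & 0xFF);
    memcpy(out + 2, query, qlen);
    return qlen + 2;
}

int main(void)
{
    /* Constructed sample: header of a reply with ID 0x1234 and flags
     * QR|TC|RD|RA (0x8380), QDCOUNT 1, ANCOUNT 30. */
    static const uint8_t truncated[DNS_HDR_LEN] = {
        0x12, 0x34, 0x83, 0x80, 0, 1, 0, 30, 0, 0, 0, 0
    };
    const char *name = "sv5.isp4p.net.";

    printf("qname length: %zu bytes\n", qname_wire_len(name));
    printf("A records that fit in %d bytes: %d\n",
           DNS_UDP_MAX, max_a_records_udp(name));
    printf("action for truncated reply: %s\n",
           classify_udp_reply(truncated, sizeof truncated, 0x1234)
               == REPLY_RETRY_TCP ? "retry over TCP" : "other");
    return 0;
}
```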
From strenholme.usenet at gmail.com Mon Aug 2 14:17:14 2010 
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Mon, 2 Aug 2010 11:17:14 -0700
Subject: Deadwood beta on debian lenny
In-Reply-To: <4C567323.7030305@messageme.de>
References: <4C498BE0.7010403@messageme.de> <4C4A327C.3080402@messageme.de> <4C4B56F0.2010800@messageme.de> <4C4C7756.80403@messageme.de> <4C4CAD91.8020204@messageme.de> <4C4D7879.5030907@messageme.de> <4C567323.7030305@messageme.de>
Message-ID:

> Quote from deadwood doc
> http://www.maradns.org/deadwood/doc/Deadwood.txt
> "The netmask is optional, and, if not present, indicates that
> only a single IP will match."
>
> recursive_acl = "127.0.0.0/8,85.93.18.62"
> results in:
> localhost:/etc# askmara Agoogle.hu.
> # Querying the server with the IP 127.0.0.1
> # Hard Error: Timeout

OK, for the record: I wasn't the one to break that. I can blame someone
who will remain nameless, since that certain someone has made valuable
contributions to Deadwood without getting paid. :)

However, I am the one to fix it (if people ever wonder why their patch
doesn't get accepted in to some random open-source project, it's often
times because the maintainer of said project does not want to deal with
any bugs the patch may cause).

Attached is a patch which fixes this issue. In addition, I have uploaded
the uploaded Deadwood:

http://maradns.org/deadwood/snap/deadwood-H-20100802-2.tar.bz2

- Sam

Note: I do not answer MaraDNS (including Deadwood) support requests sent
by private email without being compensated for my time. A MaraDNS
support request is any and all discussion you may wish to have about
MaraDNS in private email; if you want to email me to talk about MaraDNS
then, yes, that is a support request. I will discuss rates if you want
this kind of support. Thank you for your understanding.

MaraDNS security vulnerability reports, however, will be dealt with
without charge and kept confidential. If you don't know what Bugtraq is,
then, no, your email is not a security report.
It is not a security report unless you've done due diligence to determine how the security bug you think you found can reasonably be exploited. --- deadwood-2.9.02/src/DwSocket.c 2010-07-29 10:39:10.000000000 -0700 +++ deadwood-2.9.03/src/DwSocket.c 2010-08-02 11:06:26.000000000 -0700 @@ -293,6 +293,8 @@ q = strchr(c,'/'); if(q == 0 || *q != '/') { + pop_ip_core(list,(ip_addr_T *)ip_mask,c); + make_netmask(ip_mask->len * 8,ip_mask->mask,ip_mask->len); goto catch_pop_ip_mask; } *q = 0; /* pop_ip_core can't take an IP ending with a slash */ From eminakbulut at gmail.com Tue Aug 3 06:50:33 2010 
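Review bot: in the new no-slash branch of the DwSocket.c hunk above, nothing checks whether pop_ip_core() succeeded before ip_mask->len is used to build the mask, so an ACL entry without a slash that fails to parse still reaches make_netmask() with whatever length is in ip_mask. Because this path decides who matches recursive_acl, I would test the parse result (and that len is non-zero) first and take the goto catch_pop_ip_mask path with the entry rejected otherwise. A regression test for a bare IP, such as the "127.0.0.0/8,85.93.18.62" value from the report, would keep this from breaking again. Minor: in the unchanged condition, *q != '/' can never be true once strchr() has returned a non-null pointer.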
From: eminakbulut at gmail.com (Emin Akbulut)
Date: Tue, 3 Aug 2010 13:50:33 +0300
Subject: MaraDNS 1.4.04 released
In-Reply-To:
References:
Message-ID:

Oops. Avira reports BDS/Backdoor.Gen in link

http://maradns.org/download/1.4/1.4.04/maradns-1-4-04-win32.zip

Should I ignore it?

On Sat, Jul 31, 2010 at 11:23 AM, Sam Trenholme wrote:

> Now that Deadwood is feature-complete, I have released MaraDNS 1.4.04.
> This is the most current stable release of MaraDNS; if using an older
> MaraDNS, please update to this release (yes, I ran a bunch of SQA
> tests so anything that worked before should work in 1.4.04).
>
> While the old recursive code is still in place to allow people to
> slowly make the transition to using Deadwood as their recursive DNS
> server, Deadwood 2.9.02 is included. The Windows version of MaraDNS
> has had its documentation updated to encourage people to use Deadwood
> instead of MaraDNS; I will also start nudging *NIX users along.
>
> I have also made a tool for getting entropy from the OS and putting it
> in a file. This is currently a very simple tool; it makes a random
> 64-byte file called secret.txt which MaraDNS and Deadwood can use. It
> acts like a UNIX command: There is no user interface; when it is run,
> it just silently creates the 64-byte random secret.txt file,
> overwriting any already existing secret.txt, and only outputting
> something if something goes wrong.
>
> It’s a lot better than the old “just type in some random text to make
> secret.txt” directions I have given. I plan on making it a little more
> friendly (failing if secret.txt already exists, and stating the
> secret.txt file has been created, and always pausing and having the
> user hit a key so they know what the program is doing if called from
> the GUI.)
>
> In addition, I fixed the bug with delegation NS records and ANY
> queries, as well as incorporating a NAPTR bugfix I made a few months
> ago in to the code. There is a full changelog at maradns.org.
>
> It can be looked at here:
>
> http://maradns.org/download.html
>
> Or here:
>
> http://sourceforge.net/projects/maradns
>

From strenholme.usenet at gmail.com Tue Aug 3 12:31:17 2010
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Tue, 3 Aug 2010 09:31:17 -0700
Subject: MaraDNS 1.4.04 released
In-Reply-To:
References:
Message-ID:

> Oops. Avira reports BDS/Backdoor.Gen in link
>
> http://maradns.org/download/1.4/1.4.04/maradns-1-4-04-win32.zip
>
> Should I ignore it?

It’s a false positive.

http://maradns.org/faq.html#virus

My personal theory is that some cheezy anti-viruses get upset by
Deadwood.exe because it is a GCC-compiled Windows service, since some
trojans are, in fact, GCC-compiled Windows services.

AVG, on the other hand, is smart enough to distinguish Deadwood from a
real trojan. AVG is free if being used on a home computer, unless the
computer is used for commercial purposes; e.g. I need to register AVG
since, yes, while MaraDNS is free, I do actively seek sponsors and
charge for all private email support. But most people here probably
don’t earn money from work they do on their computer, and therefore can
use AVG free without charge. It’s at http://free.avg.com/

Speaking of cool programs which are now considered trojans by anti-virus
software, Pac32k at http://www.crew99.com/downloads.html (for people who
don’t read German: It’s a tiny [only 32 kilobytes] PacMan-style game)
around late February or March started getting marked as being a trojan;
my theory here is that since the game is a demo, the self-unpacking code
in its header confuses anti-viruses since the same self-unpacker is used
by a real trojan.

(I should probably update the FAQ entry with more detailed information
on how to download and use AVG Free)

- Sam

From spamcatch-maradns.org at messageme.de Tue Aug 3 14:51:26 2010
From: spamcatch-maradns.org at messageme.de (Sebastian Müller)
Date: Tue, 03 Aug 2010 20:51:26 +0200
Subject: MaraDNS 1.4.04 released
In-Reply-To:
References:
Message-ID: <4C58652E.9040304@messageme.de>

On 03.08.2010 18:31, Sam Trenholme wrote:
>> Oops. Avira reports BDS/Backdoor.Gen in link
>>
>> http://maradns.org/download/1.4/1.4.04/maradns-1-4-04-win32.zip
>>
>> Should I ignore it?
>
> It’s a false positive.
>
> http://maradns.org/faq.html#virus
>
> My personal theory is that some cheezy anti-viruses get upset by
> Deadwood.exe because it is a GCC-compiled Windows service, since some
> trojans are, in fact, GCC-compiled Windows services.

Hi Sam,

I am using Avira, too. Avira is known to have many false positives.

Nevertheless I contacted Avira about that false positive.
Let's see when and how they answer.

Cheers,
Sebastian

From eminakbulut at gmail.com Tue Aug 3 17:40:30 2010
From: eminakbulut at gmail.com (Emin Akbulut)
Date: Wed, 4 Aug 2010 00:40:30 +0300
Subject: MaraDNS 1.4.04 released
In-Reply-To: <4C58652E.9040304@messageme.de>
References: <4C58652E.9040304@messageme.de>
Message-ID:

Hi Sam, I've a question, half private, half public.
If you were Bill Gates, what would be the price
of MaraDNS? Forget for a moment it's free,
how many bucks should I pay?

On Tue, Aug 3, 2010 at 9:51 PM, Sebastian Müller wrote:

> On 03.08.2010 18:31, Sam Trenholme wrote:
> >> Oops. Avira reports BDS/Backdoor.Gen in link
> >>
> >> http://maradns.org/download/1.4/1.4.04/maradns-1-4-04-win32.zip
> >>
> >> Should I ignore it?
> >
> > It’s a false positive.
> >
> > http://maradns.org/faq.html#virus
> >
> > My personal theory is that some cheezy anti-viruses get upset by
> > Deadwood.exe because it is a GCC-compiled Windows service, since some
> > trojans are, in fact, GCC-compiled Windows services.
>
> Hi Sam,
>
> I am using Avira, too. Avira is known to have many false positives.
>
> Nevertheless I contacted Avira about that false positive.
> Let's see when and how they answer.
>
> Cheers,
> Sebastian
>

From strenholme.usenet at gmail.com Tue Aug 3 18:16:27 2010
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Tue, 3 Aug 2010 15:16:27 -0700
Subject: MaraDNS 1.4.04 released
In-Reply-To: <4C58652E.9040304@messageme.de>
References: <4C58652E.9040304@messageme.de>
Message-ID:

>>> Oops. Avira reports BDS/Backdoor.Gen in link
>> It’s a false positive.
> Avira is known to have many false positives.

A summary of this false positive is here:

http://www.avira.com/en/threats/section/details/id_vir/4075/bds_backdoor.gen.html

It’s called a “Backdoor server” and the test is described as “A generic
detection routine”. It probably flags anything with bind() or
CreateService() in it.

As an aside, resolving avira.com is a good torture test for Deadwood:

* There are four upstream name servers for avira.com
* Two of the upstream name servers are glueless
* One of the two glueless names points to a NXDOMAIN, not an IP
* Only one of the four upstream servers (the other glueless one)
  actually replies to DNS queries.

- Sam

From strenholme.usenet at gmail.com Tue Aug 3 18:44:33 2010
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Tue, 3 Aug 2010 15:44:33 -0700
Subject: MaraDNS 1.4.04 released
In-Reply-To:
References: <4C58652E.9040304@messageme.de>
Message-ID:

> Hi Sam, I've a question, half private, half public.
> If you were Bill Gates, what would be the price
> of MaraDNS? Forget for a moment it's free,
> how many bucks should I pay?

If I were Bill Gates....hmmm. OK $50 for the MaraDNS + Deadwood, which
includes unlimited zones and one email support incident. Beta testers,
of course, get a free copy of Deadwood (but only support on online
forums and no, there are no developers on said forums), but the copy
expires in six months.

I’m not Bill Gates, however. So, yes, the full copy of Deadwood +
MaraDNS is free to download, use, modify (Source code licenses for
commercial programs easily cost thousands of dollars), and you even get
free support from the author if you can figure out how to subscribe to a
mailing list and post here [1].

It’s a commercial product because I charge people to implement
features - me implementing something that doesn’t satisfy my itch doesn’t
benefits the users of said feature more than me. I also charge people if
they want something besides a form email about how I can use a job or
money when they ask a question via private email. That’s because
answering questions via private email only benefits the person I’m
answering the question for, and no one else, so if someone wants to
benefit only themselves without helping the community, I will ask to get
some benefit from it too.

I feel the same way about NXDOMAIN redirects (web pages some DNS servers
send you to if someone mistypes a hostname accidentally and no
typo-squatter has grabbed the mistype in question): They only benefit
the person who charges for ad space on the NXDOMAIN redirect webpage and
the advertisers on said webpage.
If someone wants me to implement a feature that only benefits parties
involved with said ad page, I better get some of that benefit myself.

Back on topic, I just released a new Deadwood snapshot today. This has a
tweak which has been bouncing around my head for a few days that
minimizes SERVER FAIL replies sent by Deadwood in the process of
resolving a difficult name like Avira.com (see, I was able to get the
original topic in there). It can be looked at here:

http://maradns.org/deadwood/snap/deadwood-H-20100803-1.tar.bz2

- Sam

[1] I spell out the entire process at
http://www.maradns.org/faq.html#subscribe

From jefsey at jefsey.com Tue Aug 3 20:19:19 2010
From: jefsey at jefsey.com (jefsey)
Date: Wed, 04 Aug 2010 02:19:19 +0200
Subject: MaraDNS 1.4.04 released
In-Reply-To:
References: <4C58652E.9040304@messageme.de>
Message-ID: <7.0.1.0.2.20100804011030.0af508b0@jefsey.com>

Hi! Sam,
Did you ever considered offering your existing proposition of
shared/dedicated support on a yearly subscription/monthly retainer (+
fee for organizations)?
DNS is strategic enough (and probably is going to be more) for
businesses to expect a small organization to be dedicated to it?
I understand this is the economy of other DNS products?
jfc

At 00:44 04/08/2010, Sam Trenholme wrote:
> > Hi Sam, I've a question, half private, half public.
> > If you were Bill Gates, what would be the price
> > of MaraDNS? Forget for a moment it's free,
> > how many bucks should I pay?
>
>If I were Bill Gates....hmmm. OK $50 for the MaraDNS + Deadwood,
>which includes unlimited zones and one email support incident. Beta
>testers, of course, get a free copy of Deadwood (but only support on
>online forums and no, there are no developers on said forums), but the
>copy expires in six months.
>
>I'm not Bill Gates, however. So, yes, the full copy of Deadwood +
>MaraDNS is free to download, use, modify (Source code licenses for
>commercial programs easily cost thousands of dollars), and you even
>get free support from the author if you can figure out how to
>subscribe to a mailing list and post here [1].

From strenholme.usenet at gmail.com Tue Aug 3 22:27:42 2010
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Tue, 3 Aug 2010 19:27:42 -0700
Subject: MaraDNS 1.4.04 released
In-Reply-To: <7.0.1.0.2.20100804011030.0af508b0@jefsey.com>
References: <4C58652E.9040304@messageme.de> <7.0.1.0.2.20100804011030.0af508b0@jefsey.com>
Message-ID:

> Did you ever considered offering your existing proposition of
> shared/dedicated support on a yearly subscription/monthly retainer (+ fee
> for organizations)?
> DNS is strategic enough (and probably is going to be more) for businesses to
> expect a small organization to be dedicated to it?

I think there are definite possibilities in having me perform that kind
of consulting services for companies who want to look at their DNS
solutions. One thing I have observed is how many hosting providers
completely drop the ball with DNS hosting; DNS problems make it harder
for their potential customers to reach their website, resulting in lost
sales.

For example, avira.com, which I mentioned earlier in the thread has
three out of four DNS servers not working. From where I sit, this is
perfect for me right now since these kind of acid tests help me debug
Deadwood and make sure Deadwood is a reliable DNS resolver. On the other
hand, it isn’t in Avira’s best interests for potential customers to see
“host not found” instead of the web page for their products. [1]

One idea I had while writing Deadwood was for Deadwood to have a “solve”
switch to help debug bad hostnames. Like a lot of ideas I have had for
Deadwood, it never got implemented in the interest of getting MaraDNS
2.0 and Deadwood 3.0 finished (but there are some functions in
DwRecurse.c for looking at a DNS packet which I currently don’t use).
Maybe, after 3.0 comes out, I will make a version of Deadwood with
“solve” to make it quick and easy to see if DNS servers for a given
hostname are down.

> I understand this is the economy of other DNS products?

I’m still figuring out how to make lots of money with MaraDNS.
If anyone has any suggestions, let me know. That said, having MaraDNS be
open-source is much better than any resume can be to let the relevant
people know I’m a clued programmer who is looking for work. In this
economy, anything that gives me an edge over other job seekers is
valuable.

- Sam

[1] As another example, kintera.org has two out of three DNS servers
down, which causes lookups to frequently outright fail, especially with
long CNAME chains like “www.gbod.org”. I loved the hostname
“www.gbod.org” and all of the mismanagement Blackbaud Internet Solutions
did with this domain [2] while debugging Deadwood; the process of
resolving that hostname showed me all kinds of bugs in pre-beta releases
of Deadwood. But, I don’t think people who actually want to visit
gbod.org or the Methodist church who host this webpage would feel the
same way about its DNS issues.

[2] Kintera.org has three glueless NS entries for resolving their
hostname: ns1.kintera.com (206.190.70.84), ns011.kintera.com
(216.39.103.70) and ns012.kintera.com (216.39.103.71). Of these three
DNS servers, ns011.kintera.com does not reply to DNS queries (and
previously, two out of the three hosts did not resolve). Also, the long
CNAME chain www.gbod.org uses slows down and makes unreliable DNS
resolution. Since kintera.com is a redirect to Blackbaud’s webpage, I
think it’s safe to say they’re the responsible party for this DNS
configuration.

From spamcatch-maradns.org at messageme.de Wed Aug 4 06:01:28 2010
From: spamcatch-maradns.org at messageme.de (Sebastian Müller)
Date: Wed, 04 Aug 2010 12:01:28 +0200
Subject: MaraDNS 1.4.04 released
In-Reply-To: <4C58652E.9040304@messageme.de>
References: <4C58652E.9040304@messageme.de>
Message-ID: <4C593A78.7010106@messageme.de>

On 03.08.2010 20:51, Sebastian Müller wrote:
> On 03.08.2010 18:31, Sam Trenholme wrote:
>>> Oops. Avira reports BDS/Backdoor.Gen in link
>>>
>>> http://maradns.org/download/1.4/1.4.04/maradns-1-4-04-win32.zip
>>>
>>> Should I ignore it?
>>
>> It’s a false positive.
>>
>> http://maradns.org/faq.html#virus
>>
>> My personal theory is that some cheezy anti-viruses get upset by
>> Deadwood.exe because it is a GCC-compiled Windows service, since some
>> trojans are, in fact, GCC-compiled Windows services.
>
> Hi Sam,
>
> I am using Avira, too. Avira is known to have many false positives.
>
> Nevertheless I contacted Avira about that false positive.
> Let's see when and how they answer.
>

Avira answered few minutes ago,

Avira Lab Response - Tracking number 573252

-------- Original Message --------
Return-Path:
X-Original-To: xxx
Delivered-To: xxx
Received: from vcc.avira.com (vcc.avira.com [62.146.210.56]) by mail.messageme.de (Postfix) with ESMTPS id D3C5B26A2DC for ; Wed, 4 Aug 2010 11:46:33 +0200 (CEST)
Received: by vcc.avira.com (Postfix, from userid 81) id 6F22180A179; Wed, 4 Aug 2010 11:46:14 +0200 (CEST)
To: xxx
Subject: Avira Lab Response - Tracking number 573252
Date: Wed, 4 Aug 2010 11:46:14 +0200
From: Avira Virus Lab Response Team
Message-ID:
X-Priority: 3
X-Mailer: PHPMailer [version 1.73]
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_c97da08c7bb555e43d84c01fa86ebfab"

A listing of files alongside their results can be found below:

File ID     Filename      Size (Byte)  Result
25834008    Deadwood.exe  61.5 KB      FALSE POSITIVE

Please find a detailed report concerning each individual sample below:

Filename      Result
Deadwood.exe  FALSE POSITIVE

The file 'Deadwood.exe' has been determined to be 'FALSE POSITIVE'. This
means that this file is not dangerous and is a false alarm on our part.
Detection will be removed from our virus definition file (VDF) with one
of the next updates.

From strenholme.usenet at gmail.com Wed Aug 4 13:22:09 2010
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Wed, 4 Aug 2010 10:22:09 -0700
Subject: MaraDNS 1.4.04 released
In-Reply-To: <4C593A78.7010106@messageme.de>
References: <4C58652E.9040304@messageme.de> <4C593A78.7010106@messageme.de>
Message-ID:

> Avira Lab Response - Tracking number 573252
> The file 'Deadwood.exe' has been determined to be 'FALSE POSITIVE'. This
> means that this file is not dangerous and is a false alarm on our
> part. Detection will be removed from our virus definition
> file (VDF) with one of the next updates.

One thing to keep in mind is that while you find bugs, Sebastian, I’m
going to update Deadwood to fix said bugs. So, Avira might whitelist
Deadwood 2.9.02, but that doesn’t help us when I release Deadwood 2.9.03
in a few days.

What I can do to keep Deadwood white-listed for a while is to only
update the Windows port of Deadwood but not MaraDNS’ Windows port (which
comes with Deadwood 2.9.02 pre-compiled) until we decide Deadwood is
pretty much bug-free and release Deadwood 3.0.01.

Speaking of Deadwood, I have just made a snapshot of Deadwood with a
patch to #ifdef out various routines that I use while debugging
Deadwood, but that the end-user program doesn’t use. I’ve reduced the
size of the Linux binary by nearly a kilobyte and the Windows binary by
512 bytes doing this.

It can be looked at here:

http://maradns.org/deadwood/snap/deadwood-H-20100804-1.tar.bz2

- Sam

From spamcatch-maradns.org at messageme.de Wed Aug 4 14:46:11 2010
From: spamcatch-maradns.org at messageme.de (Sebastian Müller)
Date: Wed, 04 Aug 2010 20:46:11 +0200
Subject: MaraDNS 1.4.04 released
In-Reply-To:
References: <4C58652E.9040304@messageme.de> <4C593A78.7010106@messageme.de>
Message-ID: <4C59B573.6010406@messageme.de>

On 04.08.2010 19:22, Sam Trenholme wrote:
> What I can do to keep Deadwood white-listed for a while is to only
> update the Windows port of Deadwood but not MaraDNS’ Windows port
> (which comes with Deadwood 2.9.02 pre-compiled) until we decide
> Deadwood is pretty much bug-free and release Deadwood 3.0.01.
>

In first place, I want to know how fast is Avira taking action.
Lets see how long they take to bring it in their virus definitions.

> Speaking of Deadwood, I have just made a snapshot of Deadwood with a
> patch to #ifdef out various routines that I use while debugging
> Deadwood, but that the end-user program doesn’t use. I’ve reduced the
> size of the Linux binary by nearly a kilobyte and the Windows binary
> by 512 bytes doing this.
>
> It can be looked at here:
>
> http://maradns.org/deadwood/snap/deadwood-H-20100804-1.tar.bz2
>
> - Sam

I'll fetch it.

Cheers,
Sebastian

From strenholme.usenet at gmail.com Fri Aug 6 14:12:51 2010
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Fri, 6 Aug 2010 11:12:51 -0700
Subject: Deadwood 2.9.03 released
Message-ID:

I have just released Deadwood 2.9.03:

* Updated dwood2rc_n_timeout_seconds SQA test to work around CentOS bug
  (reported: http://bugs.centos.org/view.php?id=4465 )
* Got packets too big to fit in dns-over-udp to work when running
  Deadwood as a recursive nameserver
* Fix IPs in ACLs without netmasks
* Increase timeout when a child query is spawned
* Add new compile-time define: XTRA_STUFF for routines only used while
  debugging.
* Deadwood can now handle a DNS reply with a DNAME in it
* Retries and remote IPs we connect to are now logged at verbose_level
  128 or higher
* Deadwood now sends NOTIMPL in reply to EDNS packets instead of
  dropping them

I have also updated MicroDNS and NanoDNS to handle EDNS packets better
(by sending NOTIMPL).

Thinking about it some more, I think it makes more sense for Deadwood to
just ignore the EDNS part of a DNS packet instead of sending NOTIMPL in
reply to EDNS packets; this is how MaraDNS has been doing it for years,
as well as DJB’s dnscache.

It can be downloaded here:

http://maradns.org/deadwood/testing/

Please keep the bug reports coming. I really appreciate all of the
reports I have gotten.

- Sam

From strenholme.usenet at gmail.com Mon Aug 9 11:31:32 2010
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Mon, 9 Aug 2010 08:31:32 -0700
Subject: Monthly posting: I’m still looking for work
Message-ID:

I still have not signed any contract nor finished any W-2 paperwork to
make me a hired contractor or employee. So, yes, I am looking for work.

I really would like a job that allows me to remotely telecommute from
Mexico about a week every month (yes, there is high-speed internet down
there) so I can spend time with my wife until she has permission to come
to the United States - a process that might take a year or longer.

My resume is available here:

http://samiam.org/resume/

People here know exactly how well I can code; I wrote MaraDNS (as well
as Deadwood, MaraDNS 2.0’s recursive resolver) after all.

If anyone has any potential leads, please contact me via private email.

This is a monthly posting; if I do not find a job in August, I will post
an announcement in early September.

- Sam

From spamcatch-maradns.org at messageme.de Tue Aug 10 15:22:30 2010
From: spamcatch-maradns.org at messageme.de (Sebastian Müller)
Date: Tue, 10 Aug 2010 21:22:30 +0200
Subject: Deadwood 2.9.03 released
In-Reply-To:
References:
Message-ID: <4C61A6F6.9020109@messageme.de>

Am 06.08.2010 20:12, schrieb Sam Trenholme:
> I have just released Deadwood 2.9.03:

Hi Sam,

just built Deadwood for OpenWRT (Mipsel), I get some weird debug output,
which I don't understand (verbose_level=128),

Making connection to IP IP of length 127
Making connection to IP IP of length 0

What's the meaning behind?

Cheers,
Sebastian

From strenholme.usenet at gmail.com Tue Aug 10 16:23:13 2010
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Tue, 10 Aug 2010 13:23:13 -0700
Subject: Deadwood 2.9.03 released
In-Reply-To: <4C61A6F6.9020109@messageme.de>
References: <4C61A6F6.9020109@messageme.de>
Message-ID:

> Making connection to IP IP of length 127
> Making connection to IP IP of length 0
>
> What's the meaning behind?

“IP of length 127”: This means that the NS record in question is a glueless NS record which requires a child resolution process to resolve.

“IP of length 0”: This means an error was encountered when trying to get an IP.

The reason these aren’t documented is because level 128 debug messages expose a lot of the internals of Deadwood which are primarily of interest to developers.

The important thing to look for in logs is “SERVER FAIL” messages, which indicates something went wrong when trying to resolve a given name. Some names are tough to resolve, such as “www.gbod.org”, and might take a couple of those “SERVER FAIL” messages to solve. What I am most interested in are host names that don’t resolve at all, and consistently give “SERVER FAIL”.

Also, Deadwood 2.9.03 is already out of date. I have already resolved an issue I saw yesterday with upper-case glueless referrals and tuned things to hopefully speed up Deadwood resolution a little:

http://maradns.org/deadwood/snap/deadwood-H-20100810-1.tar.bz2

- Sam

Note: I am actively looking for work and any job leads would be appreciated. I do not answer MaraDNS (including Deadwood) support requests sent by private email without being compensated for my time. A MaraDNS support request is any and all discussion you may wish to have about MaraDNS in private email; if you want to email me to talk about MaraDNS then, yes, that is a support request. I will discuss rates if you want this kind of support. Thank you for your understanding.

MaraDNS security vulnerability reports, however, will be dealt with without charge and kept confidential. If you don't know what Bugtraq is, then, no, your email is not a security report. It is not a security report unless you've done due diligence to determine how the security bug you think you found can reasonably be exploited.

From strenholme.usenet at gmail.com Fri Aug 13 19:31:26 2010
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Fri, 13 Aug 2010 16:31:26 -0700
Subject: Deadwood 2.9.04 released
Message-ID:

Deadwood 2.9.04 released. This is Deadwood 2.9.03 with a couple of notable bugfixes:

* Updated EDNS handling to treat EDNS packets as if the OPT record does not exist and we're getting a RFC1035 DNS packet. If the behavior of returning NOTIMPL to EDNS packets is preferred, this can be enabled by defining "STRICT_RFC2671_COMPLIANCE" when compiling Deadwood.
* DNS queries are now case-insensitive, with case preserved for the query originally sent to Deadwood (just in case a stub resolver violates RFC1035 and is case sensitive)

This is a beta-test release of Deadwood. The code has only been beta-tested for under a month and I want to get two full months of beta testing before declaring it stable. I really appreciate all of the bugs and issues Sebastian Müller has reported and hope other people also test this software and report issues.

Right now, the kinds of bugs I want people to look for and report in Deadwood are host names that do not resolve. If there is a host out there that correctly resolves in BIND or whatever, but doesn’t resolve in Deadwood, I want to know about it.

I also want to know about any memory leaks people find in Deadwood. I welcome reports of crashes, but only if accompanied by a stack trace or recipe to reproduce the crash (ideally both). Valgrind errors are OK to report, but only if Deadwood is compiled with “VALGRIND_NOERRORS” defined (export FLAGS='-g -DVALGRIND_NOERRORS' ; make from the src/ directory of Deadwood).

I would love people to test IPv6 compatibility with Deadwood; the SQA regressions tell me Deadwood works with IPv6, but I would love reports from users on IPv6 networks to see if there are any real-world problems with it (IPv6 needs to be explicitly enabled when compiling Deadwood: export FLAGS='-O3 -DIPV6' ; make ).

I am not aware of any hostnames that Deadwood can not resolve but other DNS servers can resolve.

Deadwood 2.9.04 can be downloaded here:

http://maradns.org/deadwood/testing/

- Sam

From strenholme.usenet at gmail.com Sat Aug 14 15:04:53 2010
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Sat, 14 Aug 2010 12:04:53 -0700
Subject: Deadwood 2.9.04 released
In-Reply-To:
References:
Message-ID:

> I am not aware of any hostnames that Deadwood can not resolve but
> other DNS servers can resolve.

Found one: www.bookride.com, but it’s aplus.net’s DNS servers giving out the broken DNS packets that confused Deadwood:

$ dig @64.29.144.70 www.bookride.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @64.29.144.70 www.bookride.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10397
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.bookride.com. IN A

;; ANSWER SECTION:
www.bookride.com. 3600 IN CNAME ghs.google.com.

;; AUTHORITY SECTION:
google.com. 86400 IN SOA ns1.aplus.net. hostmaster.aplus.net. 1007 86403 3600 3600000 86400

;; Query time: 304 msec
;; SERVER: 64.29.144.70#53(64.29.144.70)
;; WHEN: Sat Aug 14 01:18:15 2010
;; MSG SIZE rcvd: 119

This is an invalid packet: It is marked as a NXDOMAIN (complete with a SOA record in the NS/Authority section), but it is actually a CNAME.

I have updated Deadwood to treat these broken packets like ordinary CNAME packets. The snapshot can be downloaded here:

http://maradns.org/deadwood/snap/

I also am trying to report this issue with aplus.net (I sent one report, got the runaround, and have sent another email to the address they referred me to). I don’t know what product they use for authoritative DNS, but it’s broken.

- Sam

From strenholme.usenet at gmail.com Sat Aug 28 13:58:49 2010
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Sat, 28 Aug 2010 10:58:49 -0700
Subject: Deadwood 2.9.05 released
Message-ID:

A little over a week ago, I released Deadwood 2.9.05. The two major bugfixes are that Deadwood now works with the malformed DNS packet seen when resolving www.bookride.com (aplus.net’s broken DNS servers), as well as working with ANY queries that point to CNAME records. In addition I have updated the documentation.

I am, at this time, not aware of any domains that resolve with other DNS servers that do not resolve with Deadwood.

It can be downloaded here:

http://maradns.org/deadwood/testing/

- Sam
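
The reply discussed in the 14 August and 28 August messages (RCODE NXDOMAIN with a CNAME in the answer section) and the handling described there, treating it like an ordinary CNAME reply, as an added Python example; this is not Deadwood's code. The function names, the action labels and the packet (constructed from the dig output, with the authority SOA left out) are assumptions.

```python
import struct
NXDOMAIN, T_A, T_CNAME = 3, 1, 5

def wire_name(dotted):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = dotted.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(pkt, off):
    """Return the offset just past the name at off; raise on a malformed name."""
    while off < len(pkt):
        length = pkt[off]
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length
        if length == 0:                  # root label ends the name
            return off
    raise ValueError("name runs past end of packet")

def classify(pkt):
    """Return (rcode, answer_types, action) for a DNS reply."""
    if len(pkt) < 12:
        raise ValueError("short header")
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off, types = 12, []
    for _ in range(qd):
        off = skip_name(pkt, off) + 4    # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(pkt, off)
        if off + 10 > len(pkt):
            raise ValueError("truncated record header")
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if off > len(pkt):
            raise ValueError("RDATA runs past end of packet")
        types.append(rtype)
    rcode = flags & 0x000F
    action = ("follow-cname" if T_CNAME in types       # CNAME wins over the RCODE
              else "name-error" if rcode == NXDOMAIN
              else "answer" if types else "no-data")
    return rcode, types, action

# Constructed reply modelled on the dig output above (authority SOA left out).
TARGET = wire_name("ghs.google.com")
SAMPLE = (struct.pack("!6H", 10397, 0x8503, 1, 1, 0, 0)   # qr aa rd, RCODE 3
          + wire_name("www.bookride.com") + struct.pack("!HH", T_A, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", T_CNAME, 1, 3600, len(TARGET)) + TARGET)
```

For SAMPLE, classify returns RCODE 3 together with the action "follow-cname", so the resolver looks up ghs.google.com itself rather than caching a name error for www.bookride.com.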