DNS is in motion

[Graph: dsldnssuccess2DSLDNS.png (recursive DNS response codes, DSL customers)]

This is what recursive DNS looks like these days.

It seems some people eventually break things when updating their authoritative servers, hence the Server Failure (SERVFAIL) responses; and then there are these suspicious NXDOMAIN spikes. I have not yet been able to pinpoint who is asking what there, but those could very well be spoofing attempts coming from our clients.

Not that they would have any chance of succeeding: we're running the PowerDNS recursor and have uRPF deployed on all ingress, so no spoofed source addresses from our clients, and no spoofing from that direction.

“My grandma’s going to understand the bug.”

So with the WIRED article it's kind of official: the cache poisoning ‘bug’ has leaked, and it's all too simple to implement. As Dan Kaminsky told WIRED in their interview:

My grandma’s going to be in the audience (at Black Hat). My grandma’s going to understand the bug.

And I bet she really will: if my dad can understand IP routing without ever having touched a computer in his whole life, Dan's grandma can understand DNS spoofing, no problem.

So if you haven't updated already, please do that now; it's urgent!

If you don’t believe me, just listen to Sarah again. ;)

DNS Spoofing anyone?

OK, so maybe my blog will get some more hits if I blog about the recent ‘Massive, Coordinated Patch To the DNS Released’, as /. named it.

Let me just link to this recent article by PowerDNS author Bert Hubert, in which he reminds us that this ‘fix’ for what seems to be an all-new issue is not all that new after all.

Come on, people, you knew it all along. There is the query ID, which is 16 bits at best, and … well, did you really never wonder about that one high port BIND reserved for all of its outgoing queries?

Alright, maybe you haven't, but it seems not all that hard to do:

Actually, the very same Dan Kaminsky who is credited with having found this latest issue half a year ago encourages us geeks to go “explore DNS”. “Maybe I missed something”, he writes. Well, I for one have not yet discovered what he did to get a DNS cache poisoned in under a second, but apparently Dan is pretty convinced that someone is going to find out before his Black Hat talk, where he wants to spill it.
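To put numbers on the two guessable fields mentioned above (the 16-bit query ID and the source port), here is a small added example, not part of the original post or of PowerDNS: it computes how likely a blind off-path forger is to hit an in-flight query given how many bits it has to guess, and runs a quick entropy check over a capture of a resolver's outgoing queries to tell a fixed-port resolver from a randomizing one. The capture data is constructed inline as a stand-in for a real packet capture, and the 16 bits assumed for a randomized source port are an approximation of the 1024 to 65535 range.

```python
"""Added example (not from the original post): spoofing odds per in-flight
query, plus a source-port randomization check over constructed capture data.
"""
import math
import random
from collections import Counter


def spoof_success_probability(forged_packets, txid_bits=16, port_bits=0):
    """Chance that `forged_packets` distinct blind guesses hit the one
    (txid, source port) pair the resolver is waiting for, assuming both
    values are uniformly random and the attacker never repeats a guess.
    port_bits=0 models a resolver that always sends from the same port."""
    space = 2 ** (txid_bits + port_bits)
    return min(1.0, forged_packets / space)


def sample_entropy_bits(values):
    """Shannon entropy of the observed values, in bits. With n samples this
    is at most log2(n), so it is a lower-bound estimate of the real entropy."""
    n = len(values)
    counts = Counter(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def source_port_verdict(queries, min_bits=8.0):
    """Classify a list of (source_port, txid) observations. A resolver that
    reuses one port for every query shows ~0 bits of port entropy; one that
    randomizes shows close to log2(number of samples)."""
    port_bits = sample_entropy_bits([p for p, _ in queries])
    txid_bits = sample_entropy_bits([t for _, t in queries])
    verdict = "fixed source port" if port_bits < min_bits else "randomized source port"
    return {"port_bits": port_bits, "txid_bits": txid_bits, "verdict": verdict}


def constructed_capture(randomize_ports, n=2000, seed=1):
    """Constructed sample data standing in for a real capture of outbound
    queries. The fixed-port case models a resolver that opened one high port
    at startup and reuses it for every query; the TXID is random either way."""
    rng = random.Random(seed)
    fixed_port = rng.randint(1024, 65535)
    queries = []
    for _ in range(n):
        port = rng.randint(1024, 65535) if randomize_ports else fixed_port
        queries.append((port, rng.randint(0, 0xFFFF)))
    return queries


if __name__ == "__main__":
    # Odds of a hit with TXID only versus TXID plus ~16 bits of source port.
    for label, port_bits in (("TXID only", 0), ("TXID + random port", 16)):
        for k in (1, 2 ** 10, 2 ** 16, 2 ** 20):
            p = spoof_success_probability(k, port_bits=port_bits)
            print(f"{label:20s} {k:8d} forged packets -> P(hit) = {p:.8f}")
    # Entropy check on the two constructed captures.
    for randomized in (False, True):
        print(source_port_verdict(constructed_capture(randomized)))
```

With a fixed source port, 2^16 forged answers raced against a single query already give a certain hit; with a randomized port the same flood gets the attacker back to roughly one chance in 65536 per query. The entropy check is only as good as the capture it is fed: feed it a few thousand genuine outgoing queries from the resolver, not the handful from a test run.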

Euro 2008 in DNS

Alright, now for the graphs I wanted to show you all along but couldn't, because RoR was playing up. Grr.

Anyway, here we are now.

The semi-final, 25 June 2008: Germany vs. Turkey

[Graphs: 2k8-soccer-semifinal-dsldnsaggdDSLDNS.png, 2k8-soccer-semifinal-dsldnssuccessdDSLDNS.png]

The final, 29 June 2008: Germany vs. Spain

[Graphs: 2k8-soccer-final-dsldnsaggdDSLDNS.png, 2k8-soccer-final-dsldnssuccessdDSLDNS.png]

Note: It seems I will have to tweak the CSS a bit; while this looks nice, it's a bit dizzying ;-)

about time…

…for a trackback to Bert's blog.

…that this RFC draft went on its way.

And yes, DNS anti-spam/anti-spoofing is a good thing to care about if you're running a recursive DNS service for your customers, and even if you only run it for yourself. Our everyday commercial email spammers apparently have not yet figured out how to pull this off, but trust me, they will, just as easily as they give our postmasters nightmares quite frequently.

UPDATE: There is also a web 1.0 version of this document available. ;)