Forgot your password?
typodupeerror

Comment: Re:Thoughts from MaraDNS' implementer (Score 1) 179

by MaraDNS (#43310513) Attached to: Misconfigured Open DNS Resolvers Key To Massive DDoS Attacks

TL;DR The grandparent complained about MaraDNS not having more features. He responded to my "show me the money" reply by saying "why should anyone pay you if you don't have more features". My reply: "Because DNS shouldn't be a monoculture".

(As an aside, I actually somewhat respect the parent poster because he does a reasonable job of articulating his points. His thinking is a little rigid and absolute "this is how it must be done" for my tastes, but he at least has clue, something becoming rarer and rarer as Slashdot slowly goes the way of the horse and buggy)

Another thing I forgot to add: Why use MaraDNS.

Since I have Karma to burn, and since it probably would be best if my Karma went to hell, discouraging me from wasting time on Slashdot, here's my thoughts on the negative moderations:

Sure, the first post came off as an ad. I wrote it too quickly, and I can see why a moderator didn't like it. I can also see why a moderator--perhaps the same one--didn't like the parent to this. A good number of Slashdot readers still live in that "everything should be free and no one has bills to pay since they all live in my mother's basement [1] like I do" neckbeard fantasyland probably don't like how I pointed out that it's going to take real money for MaraDNS to get DNSSEC or have rate limiting. They probably stopped there and moderated down (the post was also too long, but a long post deserves a long reply).

[1] In other cultures, multiple generations living under the same roof is normal; I feel the idea that a kid has to move out of the house at 18 to be a real man is one that is bad for families. It's actually in many ways good when a 45-year-old man still lives in his mother's basement, since he will become the one taking care of his aging mother instead of sending her to a nursing home.

OK, I'm out of Slashdot for the rest of 2013. I will not post here until the beginning of 2014. The moderators hath spoken and I really need to get out of the shithole Slashdot is becoming. MaraDNS is the past; it's time for me to make a new mark on the world!

Comment: Re:Thoughts from MaraDNS' implementer (Score 0) 179

by MaraDNS (#43310287) Attached to: Misconfigured Open DNS Resolvers Key To Massive DDoS Attacks

lack of EDNS support is a potential problem

"Potential" being the operative word. Truncated DNS packets still have enough information in them to answer DNS questions, and the only time I've really seen truncated packets is with some of the byzantine DNS packets Yahoo has.

DNSSEC support is critical

But not critical enough for someone to send me the money to make DNSSEC happen with MaraDNS: http://maradns.org/products.html It's really the same problem IPv6 has: All kinds of geeks talk about how great it would be if IPv6 were everywhere, but they don't put out the money for IPv6 to happen more quickly.

It's still possible to resolve domains and surf the web without DNSSEC. I know: MaraDNS 2.0 (Deadwood) is being used to resolve Slashdot.org (and all the other places I go) so I can make this posting. Yes, there are issues with someone with a packet sniffer forging DNS packets on the same network, and I do agree DNSSEC is needed on a larger network with infected machines, and is needed for a DNS server that calls itself secure, but it is working for me right now.

(For sites where forgery is a real problem, such as online banking, I use a special virtual machine and make sure the HTTPS certificate is kosher)

DNS resolvers should not be usable by the world.

Google, OpenDNS, and heck, Level3 disagree with you. That said, I mostly agree: That's why there are no examples in MaraDNS' documentation showing how to make a recursive nameserver globally resolvable, and why it has never been a default configuration in Mara.

Any DNS server that provides recursive DNS ought to not simultaneously provide authoritative DNS from the same service, or from the same IP.

That's the design MaraDNS 2.0 has: I removed the recursion from the "maradns" daemon and completely, from scratch, reimplemented recursion in a separate daemon, which has to run on a separate IP. Not one line of code is shared between the two.

I fully expect any government or corporate grants will go towards DNS server implementations that are more widely used

I understand your sentiment, but, software monoculture is a bad thing and software diversity is a good thing.

When DNS first showed up in the 1980s, there were a number of different implementations. By the time I started MaraDNS 12 years ago, there was only one usable open-source DNS server out there. When I finished MaraDNS, there were five or six (depending on whether Unbound/NSD counts as one or two) different actively maintained significant open-source DNS servers out there. That number has since gone down (none of the djbdns forks came out with a release that fixes CVE-2012-1191). I hope that number continues to be higher than one.

An attitude of "let's only support one DNS server" can return us to the world of a DNS monoculture. EDNS, DNSSEC, and all of these extensions to DNS do not help.

I don't like how CSS, Javascript, and HTML have become such a mess that it requires multi-million dollar grants to keep a browser current, and where Opera finally threw in the towel because they just couldn't keep up with the nonstop update treadmill browsers are on. Dillo doesn't even try to be current (I think they made a mistake trying to support CSS at all, but that's another discussion for another day).

While I disagree with DJB on a lot of things, I understand why he rejected DNSSEC and proposed DNSCURVE: He wanted to keep DNS simple, to keep DNS something that a single talented developer can implement in their spare time.

For better or for worse, DNSSEC won, and now DNS is no longer can practically be implemented by a one-man show any more.

PowerDNS

I agree PowerDNS is a good choice, especially for people who want a database back end, but I'm disappointed it took them over a year to patch CVE-2012-1193 (which only affects the recursor).

not to discount MaraDNS, but it seems like a dead-end

You know, I tend to agree with you. Software has a lifecycle, and MaraDNS is probably near the end of hers. I still will fix bugs, and I will still make sure MaraDNS is usable on the internet for the foreseeable future, and as IPv6 slowly becomes the norm, I will probably make sure Mara is still usable with all of IPv6's changes (IPv6 has been implemented but not fully tested). But, without DNSSEC, EDNS, and whatever else they throw in the DNS kitchen sink, MaraDNS will probably become more and more dated as the 2010s go on.

But, you know, I made my mark on the world and I made my contribution to open source. I'm very proud of what I did, and how I was a big part of breaking the DNS monoculture of the early 2000s.

What's your mark on the world? What can you point to and say "I made this, this is what I have contributed to this planet"?

Comment: Re:Article is garbage (Score 1) 179

by MaraDNS (#43308165) Attached to: Misconfigured Open DNS Resolvers Key To Massive DDoS Attacks
Out of all those though, rate limiting seems to make the most sense and is the lesser of the evils.

Except for the fact that some DNS servers do not have rate limiting nor the funds to implement rate limiting (it's non-trivial to implement), you're right.

In my case, without EDNS support, the highest amplification factor my DNS server has is 23x (as opposed to the 100x+ EDNS servers have). Also: My server doesn't have open recursion enabled by default.

Comment: Thoughts from MaraDNSâ(TM) implementer (Score 0) 179

by MaraDNS (#43308103) Attached to: Misconfigured Open DNS Resolvers Key To Massive DDoS Attacks
As the implementer of MaraDNS, here are my thoughts:
  • 1) MaraDNS 1 and Deadwood do not support a technology called "EDNS" that allows for large DNS packets. By only supporting 512-byte packets, both DNS servers do not allow for the 100x amplification used in this DDOS that other DNS servers have.
  • 2) My DNS software does not come with unrestricted recursive access enabled by default, and the documentation strongly discourages open recursion.
  • 3) I will have to double check, but, as I recall, the documentation and example configuration files do not include an example with unrestricted recursive access.

One feature that would be nice would be to be able to restrict how much data my DNS server sends to a given IP (again, as noted above, MaraDNS/Deadwood already has a form of this because they do not support EDNS). Unfortunately, since I am not developing new features for MaraDNS like this without being compensated for my time, I would need a corporate or government grant to implement this. TANSTAAFL

Comment: Re:My opinion (Score 4, Interesting) 69

by MaraDNS (#43259585) Attached to: ICANN Reveals Regional Winners of New gTLDs

I posted about this before and I will probably have to post this again: Where's this alternative to DNS everyone keeps talking about on Slashdot?

If you don't like that the ICANN is doing, (shameless plug) it's pretty easy to download and install an open-source (BSD licensed) recursive DNS server (even on Windows), then use the program to blacklist ICANN's new domains.

If you don't want to use my program, I am sure other DNS servers, such as Unbound and BIND (which usually comes with Linux) have similar capabilities.

Comment: Re:This story is ... (Score 1) 101

by MaraDNS (#43217287) Attached to: Google Implements DNSSEC Validation For Public DNS
You're right of course; it's just not possible to fully describe the differences between DNSSEC and DNScurve in a 250-word summary written for people who think DNS is just some "boring subject". I chose readable over "pedantically accurate", along with a disclaimer that some details were lost in the interest of brevity and readability.

Comment: Re:This story is ... (Score 4, Interesting) 101

by MaraDNS (#43216647) Attached to: Google Implements DNSSEC Validation For Public DNS
DNS is really boring today, but let me tell you, between 1999 and 2001, DNS was a much more interesting topic.

Back then, there were two DNS servers out there:

  1. BIND, which was horribly insecure and one of the more significant cause of remote root access security holes
  2. DJBDNS, which was and by and large is secure, but had a weird maybe-not-open license and lots of quirks

LWN has a good article from that era to give people an idea how limited choices were with open-source DNS servers. Since then, we got Unbound and NSD, PowerDNS, and (shameless plug warning) MaraDNS (there are also a lot of DNS server projects which never were finished or were abandoned years ago, such as OakDNS, Dents, Posadis, etc.)

The idea behind DNSSEC is that is is, within a margin of error (I'm already awaiting a somewhat pedantic correction from a neckbeard), it is the HTTPS of DNS: It makes it impossible (cue neckbeard pedantic correction) to spoof a DNS reply. DNS without DNSSEC is like HTTP without HTTPS: There are security issues where an attacker can make someone go to the wrong web site.

(Yes, I am aware of DNScurve. I'm also aware that, like Esperanto, the best idea doesn't always win--or even get implemented in a mainstream DNS server)

(Slashdot: 2001 called and wants its lack of Unicode support back. Why can't I use use smart quotes or real em dashes in my replies?)

Comment: Quick thoughts from a DNS implementer (Score 1) 313

Really quickly:

  • DNScurve, as pointed out above, doesn't do nearly as much as DNSSEC does. In particular, DNScurve still allows "NXDOMAIN recirection" but DNSSEC doesn't. In addition, Bind, NSD, Unbound, and PowerDNS (non-recursive) have DNSSEC support, but there is not a mainstream DNS server out there with DNScurve support.
  • djbdns hasn't been updated since 2001 and even the unofficial forks do not have patches for all three CVE security holes in DjbDNS. Since DjbDNS' goal was security, I consider it abandoned until someone makes a fork fixing all of the known security problems.
  • There are ways to make blind DNS spoofing almost impossible without needing to add complex cryptography. Crypto, however, is needed when the attacker can watch the DNS packets that the victim sends.
  • I would love to implement DNSSEC for MaraDNS, but I would need $50k US to pull it off. I would like make it a kickstarter project, but I think people would rather just use Unbound/NSD (which, unlike MaraDNS, was funded with a government grant) instead of throwing money my way.

Comment: Ironic this made a front page story (Score 1) 412

by MaraDNS (#40677071) Attached to: The Web Is Not the Internet

It's ironic this is a front page story, because a few months ago I got in a pointless flame war over here at Slashdot over this very point (when, after going to a lot of effort to make a useful comparison of DNS servers, some pedant got upset that I used an analogy treating the Internet like the World Wide Web):

http://slashdot.org/comments.pl?sid=2620802&cid=38696276

Comment: Re:8.8.8.8 (Score 1) 193

by MaraDNS (#40114493) Attached to: Paul Vixie: 100,000 DSL Modems May Lose Their DNS On July 9
djbdns has not been updated since 2001 and even the unofficial forks have not addressed important issues like the security problem CVE-2012-1191.

If you want DNSSEC and don't want BIND, your only other open-source option is Unbound; MaraDNS doesn't have DNSSEC either, and PowerDNS only has it for the authoritative code.

You have a tendency to feel you are superior to most computers.

Working...