[ale] Re: bellsouth DSL dropped last night

deritchie at earthlink.net deritchie at earthlink.net
Fri Dec 7 09:15:46 EST 2007


Several factors affect the uptake of knowledge on DNS:

1) In most companies/organizations, only a small number of people do anything with DNS other than point at someone else's server.
IMHO, this is out of self-defense, as it is quite easy to hose things up if you don't know what you are doing.

2) There are a nontrivial number of people still using hosts files. This is, again IMHO, to avoid having to understand zone files and transfers.

3) Lots of folks have DNS implementations based on Windows and Active Directory. Unfortunately (for undertrained Windows admins), there is no "DNS Wizard" to remind them of the necessary steps to set up DNS correctly.
If I had a nickel for every time I have seen windows admins not put in reverse lookup entries....

4) Lots of folks don't understand the public-facing vs. local-facing DNS server concept.

5) Lots of folks have DNS setups that sorta work.

6) Windows admins are, as a class, minimally trained and compensated - and you do get what you pay for.

Are there any good tools for going in and evaluating a DNS setup after the fact?


-----Original Message-----
From: "Michael H. Warfield" <mhw at WittsEnd.com>

Date: Thu, 06 Dec 2007 20:48:37 
To: Atlanta Linux Enthusiasts <ale at ale.org>
Cc: mhw at WittsEnd.com
Subject: RE: [ale] Re: bellsouth DSL dropped last night


On Thu, 2007-12-06 at 20:05 -0500, Adrin wrote:
> Ever notice how many ISPs have primary and secondary DNSes on the same
> subnet?

	It's not just the ISPs.  Those are merely caching nameservers and, yes,
they should be dispersed and they should have ONE HELL OF A LOT MORE OF
THEM!!!!  But even Microsoft, a couple of years ago, got their family
jewels kicked royally because they had all their public authoritative
name servers on a very small subnet.  Some chump^H^H^H^H^Hemployee
managed to screw up a table in the router from their public name servers
to their master (give them credit, they did at least THAT much right -
never make your master name server a public server) and after the TTL
failed to the slaves, all fall down go boom.

	The story continues on that, once they found the problem (the guilty
party had already left his shift before the shift hit the fan) and fixed
it (history is silent on what happened to the unfortunate individual
who committed this sin, when he got back) and got the name servers back
up (only a couple of hours down range), some enterprising individuals
just couldn't let the fun end there and launched DDoS attacks against
the routers that were the single point of failure.  Net result, several
days of downtime.  Now MS has their nameservers distributed through
Akamai.  Live and learn.  Sometimes the hard way.

	In both cases, at least one bcp (best common practice) RFC was
violated.  All too common.  It will happen again.

	That doesn't count the morons who let their registration lapse.


	I've been working on a paper (to be published in the IBM-ISS XFTIM,
X-Force Threat Intelligence Monthly) on "Toward a Robust DNS".  It was
originally supposed to be out this month but it's being pushed back to
next month because of the size (I'm way over the guidelines for that
channel), and because of a recent DNS survey, and because of this
incident.  Maybe I'll do this as a talk, at ALE or AUUG real soon.
Seems like some people need to be reminded of some basic principles some
of us old farts take for granted.


	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
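A small offline check for the three points raised in this thread (all authoritative name servers crowded onto one subnet, the master also advertised as a public NS instead of being a hidden master, and missing reverse entries), as an added example that is not code from the list or from either poster. It runs on constructed sample records of the shape a resolver lookup would return; fetching a real zone's NS, SOA MNAME and PTR records is left to the caller, and the /24 and /48 grouping widths are an assumption.

```python
import ipaddress

# Constructed sample data (not from the thread): what a lookup of the
# zone's NS set, SOA MNAME and matching PTR records might come back with.
SAMPLE_NS = {                      # NS hostname -> its addresses
    "ns1.example.net.": ["192.0.2.10"],
    "ns2.example.net.": ["192.0.2.11"],
    "ns3.example.net.": ["192.0.2.12"],
}
SAMPLE_MNAME = "ns1.example.net."  # SOA MNAME is also a public NS: no hidden master
SAMPLE_PTR = {"192.0.2.10": "ns1.example.net.", "192.0.2.11": "ns2.example.net."}

# Constructed "good" zone: two providers, two networks, v4 and v6, full PTRs.
GOOD_NS = {"ns1.example.net.": ["192.0.2.10"],
           "ns2.example.org.": ["198.51.100.5", "2001:db8:1::53"]}
GOOD_PTR = {"192.0.2.10": "ns1.example.net.", "198.51.100.5": "ns2.example.org.",
            "2001:db8:1::53": "ns2.example.org."}


def network_of(addr, v4_prefix=24, v6_prefix=48):
    """Collapse an address to the network one router or table entry would cover (assumed widths)."""
    ip = ipaddress.ip_address(addr)
    plen = v6_prefix if ip.version == 6 else v4_prefix
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def audit_zone(ns_addrs, soa_mname, ptr_map):
    """Return (severity, message) findings; an empty list means all three checks passed."""
    findings = []
    addrs = [(host, a) for host, lst in ns_addrs.items() for a in lst]
    nets = {network_of(a) for _, a in addrs}
    # 1. Diversity: more than one server, and not all in one network.
    if len(addrs) < 2:
        findings.append(("HIGH", "fewer than two authoritative name server addresses"))
    elif len(nets) == 1:
        findings.append(("HIGH", f"all {len(addrs)} name server addresses sit in "
                                 f"{nets.pop()}; one routing failure takes them all"))
    # 2. Hidden master: the SOA MNAME should not be in the public NS set.
    if soa_mname in ns_addrs:
        findings.append(("MEDIUM", f"SOA MNAME {soa_mname} is also a public NS; use a hidden master"))
    # 3. Reverse entries: every NS address should have a PTR naming that host.
    for host, a in addrs:
        if ptr_map.get(a) != host:
            findings.append(("LOW", f"{a} has no PTR record naming {host}"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_zone(SAMPLE_NS, SAMPLE_MNAME, SAMPLE_PTR):
        print(f"[{sev}] {msg}")
```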

