The Internet Society (ISOC) posted its views on DNS filtering. They are excellently summed up by the ISOC in a single phrase:
The real solution is international cooperation.
The reality though is that DNS filtering is here to stay. And it is here to stay because its initial deployment is far more easier than attacking the problem to its source via international cooperation.
So until DNS filtering (and supporting users mainly) starts costing Service Providers a lot, as in costing that much that it makes international cooperation cost less (even with the bureaucracy involved) it is a fact of everyday life that we have to get used to. Just imagine debugging not being able to access a single site, while at the same time all antivirus vendors run their own private, and allowed to be queried only by machines running their products (a “value added service”), resolvers.
Sad but true.
What is a Domain?
2011/08/28
Esther Dyson’s “What is in a Domain Name?” reminded me of the excellent and classic paper by Mark R. Horton, “What is a Domain?” written back in 1984. Although old, it is a classic you can share with people who want to start learning more.
Please do not mix CNAME and MX RRs
2010/11/10
From time to time I observe the following email setups, from web hosting providers mostly:
$ host -t mx example.com example.com mail is handled by 5 mail.example.com. $ host mail.example.com mail.example.com is an alias for www.example.com. www.example.com has address 192.0.2.2
In other words this is a single server that provides web and mail services, The devil is in the details though: mail.example.com is an alias for www.example.com. This is a mistake as when something is declared as a CNAME, it cannot have other resource records bound with it. I copy from DNS for Rocket Scientists:
CNAME RRs cannot have any other RRs with the same name, for example, a TXT – well that was true until DNSSEC came along and in this case RRSIG, NSEC and certain KEY RRs can now occupy the same name.
So the above setup is wrong. The correct setup would be the following:
$ host -t mx example.com example.com mail is handled by 5 mail.example.com. $ host mail.example.com mail.example.com has address 192.0.2.2 $ host www.example.com www.example.com is an alias for mail.example.com. mail.example.com has address 192.0.2.2
That is if you want to use a CNAME at all. Personally I am using A RRs instead of CNAMEs whenever possible. But why cannot a CNAME carry any other information? I copy from RFC1034 (section 3.6.2):
A CNAME RR identifies its owner name as an alias, and specifies the corresponding canonical name in the RDATA section of the RR. If a CNAME RR is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different. This rule also insures that a cached CNAME can be used without checking with an authoritative server for other RR types.
So please people, correct your defaults. Your clients will benefit from that.
Firefox and IPv6
2010/07/21
So you’ve set up a tunnel with your favorite tunnelbroker (for example Tunnelbroker.net or SixXS) but Firefox still refuses to “see the light” and insists on an IPv4 web. You simply need to type about:config in the address bar and change network.dns.disableIPv6 to false.
A simple use of Google’s Public DNS servers
2010/07/02
Google Public DNS s a free, global Domain Name System (DNS) resolution service, that you can use as an alternative to your current DNS provider. The service’s DNS servers IP addresses are easily memorable even by end users (who the service aims to help most) and they are:
- 8.8.8.8 and
- 8.8.4.4
There are other uses for the service. Many system administrators use it for troubleshooting DNS problem in their infrastructure as an objective third party with a DNS view from “outside” their network (plus you can say to your manager that hey this is Google’s DNS view of this zone setup when nothing else helps).
Those of us who host domains, web sites and mail infrastructures have at times faced the problem that domains come and go somewhere else. However, domain owners / administrators / subcontractors / etc often neglect to inform the previous infrastructure that the domain has a new home. Then appears the phenomenon that most of the Internet knows how to access the web site (and where to route email) at the new home, with the exception of the previous ISP or hosting provider. Most of the times the previous hosting provider will find out when the contract runs out, which at times may take as long as 6 months (and I’ve seen longer times too).
In a few cases the previous hosting provider will find about the move because of complaints by its current customers who cannot reach the domain, the old customer complaining that there exist people who do not see the new site (but hey did you ever ask us to put it down?) or simply by pure chance.
In such cases as above the objectiveness of the Google Public DNS system can be of use to the DNS master who wants to maintain a clean setup. One can feed the following script with a file that contains one domain per line (the domains that you host) and ask Google who does it see as their designated DNS servers. In the old days one would ask a fellow admin at another ISP for shell access (I use SDF for similar purposes) or for query access. There is no need for that now :)
#!/usr/bin/perl
# This hack assumes that your nameservers are under the example.com domain
$ns = "8.8.8.8";
## $ns = "8.8.4.4";
while(<>) {
next if (m/^#/);
chop;
$domain = $_;
open DIG, "dig \@$ns $domain ns +short|" or die;
while(<DIG>) {
chop;
next if (m/\.example\.com\.$/);
print "$domain $_\n";
}
close DIG;
}
As is shown by the small script above the idea is pretty simple and can easily be customized to suite any local setup.
@dstergiou asked:
One way to check is to visit registrars that cover TLDs and ccTLDs (like EuroDNS or Gandi) and submit your query to their forms. However since (at least TTBOMK) none of them offers any query API to check programmatically, one can script his way to an almost complete solution. ICANN provides a list of all available TLDs and we can iterate over it:
#!/usr/bin/perl
## To grab the TLDs: wget -c http://data.iana.org/TLD/tlds-alpha-by-domain.txt
use Net::DNS;
$check = shift or die;
open F, "< tlds-alpha-by-domain.txt" or die;
while (<F>) {
next if (m/^#/);
chop;
push @tlds, $_;
}
close F;
foreach $i (@tlds) {
my $domain = $check . "." . $i . ".";
my $res = Net::DNS::Resolver->new;
my $query = $res->query($domain, "NS");
if ($query) {
## foreach $rr (grep { $_->type eq 'NS' } $query->answer) { print $rr->nsdname, "\n"; }
print $domain, "\n";
}
}
The above hack comes with three problems:
- It uses Net::DNS which makes it a little slow. There is room for improvement.
- It finds out about registered domain names that have domain name servers that answer queries about them. This is not always the case. For example in .GR one can register a domain without having it served.
- It also does not take into account strict domain hierarchies, like .co.uk, .net.uk, .org.uk but minimal changes are needed to test that too.
Somewhat incomplete as a solution, but adequate as a 5 minute hack for most purposes.
P.S. @stsimb offers a similar solution using dig:
“v=spf1 mx -all”
2010/05/20
It seems that a lot of web hosting providers are now using SPF in an effort to minimize spam that may seem to originate from their clients. Unfortunately many of them seem to use a default setup of “v=spf1 mx -all”. This configuration is interpreted as follows:
- v=spf1 This identifies the TXT record as an SPF string.
- mx The MX servers for the domain are allowed to send email that originates from the domain.
- -all No other servers are allowed to send mail originating from the domain.
To the uninformed user this setup creates delivery problems, unless he is provided with a port 587/tcp submitting email option by his webhosting / email provider. For when the user tries to send email using his ISP’s outgoing SMTP server, anyone honoring SPF records drops the email. And yes the hosting provider never hears about that because the user calls the first level support of the ISP who clearly cannot help him.
-all is a good idea only when you provide your customer with a port 587/tcp sending email option.
Note: This post was triggered by my frustration because of a similar case and the timely request of a reader of this blog to write something about SPF. To be honest, I do not consider SPF as an antispam solution since a spammer can have (and in fact many do) perfectly legal SPF records for domains that they own.
adnsrblcheck – RBL check via ADNS
2010/04/09
adnsrblcheck is a DNSBL check tool that I wrote sometime in 1999. At the time I had come across the ADNS resolver library and I wanted to try it out. So I grabbed a copy of rblcheck (then at version 1.4) and modified it to use ADNS instead of the standard resolver library.
Some time in 2003 Stephen Friedl grabbed adnsrblcheck.c, did his own modifications and released it back as arblcheck. He even provides a Windows port.
In December 2008, and while I was supposed to be performing ns2 simulations, I was struck by a severe case of structured procrastination which led to me picking up the tool again and doing some minor modifications. Eventually I pulled myself together, dealt with the deadlines and (almost) forgot about the tool. That is until today: adnsrblcheck, a DNSBL check tool using ADNS, is available again and you can grab it via subversion from here:
svn checkout https://rainbow.cs.unipi.gr/svn/adnsrblcheck
nslookup
2010/02/06
Από το INBOX μου:
Γιώργο,
Μπορώ να κάνω nslookup χρησιμοποιώντας άλλον dns π.χ. dns1.ΧΧΧΧ.gr ;Παλιά μπορούσα αλλά τώρα δεν μπορώ από κανέναν άλλο να δω πλην από ΥΥΥΥ. Γνωρίζεις κάτι;
Οι περισσότεροι ISP δεν επιτρέπουν recursive queries στους DNS servers τους “έξω” από το δίκτυό τους. Το (φιλικό) Internet όπως το μάθαμε έχει τελειώσει. Οπότε η αμέσως καλύτερη επιλογή είναι οι server του Google:
- 8.8.8.8 και
- 8.8.4.4
και όχι μόνο για DNS lookups, αλλά και για traceroute και ping.
PTR και multiple A RRs
2010/01/10
Ο Βαγγέλης έκανε στο twitter δύο ενδιαφέρουσες ερωτήσεις:
@hakmem ερώτηση: δεν είναι καφρίλα να ζήτας από SMTP να έχει και Valid RDNS;
και αφού του απάντησα πως δεν είναι:
Για να γίνει κατανοητό το γιατί, θα χρησιμοποιήσω το test case που δίνει ο Βαγγέλης. Έστω VPS με IP address 10.2.3.4 και όνομα server-vps.example.com. Έστω επίσης και 5 virtual domains που τρέχουν πάνω σε αυτόν, τα example-1.com έως και example-5.com. Κατά πως συνηθίζεται ο mail server για κάθε ένα από αυτά ονομάζεται mail.example-1.com, mail.example-2.com κ.ο.κ. Και οι πέντε mail server έχουν την ίδια ακριβώς IP address, την 10.2.3.4.
Όταν κάποιος θέλει να στείλει ένα email στον user@example2.com συμβουλεύεται το DNS για τα MX RR. Τα MX RR είναι η απάντηση στην ερώτηση “ποιος ξέρει να παραδώσει την αλληλογραφία προς χρήστες στο example2.com;”. Στο παράδειγμα η απάντηση είναι ο mail.example2.com. Στη συνέχεια συμβουλεύεται το DNS για τα A RR. Τα A RR είναι η απάντηση στην ερώτηση “ποια είναι η διεύθυνση του mail.example2.com;”. Θα λάβει την απάντηση 10.2.3.4 και στη συνέχεια θα κάνει τα προβλεπόμενα από το πρωτόκολλο SMTP ώστε να συνδεθεί και να παραδώσει την αλληλογραφία. Σημειώστε πως και τα δύο ερωτήματα που έγιναν στο DNS είναι παραδείγματα forward lookup.
Όταν σε κάποιον server συνδέεται κάποιος ώστε να χρησιμοποιήσει μια υπηρεσία που προσφέρει, το μόνο που ξέρει ο server είναι η διεύθυνση που χρησιμοποιεί ο αιτών. Τον “παλιό καλό καιρό” που το spam δεν ήταν πρόβλημα, ένας mail server θα δεχόταν οποιδήποτε μήνυμα από οποιονδήποτε και θα έκανε ότι μπορούσε για να παραδοθεί στον προορισμό του. Επειδή οι καιροί έχουν αλλάξει κανείς δεν είναι τόσο ανεκτικός και αρκετοί mail servers στα πλαίσια πολιτικών που εφαρμόζουν θέλουν να γνωρίζουν το όνομα αυτού που συνδέεται πάνω τους. Για να το κάνουν αυτό ρωτούν για το PTR RR που σχετίζεται με την συνδεόμενη IP address. Εάν το reverse delegation δεν είναι ορισμένο σωστά ή εάν δεν συμφωνούν το A RR για το όνομα με το PTR RR που δίνει το DNS για τη διεύθυνση, τότε είναι πιθανό η επικοινωνία να μη γίνει αποδεκτή και το email να μην παραδοθεί.
Παρόλο που κανείς μπορεί να οδηγηθεί στο συμπέρασμα πως πρέπει να υπάρχει ένα PTR για κάθε όνομα που κάνει χρήση της 10.2.3.4, αυτό που είναι απαραίτητο είναι ένα από όλα (οποιοδήποτε) να συμφωνεί με το PTR RR. Το ενδεικνυόμενο στη συγκεκριμένη περίπτωση, για διαχειριστικούς λόγους επειδή έχουμε να κάνουμε με virtual domains, είναι το PTR να δείχνει στο “πραγματικό” όνομα του server, δηλαδή στο vps.example.com. Ή όπως πιο απλά το έθεσε ο Γιώργος Κεραμιδάς:
Γυρνώντας πίσω στην απάντηση που έδωσα στην πρώτη ερώτηση του Βαγγέλη:
@vtripolitakis Όχι. Καφρίλα είναι να κόβεις με βάση το HELO/EHLO
Δεν είναι πρόβλημα να μην αποδέχεται κανείς τη σύνδεση επειδή δεν υπάρχει PTR record. Πρόβλημα είναι η μη αποδοχή σύνδεσης για προβληματικό HELO. Και αυτό γιατί τα RFC 1123, 2821 και 5321 το απαγορεύουν. Το RFC5321 γράφει:
However, if the verification fails, the server MUST NOT refuse to accept a message on that basis. Information captured in the verification attempt is for logging and tracing purposes.
Αλλά για την ιστορία του SMTP-HELO θα ακολουθήσει επόμενο post.
