  baineschile
join:2008-05-10 Sterling Heights, MI | OpenDNS The only way to go. | |
|
 |  |  rob27 Premium join:2008-07-16 Mary Esther, FL | Re: OpenDNS There's also 4.2.2.2 and 4.2.2.3, which are Level 3 hosted DNS sites. | |
|
 |  |  |  jester121
join:2003-08-09 Lake Zurich, IL
·ViaTalk
| Re: OpenDNS Level 3 mentioned in passing (about the time the details on the cache poisoning proof of concept came out) that they would eventually be shutting off public access to their beloved and ubiquitous 4.2.2.x DNS servers.
That will be a very interesting day in the IT field, when we learn who's sloppy and who's not. | |
|
 |  |  |  |  |  jester121
join:2003-08-09 Lake Zurich, IL
·ViaTalk
| Re: OpenDNS No clue about that, we run our own internal DNS. The thing is that Level 3's 4.2.2.x servers aren't "officially" open to the public like the OpenDNS ones are; they've just been around forever and are easy to remember. I use them occasionally for troubleshooting or if I need to go to an ISP website to fix someone's computer... | |
|
 |  |  |  |  |  |  |  |  kontos xyzzy
join:2001-10-04 West Henrietta, NY
| said by kieranmullen : I suspect that that is a result of sloppy reverse DNS management on Level3's part. Verizon (gtei.net) doesn't seem to agree that those hostnames are theirs:
and the servers appear to indicate that they are managed by Level3:
| |
|
 |  |  |  |  |  |  |  |  Raphion
join:2000-10-14 Samsara
| I have 4.2.2.4-5 as my DNS, but when I go to entropy.dns-oarc.net/test/ it tells me my server names are:
1. 209.244.5.159 (ics2.Atlanta1.Level3.net)
2. 209.244.7.132 (unknown.Level3.net)
No gtei there. As I understand it, those 4.2.2.x addresses aren't actually server addresses, but rather, requests to those addresses are routed to the nearest available Level3.net DNS servers. | |
|
 |  |  |  |   NetAdmin
join:2008-05-22
| said by jester121: That will be a very interesting day in the IT field, when we learn who's sloppy and who's not.
Or who can remember their ISP's DNS servers. 4.2.2.2 was such a great server because it was so easy to use during an initial setup when you didn't have easy access to your ISP's DNS addresses or just plain forgot the DNS server address.
-- Drilling for more oil is akin to giving a methhead the keys to the meth lab. | |
|
 |  |   jlivingood Premium,VIP join:2007-10-28 Philadelphia, PA
| said by NetFixer: said by baineschile: The only way to go.
OpenDNS is certainly ONE solution, but it is definitely NOT the ONLY solution. In fact, the DNS servers used by your ISP (Comcast) are also immune to the Kaminsky DNS vulnerability referred to in the article.
That is correct.
Jason -- JL Comcast | |
|
 |  |   baineschile
join:2008-05-10 Sterling Heights, MI | Obviously there are plenty of alternatives, most of which are safe. I just saw such an increase in page loading and Java when I switched to OpenDNS. | |
|
  AnonNane
@trit.net | 1 In 10 DNS Servers Vulnerable... I wonder if 1 in 10 Internet users know what this means?  | |
|
  DOStradamus MVM join:2003-11-04 Santa Rosa, CA
| Drinking Milk Leads to Heroin Addiction, Too! I strongly suspect that the over-simplified definition of "vulnerable" is leading to inflated figures to one degree or another.
I run my own DNS, AUTH for the handful of names I own, and purposely run it open/recursive. Why? I often need DNS access for troubleshooting purposes, for situations where the DNS servers a client is supposed to use can't be found or determined, and a couple others.
My DNS isn't vulnerable, however. Why? Along with DNS, I also run email, FTP, SSH, HTTP, and a few other services. I monitor them all for single-digit thresholds of failed logins, "404"s, and a dozen or so DNS lookups, that originate from the same /24 network. When "hit", a text message is sent to my cellphone alerting me about the door that's about to be slammed shut.
I'd love to see someone grab the Tarpit code from Iptables, and package it into a command where I can send an abusive connection to "Pico and Sepulveda"...
-NK | |
|
 |  kontos xyzzy
join:2001-10-04 West Henrietta, NY
edit: November 11th, @11:05AM
| Re: Drinking Milk Leads to Heroin Addiction, Too! said by DOStradamus: My DNS isn't vulnerable, however. Why? Along with DNS, I also run email, FTP, SSH, HTTP, and a few other services. I monitor them all for single-digit thresholds of failed logins, "404"s, and a dozen or so DNS lookups, that originate from the same /24 network. When "hit", a text message is sent to my cellphone alerting me about the door that's about to be slammed shut.
It is not the queries that will poison your cache, it's the answers. A well-designed attack will get a trusted user to generate the initial queries (maybe via a webpage with a bunch of IMG SRC="" tags). | |
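
Added example, not written by any poster in this thread: a resolver-side check that counts answers rather than queries, which is the distinction drawn in the reply above. The record format, the documentation-range addresses and the threshold of 3 are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sensor records (hypothetical format, documentation-range IPs):
#   ("Q", time, server_ip, qname, txid, src_port)       query the resolver sent out
#   ("R", time, claimed_src_ip, qname, txid, dst_port)  answer that arrived
EVENTS = [
    ("Q", 0.000, "192.0.2.53", "www.example.com", 0x1A2B, 40001),
    ("R", 0.021, "192.0.2.53", "www.example.com", 0x1A2B, 40001),
    ("Q", 1.000, "192.0.2.53", "img1.example.net", 0x77C1, 40002),
    ("R", 1.001, "192.0.2.53", "img1.example.net", 0x0001, 40002),
    ("R", 1.002, "192.0.2.53", "img1.example.net", 0x0002, 40002),
    ("R", 1.003, "192.0.2.53", "img1.example.net", 0x0003, 40002),
    ("R", 1.004, "192.0.2.53", "img1.example.net", 0x0004, 40002),
    ("R", 1.030, "192.0.2.53", "img1.example.net", 0x77C1, 40002),
]


def find_poisoning_attempts(events, threshold=3):
    """Return {qname: n} for names that drew >= threshold unmatched answers.

    An answer is matched only if server IP, name, transaction ID and port all
    agree with a query the resolver still has outstanding.
    """
    outstanding = set()
    unmatched = defaultdict(int)
    for kind, _time, ip, qname, txid, port in events:
        key = (ip, qname.lower(), txid, port)
        if kind == "Q":
            outstanding.add(key)
        elif key in outstanding:
            outstanding.discard(key)  # genuine answer consumes the query
        else:
            unmatched[qname.lower()] += 1  # forged, stale or duplicate answer
    return {name: n for name, n in unmatched.items() if n >= threshold}


if __name__ == "__main__":
    for name, n in find_poisoning_attempts(EVENTS).items():
        print(f"ALERT: {n} unmatched answers for {name}")
```

The single query for img1.example.net looks ordinary to a per-/24 query counter; only the burst of answers with non-matching transaction IDs stands out.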