Latest posts.

Do you have a question for Mr. DNS?

If you have a question about DNS for Mr. DNS, he’d love to hear it. Drop him a line at mrdns@ask-mrdns.com.

Episode 32

In this episode, Matt and Cricket answer questions (some posed on Twitter – please welcome Mr. DNS to the 21st Century) from ErrataRob about Verisign’s DNS infrastructure, from devoted listener Yiorgos Adamopoulos on the value of DNS certifications, and from Frederic Cambus about zone file access programs.  And you’ll hear some of Matt’s and Cricket’s thoughts on espresso if you stay till the bitter (ha!) end.

Episode 31

In this, their inaugural episode for 2013, Cricket and Matt answer a question from the mysterious “Joe” (if that is his real name) about the differences between BIND’s stub zone and conditional forwarding features, prompting some reminiscing about the good old days of BIND 8.  This episode is the third in which we tackle questions from apparent long-time listener Yiorgos Adamopoulos, who wonders about the various features of dig and if Mr. DNS still writes code.

Episode 30

In this latest episode of our evidently-now-quarterly podcast, Matt and Cricket answer Donald Rudder’s question about how common the A6 record is and its effect on DNSSEC.  Then they discuss the upcoming change of d.root-servers.net’s IPv4 address and the implications of that change.  And despite having only one question to answer, they manage to take up the usual 30 minutes!

Episode 29

In this episode, Matt and Cricket finally throw in the towel and give up on promising podcasts on any regular schedule.  But they do manage to clear Mr. DNS’s mailbag, answering questions from Ismael Lezcano about the availability of good programming APIs for working with DNS and why BIND doesn’t have a good mechanism for creating and deleting zones dynamically; and from William Brown about how to induce major registrars to support DNSSEC.

Episode 28

In this (much delayed) episode, Matt and Cricket discuss the folly of trying to hew to a podcast-publishing schedule, and answer (or avoid) questions from Sevan Janiyan and Yiorgos Adamopoulos on what operating systems and software the root name servers run; from Kent Shuey on why a device that implements only part of the DNS specs seems to work okay on his network; and from Todd Larsen (apparently of Danish descent) on where he can go to meet like-minded souls discussing current issues with DNS and DNSSEC (God help him) and whether DANE’s TLSA record can coexist with a CNAME record.

Episode 27

In this episode, Matt and Cricket answer Alan Frabutt’s question about the existence of recursive name servers that don’t honor TTLs – the “yeti” of recursive name servers – and Joe Conlin’s question about the right way to deal with abuse of your name server, and try to assist Louis Sterchi in his quest to learn more about DNS, registries and registrars.  And this last leads them on a trip down the Internet’s memory lane, reminiscing about the old days of DNS, before registries and registrars, back when subdomains of com, net and org were free.

Episode 26

In this (recorded-just-before) Christmas episode, Matt and Cricket discuss the occupational hazards of church organists during the holidays, and then answer Ed Horley’s question about DNS64’s effect on DNSSEC, David Dunleap’s question about a special DNS setup that might be due to the use of load balancing, and Victor Tran’s question about whether he needs to sign all of his name server’s zones at once.  In the meantime, they reminisce over ancient and obscure methods of compressing and encoding files, and both react with dismay to the memory of driving in Cambridge, Massachusetts.

Episode 25

In this episode, Matt and Cricket attempt to answer all nine of Jorge Fábregas’s “couple of questions” in a lightning round.  Then they swap war stories about all the travel they’ve been doing and have yet to do (implicitly offering excuses for the long gap between episodes), and finally – and inevitably – discuss Neal Stephenson’s new book, REAMDE.

On allowing ICMP to authoritative name servers

After hearing our answer in Episode 24 to Jorge Fábregas’s question about whether to allow ICMP messages to authoritative name servers, David Dagon submitted this insightful response:

On episode 24 of your “The Ask Mr. DNS Podcast”, you answered a question by Jorge Fábregas about whether to allow ICMP messages to an authoritative server.

Your answer (to allow ICMP) noted the convenience of ICMP and its utility in diagnosing server errors.  I would like to offer another rationale for allowing ICMP messages destined for authority servers.

If an attacker is attempting to poison your zone in a third party’s recursive (e.g., by spoofing your source address in answer to an induced glue request), your authority will see ICMP blowback from the victim recursive for incorrect QID and/or SPORT guesses.  I.e., forged packets destined for closed UDP ports will result in ICMP(3,3) message from the victim recursive.

Informally, the authority hears distant echoes of any brute force attack on a recursive.  Since ICMP messages typically contain the IP header and first 8 bytes of the offending UDP datagram, this is just enough payload to include the QID.  (Some OSes even include more octets of the blocked datagram, permitting inspection of the QNAME).

Thus, one can monitor an authority for high volumes of ICMP messages, and infer the possible poisoning attempt on a 3d party recursive. Confirmation of the nature of the attack comes from the QID diversity (which may suggest a poisoning attack).  Of course, there still exists the possibility that even the ICMP messages were spoofed.  But if the 3d party victim is open recursive, one could even inspect the victim’s cache, iteratively asking for records in your zone, to confirm the success of the attack.

While brute-force DNS poisoning is (thankfully) rare in the post-Kaminsky world, and of concern only for high-value sites, there are still some episodes of cache poisoning.  This is yet another reason to allow ICMP traffic to authority servers.

Sadly, we didn’t think of this, but it’s an excellent reason to allow ICMP to your authoritative name servers.  And once again, we’re gratified and humbled to have such incisive listeners.

If you’re interested in reading more from David, we highly recommend a paper he coauthored, Corrupted Resolution Paths: The Rise of a Malicious Resolution Authority, about open recursive name servers that return deliberately incorrect answers.  Very scary.
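The monitoring David describes can be sketched in code. The Python below is an added example written for this page; it is not code from David, from the paper, or from the podcast. It parses raw IPv4/ICMP packets as a listener on an authoritative server would see them, keeps only Destination Unreachable / Port Unreachable (type 3, code 3) messages whose quoted datagram claims to have come from the authority’s port 53, recovers the guessed destination port and, when the quote is long enough, the DNS ID, and then scores each sending recursive by volume and by how diverse the quoted ports and IDs are. One caveat it handles: the RFC 792 minimum quote is the IP header plus eight bytes of the datagram, which for UDP is exactly the UDP header, so the ID is only recoverable from hosts that quote more (RFC 1812 allows up to 576 bytes and Linux does so); for the short-quote case the example falls back to port diversity. The addresses (RFC 5737 ranges), thresholds and sample packets are all constructed.

```python
import socket
import struct
from collections import defaultdict

# Constructed example values (RFC 5737 documentation addresses); not from the page.
AUTHORITY_IP = "203.0.113.53"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over data whose checksum is already filled in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_port_unreachable(victim, authority, guessed_port, qid, quoted_udp_bytes=16):
    """Constructed sample: the ICMP(3,3) a recursive returns when a forged 'answer' from
    authority:53 lands on a closed UDP port. The quote is the inner IP header plus the
    first quoted_udp_bytes of the UDP datagram (8 = UDP header only, no DNS ID)."""
    dns = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)      # DNS header; ID comes first
    udp = struct.pack("!HHHH", 53, guessed_port, 8 + len(dns), 0) + dns
    quoted = ipv4_header(authority, victim, 17, len(udp)) + udp[:quoted_udp_bytes]
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(victim, authority, 1, len(icmp)) + icmp


def extract_blowback(packet: bytes, authority: str):
    """Return {"victim", "port", "qid"} for an ICMP port-unreachable whose quoted datagram
    claims to be from authority:53; qid is None when the quote stops at the UDP header."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:   # IPv4 carrying ICMP
        return None
    victim = socket.inet_ntoa(packet[12:16])                          # outer source = sender
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 8 or icmp[0] != 3 or icmp[1] != 3:                # type 3, code 3 only
        return None
    if inet_checksum(icmp) != 0:                                      # damaged: ignore
        return None
    quoted = icmp[8:]
    if len(quoted) < 20 or quoted[9] != 17:                           # quoted datagram must be UDP
        return None
    if socket.inet_ntoa(quoted[12:16]) != authority:                  # quoted src must be us
        return None
    udp = quoted[(quoted[0] & 0x0F) * 4:]
    if len(udp) < 8:
        return None
    src_port, dst_port = struct.unpack("!HH", udp[:4])
    if src_port != 53:                                                # forged as our DNS answer
        return None
    qid = struct.unpack("!H", udp[8:10])[0] if len(udp) >= 10 else None
    return {"victim": victim, "port": dst_port, "qid": qid}


def summarize(packets, authority, min_msgs=20, min_diversity=0.5):
    """Per sending recursive: message count, distinct guessed ports and IDs, and a
    'suspect' flag when volume is high and the guesses look like a brute-force sweep."""
    seen = defaultdict(lambda: {"msgs": 0, "ports": set(), "qids": set()})
    for pkt in packets:
        rec = extract_blowback(pkt, authority)
        if rec is None:
            continue
        v = seen[rec["victim"]]
        v["msgs"] += 1
        v["ports"].add(rec["port"])
        if rec["qid"] is not None:
            v["qids"].add(rec["qid"])
    report = {}
    for victim, v in seen.items():
        # Port diversity is the fallback when senders quote only the UDP header.
        diversity = max(len(v["qids"]), len(v["ports"])) / v["msgs"]
        report[victim] = {"msgs": v["msgs"], "distinct_ports": len(v["ports"]),
                          "distinct_qids": len(v["qids"]),
                          "suspect": v["msgs"] >= min_msgs and diversity >= min_diversity}
    return report


def constructed_samples():
    """Constructed traffic: one recursive echoing 40 different port/ID guesses, one
    returning the same stray answer three times, one short-quote echo, one not ours."""
    pkts = [build_port_unreachable("192.0.2.10", AUTHORITY_IP, 1024 + i * 131, (i * 7919) % 65536)
            for i in range(40)]
    pkts += [build_port_unreachable("198.51.100.7", AUTHORITY_IP, 40000, 0x1234) for _ in range(3)]
    pkts.append(build_port_unreachable("192.0.2.10", AUTHORITY_IP, 6100, 0x4242, quoted_udp_bytes=8))
    pkts.append(build_port_unreachable("192.0.2.10", "203.0.113.99", 5000, 1))
    return pkts


if __name__ == "__main__":
    for victim, row in summarize(constructed_samples(), AUTHORITY_IP).items():
        print(victim, row)
```

On a real server the packets would come from a raw socket or a pcap filtered to ICMP, and the thresholds would be tuned against the normal trickle of port-unreachables that any busy authority receives. As the letter points out, the ICMP messages themselves can be spoofed, so a high score is a prompt to look further (for example by checking what the suspect recursive now returns for your own records), not proof of a successful poisoning.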

Episode 24

In this episode, Matt (having dodged Hurricane Irene) and Cricket (having recently returned from South America) grovel and scrape after a nearly-three-month hiatus, then answer questions from Jorge Fábregas about whether to allow ICMP to authoritative name servers; from Donnie Carvajal about how to resolve a private, internal domain name; and from Leo Vandewoestijne about mismatched NS RRsets.  Along the way, they learn a nice trick from Leo about how to convey proper pronunciation to fellow Mac owners, lament their inability to pronounce their own surnames correctly, and probably cause Olafur Gudmundsson to spit coffee all over his laptop.
