Posts by admin.

Episode 26

In this (recorded-just-before-)Christmas episode, Matt and Cricket discuss the occupational hazards of church organists during the holidays, and then answer Ed Horley’s question about DNS64’s effect on DNSSEC, David Dunleap’s question about a special DNS setup that might be due to the use of load balancing, and Victor Tran’s question about whether he needs to sign all of his name server’s zones at once.  In the meantime, they reminisce over ancient and obscure methods of compressing and encoding files, and both react with dismay to the memory of driving in Cambridge, Massachusetts.

Download MP3 of this episode

Episode 25

In this episode, Matt and Cricket attempt to answer all nine of Jorge Fábregas’s “couple of questions” in a lightning round.  Then they swap war stories about all the travel they’ve been doing and have yet to do (implicitly offering excuses for the long gap between episodes), and finally – and inevitably – discuss Neal Stephenson’s new book, REAMDE.

Download MP3 of this episode

On allowing ICMP to authoritative name servers

After hearing our answer in Episode 24 to Jorge Fábregas’s question about whether to allow ICMP messages to authoritative name servers, David Dagon submitted this insightful response:

On episode 24 of your “The Ask Mr. DNS Podcast”, you answered a question by Jorge Fábregas about whether to allow ICMP messages to an authoritative server.

Your answer (to allow ICMP) noted the convenience of ICMP and its utility in diagnosing server errors.  I would like to offer another rationale for allowing ICMP messages destined for authority servers.

If an attacker is attempting to poison your zone in a third party’s recursive (e.g., by spoofing your source address in answer to an induced glue request), your authority will see ICMP blowback from the victim recursive for incorrect QID and/or SPORT guesses.  I.e., forged packets destined for closed UDP ports will result in an ICMP(3,3) message from the victim recursive.

Informally, the authority hears distant echoes of any brute-force attack on a recursive.  Since ICMP messages typically contain the IP header and first 8 bytes of the offending UDP datagram, this is just enough payload to include the QID.  (Some OSes even include more octets of the blocked datagram, permitting inspection of the QNAME.)

Thus, one can monitor an authority for high volumes of ICMP messages, and infer the possible poisoning attempt on a third-party recursive.  Confirmation of the nature of the attack comes from the QID diversity (which may suggest a poisoning attack).  Of course, there still exists the possibility that even the ICMP messages were spoofed.  But if the third-party victim is an open recursive, one could even inspect the victim’s cache, iteratively asking for records in your zone, to confirm the success of the attack.

While brute-force DNS poisoning is (thankfully) rare in the post-Kaminsky world, and of concern only for high-value sites, there are still some episodes of cache poisoning.  This is yet another reason to allow ICMP traffic to authority servers.

Sadly, we didn’t think of this, but it’s an excellent reason to allow ICMP to your authoritative name servers.  And once again, we’re gratified and humbled to have such incisive listeners.

If you’re interested in reading more from David, we highly recommend a paper he coauthored, Corrupted Resolution Paths: The Rise of a Malicious Resolution Authority, about open recursive name servers that return deliberately incorrect answers.  Very scary.
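As an added example (not from the podcast and not David’s code), here is a small detector in Python for the blowback he describes.  It parses ICMP type 3, code 3 (port unreachable) packets that arrive at the authority, keeps only those whose quoted datagram claims to be a reply from our port 53 and whose sender is the host that datagram was addressed to, and then counts ICMPs and distinct QIDs per victim.  The authority address 203.0.113.1, the victim addresses, the thresholds and every sample packet are constructed for the example.  One caveat the code handles explicitly: RFC 792 only requires an ICMP error to quote the original IP header plus 64 bits of its data, which for UDP is exactly the 8-byte UDP header, so the QID (the first two bytes of the DNS message) is only recoverable when the sending system quotes more than that minimum, as many current systems do.

```python
import struct
from collections import defaultdict

OUR_IP = "203.0.113.1"          # assumed address of the authoritative server (TEST-NET-3)
DNS_PORT = 53
ICMP_PROTO, UDP_PROTO = 1, 17
ICMP_DEST_UNREACH, ICMP_PORT_UNREACH = 3, 3


def _aton(ip):
    return bytes(int(x) for x in ip.split("."))


def _ntoa(b):
    return ".".join(str(x) for x in b)


def _ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left 0 (this example never verifies it).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, _aton(src), _aton(dst))


def build_port_unreachable(victim_ip, victim_port, qid, quoted_len=None):
    """Constructed sample: the ICMP(3,3) a victim resolver emits when a forged
    answer "from" OUR_IP:53 lands on a closed UDP port.  quoted_len limits how
    much of the original UDP datagram is echoed (8 = the RFC 792 minimum)."""
    dns = struct.pack("!HH", qid, 0x8180)            # QID + flags of a fake answer
    udp = struct.pack("!HHHH", DNS_PORT, victim_port, 8 + len(dns), 0) + dns
    original = _ipv4_header(OUR_IP, victim_ip, UDP_PROTO, len(udp)) + udp
    quoted = original if quoted_len is None else original[:20 + quoted_len]
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0) + quoted
    return _ipv4_header(victim_ip, OUR_IP, ICMP_PROTO, len(icmp)) + icmp


def parse_port_unreachable(packet, our_ip=OUR_IP):
    """Return (victim_ip, victim_port, qid_or_None) if packet is an ICMP port
    unreachable whose embedded datagram claims to be from our_ip:53; else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != ICMP_PROTO:
        return None
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 8 or icmp[0] != ICMP_DEST_UNREACH or icmp[1] != ICMP_PORT_UNREACH:
        return None
    inner = icmp[8:]                                  # original IP header + data
    if len(inner) < 20 or inner[9] != UDP_PROTO:
        return None
    udp = inner[(inner[0] & 0x0F) * 4:]
    if len(udp) < 8:                                  # not even a full UDP header
        return None
    sport, dport = struct.unpack("!HH", udp[:4])
    inner_src, inner_dst = _ntoa(inner[12:16]), _ntoa(inner[16:20])
    # Only blowback from forged answers is interesting: the datagram must claim
    # to come from our port 53, and the ICMP must come from the host it targeted.
    if inner_src != our_ip or sport != DNS_PORT or _ntoa(packet[12:16]) != inner_dst:
        return None
    # RFC 792 guarantees only 8 bytes of the original datagram, i.e. the UDP
    # header.  The QID is the next two bytes, present only if the sender quoted more.
    qid = struct.unpack("!H", udp[8:10])[0] if len(udp) >= 10 else None
    return inner_dst, dport, qid


def summarize_blowback(packets, our_ip=OUR_IP, min_icmp=100, min_qids=50):
    """Per victim: ICMP count, distinct QIDs, distinct guessed ports, and a
    verdict.  Many ICMPs with high QID diversity is the signature David describes."""
    stats = defaultdict(lambda: {"icmp": 0, "qids": set(), "ports": set(), "no_qid": 0})
    for pkt in packets:
        hit = parse_port_unreachable(pkt, our_ip)
        if hit is None:
            continue
        victim, port, qid = hit
        s = stats[victim]
        s["icmp"] += 1
        s["ports"].add(port)
        if qid is None:
            s["no_qid"] += 1
        else:
            s["qids"].add(qid)
    return {v: {"icmp": s["icmp"], "distinct_qids": len(s["qids"]),
                "distinct_ports": len(s["ports"]), "no_qid": s["no_qid"],
                "suspect": s["icmp"] >= min_icmp and len(s["qids"]) >= min_qids}
            for v, s in stats.items()}


def sample_packets():
    """Constructed traffic: a brute-force run against 192.0.2.53 (200 forged
    answers, all different QIDs, a few guessed ports), three stray late answers
    to 198.51.100.7, and one RFC 792-minimum ICMP that omits the QID."""
    pkts = [build_port_unreachable("192.0.2.53", 1024 + i % 4, (i * 40503) & 0xFFFF)
            for i in range(200)]
    pkts += [build_port_unreachable("198.51.100.7", 53211, 0x1234)] * 3
    pkts.append(build_port_unreachable("192.0.2.53", 1024, 0x4242, quoted_len=8))
    return pkts


if __name__ == "__main__":
    for victim, s in summarize_blowback(sample_packets()).items():
        print(victim, s)
```

The parser works on raw IPv4 bytes, so in practice you would feed it frames from a packet capture on the authority (after allowing ICMP through, which is the whole point).  It does not verify IP or ICMP checksums, and as David notes the ICMPs themselves could be spoofed, so a verdict here is a reason to look at the victim, not proof of poisoning.  A handful of unreachables with one QID (a genuine late answer to a resolver that already gave up) is normal and is deliberately left below the thresholds.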

Episode 24

In this episode, Matt (having dodged Hurricane Irene) and Cricket (having recently returned from South America) grovel and scrape after a nearly-three-month hiatus, then answer questions from Jorge Fábregas about whether to allow ICMP to authoritative name servers; from Donnie Carvajal about how to resolve a private, internal domain name; and from Leo Vandewoestijne about mismatched NS RRsets.  Along the way, they learn a nice trick from Leo about how to convey proper pronunciation to fellow Mac owners, lament their inability to pronounce their own surnames correctly, and probably cause Olafur Gudmundsson to spit coffee all over his laptop.

Download MP3 of this episode

Meet Matt and Me Live at FOSE 2011

If you’ve ever wanted to meet the men behind the mics, Matt and I will be speaking on a panel on DNSSEC at this year’s FOSE conference in Washington, D.C., from July 19th to 21st.  (We’re not speaking for three days, but the show runs that long.  We’re only speaking on Tuesday at 3:15.)

The other guys on the panel are no slouches, either:  Nate Meyer from F5 and Alan Clegg from ISC.

The folks who run FOSE have graciously offered to extend a 20% discount to our listeners, too.  For details, click here.

Episode 23

In this star-studded episode, taped at Dyn Inc.’s second annual “Inside Baseball” event, Matt and Cricket are joined by a “who’s who” of DNS luminaries.  They answer questions from Bob Harold (who previously received a T-shirt and does not want another) about whether CNAME records terminate a subtree of the namespace, from Warren Kumari about why a domain name that owns a CNAME record can’t own any other record types, from Wayne Ketterer about how to set up DNS so that a given domain name maps to one address internally and another externally, and from Canadian Todd about whether adding glue AAAA records is a good idea.  Then the collected luminaries throw a few “stump the chump”-style questions at Matt and Cricket – a little like shooting fish in a barrel.  Tune in to see how well they fare.

Note that the audio isn’t quite up to even our low standards, despite the best efforts of Matt and Tom Daly of Dyn to smuggle decent recording equipment across state lines, but it’s certainly listenable.

Download MP3 of this episode

Episode 22

After a respite carefully timed to avoid the Ides of March, Matt and Cricket answer Brian Mazzocco’s question about the meaning of strange, possibly European symbols in zone data files; address John Shin’s question about how validating, recursive name servers handle aliases from signed zones to unsigned zones; and assess Gavin Brown’s suggestion for automatically bootstrapping DS records from a signed child zone into its parent.

Download MP3 of this episode

Episode 13

For the first time ever, Matt and Cricket have a guest host, Duane Wessels, recently of DNS-OARC and now at VeriSign.  Matt, Duane and Cricket answer Christoph Kluenter’s question about IPv6-only name servers, Rick Andrews’s question about how software distinguishes IP addresses from domain names, and Rainer Duffner’s question about whether Google is omniscient or just sneaky.  In addition, Matt demonstrates his formidable command of Stanley Kubrick’s “2001: A Space Odyssey,” and both Matt and Cricket gush about author Neal Stephenson and his latest novel, “Anathem.”

Download MP3 of this episode