High Severity BIND Vulnerability Advisory Issued

CmdrTaco posted more than 3 years ago | from the put-on-your-hard-hat dept.

Security 144

wiredmikey writes "The Internet Systems Consortium (ISC) and US-CERT have issued a high severity vulnerability warning, discovered by Neustar, which affects BIND, the most widely used DNS software on the Internet. Successful exploitation could enable an attacker to cause BIND servers to stop processing all requests. According to the disclosure, 'When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur. This deadlock will cause the server to stop processing all requests. A high query rate and/or a high update rate will increase the probability of this condition.'"

144 comments

latest BIND not affected (5, Informative)

doperative (1958782) | more than 3 years ago | (#35290324)

"There have been no active exploits known, and versions 9.7.1-9.7.2-P3 of BIND are affected. US-CERT encourages users and administrators using the affected versions of BIND to upgrade to BIND 9.7.3."
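A quick way to triage an inventory of name servers against the range quoted in the US-CERT text above, as an added example (not ISC's or US-CERT's tooling). It assumes the usual BIND version scheme of major.minor.patch with an optional pre-release suffix such as b1 or rc1 and an optional -P patch level; the host names in the test are constructed.

```python
import re

# Affected range quoted in the US-CERT text above: BIND 9.7.1 through 9.7.2-P3,
# fixed in 9.7.3. These two strings are the only page-specific values used.
AFFECTED_FIRST = "9.7.1"
AFFECTED_LAST = "9.7.2-P3"

# BIND version strings look like 9.7.2, 9.7.2-P3 (security patch level) or
# 9.7.3b1 / 9.8.0rc1 (pre-release). This regex is the example's own reading
# of that scheme, not something taken from ISC's tooling.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)"   # major.minor.patch
    r"(?:(a|b|rc)(\d+))?"     # optional pre-release stage and number
    r"(?:-P(\d+))?$"          # optional -P<n> patch level
)
_STAGE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3  # a final release sorts after every pre-release of itself


def version_key(version):
    """Turn a BIND version string into a tuple that sorts in release order:
    9.7.2 < 9.7.2-P1 < 9.7.2-P3 < 9.7.3b1 < 9.7.3rc1 < 9.7.3 < 9.7.3-P1."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError("unrecognised BIND version string: %r" % version)
    major, minor, patch, stage, stage_num, plevel = m.groups()
    stage_rank = _STAGE_RANK[stage] if stage else _FINAL_RANK
    return (
        int(major), int(minor), int(patch),
        stage_rank, int(stage_num or 0),
        int(plevel or 0),
    )


def is_affected(version, first=AFFECTED_FIRST, last=AFFECTED_LAST):
    """True if `version` lies inside the advisory's affected range (inclusive).
    Pre-releases of the first affected version sort below the range and are
    reported as not affected; the advisory does not say anything about them."""
    return version_key(first) <= version_key(version) <= version_key(last)


def audit(inventory):
    """inventory: {host: version string}. Returns (hosts needing the upgrade,
    hosts whose version could not be parsed, e.g. operators that hide
    version.bind). Unparseable entries are reported rather than assumed safe."""
    needs_upgrade, unknown = [], []
    for host, version in sorted(inventory.items()):
        try:
            if is_affected(version):
                needs_upgrade.append(host)
        except ValueError:
            unknown.append(host)
    return needs_upgrade, unknown


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {"ns1": "9.7.2-P2", "ns2": "9.7.3", "ns3": "hidden", "ns4": "9.7.3b1"}
    print(audit(sample))
```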

Re:latest BIND not affected (0)

Anonymous Coward | more than 3 years ago | (#35290628)

Just upgrade to tinydns/dnscache and forget about security bugs...

Re:latest BIND not affected (1)

causality (777677) | more than 3 years ago | (#35291888)

Just upgrade to tinydns/dnscache and forget about security bugs...

Yeah, this surprised me just about as much as an exploit for Sendmail.

In other unrelated news, users of Windows, IIS, and IE have more malware problems than users of OpenBSD.

Re:latest BIND not affected (1)

perbert (241785) | more than 3 years ago | (#35293042)

Just upgrade to tinydns/dnscache and forget about security bugs...

Or to MaraDNS or powerDNS, with the same result, but no legacy DJB BS...

Re:latest BIND not affected (3, Informative)

Bacon Bits (926911) | more than 3 years ago | (#35290992)

That's because the latest BIND was released specifically to patch this vulnerability. They just didn't really tell anybody about the vulnerability until after 9.7.3 was released. Don't believe me?

CERT was notified at the end of January.
"Date Notified: 2011-01-24" [ http://www.kb.cert.org/vuls/id/559980 [cert.org] ]

The CVE was reserved in the middle of January.
"Assigned (20110111)" [ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0414 [mitre.org] ]

Yet the release notes for 9.7.3 don't mention any fixes which would coincide with this vulnerability:
http://ftp.isc.org/isc/bind9/9.7.3/RELEASE-NOTES-BIND-9.7.3.html [isc.org]

Thanks, ISC, for patching a vulnerability a month after you found out about it and then telling us two weeks later that you did that. That's awesome security procedure there.

Re:latest BIND not affected (4, Informative)

Ethanol (176321) | more than 3 years ago | (#35291416)

That's because the latest BIND was released specifically to patch this vulnerability. They just didn't really tell anybody about the vulnerability until after 9.7.3 was released.

That's not correct. The locking bug had already been fixed in 9.7.3b1, a month before it was found to be exploitable as a DoS. When we did find that out, we consulted with vendors and decided to continue with the releases in progress.

Re:latest BIND not affected (0)

Bacon Bits (926911) | more than 3 years ago | (#35291632)

I see, it was originally just a locking bug. That makes it easier to find a likely candidate in the Release Notes:
"Corrected a defect where a combination of dynamic updates and zone transfers incorrectly locked the in-memory zone database, causing named to freeze. [RT #22614]"

Even if I do believe you, why did you wait so long to notify the community of the DoS vulnerability?

Re:latest BIND not affected (3, Informative)

Anonymous Coward | more than 3 years ago | (#35291946)

We notified our forum members as soon as we understood the full scope of the issue, key operators/vendors the next day, and the general community one week later, as per our Security Disclosure Policy: http://www.isc.org/security-vulnerability-disclosure-policy.

Re:latest BIND not affected (1)

lshapiro (2002372) | more than 3 years ago | (#35292030)

Sorry, that was me, Larissa Shapiro, ISC product manager.

Re:latest BIND not affected (2, Insightful)

Anonymous Coward | more than 3 years ago | (#35292200)

So, BaconBits - are you going to publicly retract your statements impugning BIND's process?

You made some very harsh judgements, evidently without any research to back up said accusations - IMO, you owe an apology. [I'm posting AC since I don't want to be attacked publicly either, but I have NO association with BIND or any Linux development at all. I'm simply one who uses BIND and Linux servers. Really, I'm just a sysadmin.]

Re:latest BIND not affected (5, Insightful)

pclminion (145572) | more than 3 years ago | (#35292278)

Thanks, ISC, for patching a vulnerability a month after you found out about it and then telling us two weeks later that you did that

You know, I'm really tired of people who obviously don't write code saying crap like this. Fixing a subtle deadlock could quite realistically take a month. First, you need to figure out really why it happens. Then you need to figure out the CORRECT way to fix it, then you need to implement the fix, then you need to TEST the thing to make sure you didn't introduce anything ELSE that could cause a problem. If the bug was in an easy area of code, chances are it would have been found and fixed a long time ago. BIND has been around a long, long time. Anything left in there now is, by definition, hard to find and hard to fix.

Look folks, security bugs happen BECAUSE people whip out code without thinking and without testing. Now you ask for them to do exactly that? You need to get a grip on reality.

Re:latest BIND not affected (0)

afabbro (33948) | more than 3 years ago | (#35292418)

You know, I'm really tired of people who obviously don't write code saying crap like this. Fixing a subtle deadlock could quite realistically take a month. First, you need to figure out really why it happens. Then you need to figure out the CORRECT way to fix it, then you need to implement the fix, then you need to TEST the thing to make sure you didn't introduce anything ELSE that could cause a problem. If the bug was in an easy area of code, chances are it would have been found and fixed a long time ago. BIND has been around a long, long time. Anything left in there now is, by definition, hard to find and hard to fix. Look folks, security bugs happen BECAUSE people whip out code without thinking and without testing. Now you ask for them to do exactly that? You need to get a grip on reality.

Just as you need to get a grip on your CAPS LOCK key.

Is there any distro that has this vulnerability? (0)

jbrax (315669) | more than 3 years ago | (#35291100)

According to RHEL CVE database [redhat.com] RH distros are not vulnerable. "This issue did not affect the versions of bind as shipped with Red Hat Enterprise Linux 4, 5, or 6."

highest infant FATALITY vulnerability alert issued (0)

Anonymous Coward | more than 3 years ago | (#35290400)

never a better time to get connected? see you there?

Many companies avoid using networked nameservers. (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#35290502)

This is not well known, but every computer connected to the Internet is capable of being its own nameserver.

Through an obscure file called hosts.txt, it is possible to store a list of domain names. Next to these names, the IP (Internet Protocol) address of the computers they represent can be added. In this fashion, all network name lookups can be self contained, or performed from the computer itself.

Professional consultants understand that an alternative to nameservers is thus possible by creating a list of machines a company may reach, then circulating that list to the company computers using P2P (peer-to-peer) filesharing. Not only does this avoid the vulnerability present in relying on yet another redundant server for basic network operations, but it also permits the company to de facto limit the webservers that employees may visit.

Re:Many companies avoid using networked nameserver (1)

gpuk (712102) | more than 3 years ago | (#35290622)

I'd hardly call hosts files obscure...

Also, restricting name resolution to the hosts file only does not "de facto limit the webservers that employees may visit", as this file is never consulted if the user decides to access a webserver via its IP address.

Re:Many companies avoid using networked nameserver (2)

mcneely.mike (927221) | more than 3 years ago | (#35292562)

I'd hardly call hosts files obscure...

Tell that to my wife (and the billions of Windows users who start to shake and cough just like the old man in that book by Nabokov) every time I say "Why don't you just open another tab instead of going back and forth between web pages?"
Her response is, "I don't know what you mean!"

Re:Many companies avoid using networked nameserver (1)

pipatron (966506) | more than 3 years ago | (#35290676)

No, entries in the hosts file don't make your computer into a nameserver. They do however override the system lookup so that you don't have to use a name server for this.

HOSTS files & /.? LOL, trust me: It's WELL kno (-1)

Anonymous Coward | more than 3 years ago | (#35290716)

"This is not well known, but every computer connected to the Internet is capable of being its own nameserver. Through an obscure file called hosts.txt, it is possible to store a list of domain names. Next to these names, the IP (Internet Protocol) address of the computers they represent can be added. In this fashion, all network name lookups can be self contained, or performed from the computer itself. Professional consultants understand that an alternative to nameservers is thus possible by creating a list of machines a company may reach, then circulating that list to the company computers using P2P (peer-to-peer) filesharing. Not only does this avoid the vulnerability present in relying on yet another redundant server for basic network operations, but it also permits the company to defacto limit the webservers that employees may visit." - by Anonymous Coward on Wednesday February 23, @10:38AM (#35290502)

See these here:

---

http://mobile.slashdot.org/comments.pl?sid=1930156&cid=34713952 [slashdot.org]

http://yro.slashdot.org/comments.pl?sid=1907266&cid=34529608 [slashdot.org]

http://news.slashdot.org/comments.pl?sid=1913212&cid=34576182 [slashdot.org]

http://tech.slashdot.org/comments.pl?sid=1891254&cid=34403798 [slashdot.org]

http://tech.slashdot.org/comments.pl?sid=1905218&cid=34514626 [slashdot.org]

http://tech.slashdot.org/comments.pl?sid=1907528&cid=34535412 [slashdot.org]

http://it.slashdot.org/comments.pl?sid=1916240&cid=34612834 [slashdot.org]

http://mobile.slashdot.org/comments.pl?sid=1930156&cid=34714024 [slashdot.org]

http://tech.slashdot.org/comments.pl?sid=1924892&cid=34670128 [slashdot.org]

http://tech.slashdot.org/comments.pl?sid=1907528&cid=34532574 [slashdot.org]

---

As just some "examples thereof"...

(&, for SOME reason? They seem to HATE me for posting about HOSTS files, for whatever reasons, whenever I posted about it (extolling its virtues on MANY grounds (better speed, security, & even anonymity to a degree, online)).

Yes, I get "mod ups" for it, but not usually.

APK

P.S.=> It's a way, but I only consider it a valuable aid for more speed (via hardcodes as you alluded to of the IP Address-to-Host/Domain name equation), more security/anonymity (using hardcoded to avoid DNS request logs), & also more security vs. KNOWN bad sites/servers etc. (by blocking them off, in essence, using the hosts as a "blacklist")... it's a valuable AID to speed, anonymity, & security online, but... it's not the "total end all/be all answer" either... but it beats browser addons, because they only usually protect certain browsers, or email programs (where the HOSTS file works for them all, for the purposes I noted above now, "universally" across-the-board, & on ANY Operating System that uses a BSD based IP Stack)... apk

Re:Many companies avoid using networked nameserver (1)

gpuk (712102) | more than 3 years ago | (#35290718)

I'd hardly call hosts files obscure...

Also, restricting name resolution to the hosts file only does not "de facto limit the webservers that employees may visit", as this file is never consulted if the webserver is accessed via its IP address.

Re:Many companies avoid using networked nameserver (1, Insightful)

skids (119237) | more than 3 years ago | (#35290750)

This is not well known, but every computer connected to the Internet is capable of being its own nameserver.

This is in fact fairly well known among the people who need to know these things. Also the hosts file is no substitute for DNS. It cannot, for example, give you MX records, cannot perform round-robin load balancing, and even if the sync of the hosts file is very quick, is not a suitable way to deal with the fact that name to ip mappings change frequently. Anyone who set things up as described above would be committing malpractice.

Some of your points = moot to most people & wr (-1)

Anonymous Coward | more than 3 years ago | (#35291376)

"Also the hosts file is no substitute for DNS." - by skids (119237) on Wednesday February 23, @11:02AM (#35290750) Homepage

It can work against the problem this article notes though, in DNS poisoning/redirect/misdirect, though easily enough!

HOSTS are a GREAT SUPPLEMENT to DNS, especially when it screws up or has bugs... & this article pointing this out? FAR from a first on DNS issues (over the past 30 yrs. now!)

---

"It cannot, for example, give you MX records" - by skids (119237) on Wednesday February 23, @11:02AM (#35290750) Homepage

Like you said: "to the people that need to know these things", which is what? Less than .001% of users out there, & really only network admins (MAYBE techies)?? They're the only ones that need mail info. anyhow!

---

"cannot perform round-robin load balancing" - by skids (119237) on Wednesday February 23, @11:02AM (#35290750) Homepage

Well, you can "load balance" erroneous information all you like... but, it's STILL erroneous info., period... & DNS poisoning, redirect/misdirecting? Happens & has happened QUITE A LOT the past decade especially!

HOSTS can offset/immunize you vs. that in fact, because HOSTS are a good supplement to DNS, & that's that.

---

"and even if the sync of the hosts file is very quick" - by skids (119237) on Wednesday February 23, @11:02AM (#35290750) Homepage

It is, via logon scripts, for example (which is when it matters most - when a client on a network node goes to use his system)...

---

"is not a suitable way to deal with the fact that name to ip mappings change frequently." - by skids (119237) on Wednesday February 23, @11:02AM (#35290750) Homepage

Uhm, how often does that happen? Not very, & IF it does?? You're DOING IT WRONG & inefficiently for typical setups!

APK

P.S.=>

"Anyone who set things up as described above would be committing malpractice." - by skids (119237) on Wednesday February 23, @11:02AM (#35290750) Homepage

Ok, care to debate what I wrote in response to your replies then? The OP parent poster may have worded things a bit wrong (e.g. "hosts.txt" when it's actually HOSTS & no extension etc.), but, he's NOT that "far off base" & I can specifically point to where YOU, in fact, are... or you are exaggerating things! apk

Re:Some of your points = moot to most people & (2)

djdanlib (732853) | more than 3 years ago | (#35292032)

I am not one of the ACs in this thread. That being said, I have some background and experience in network administration in environments from SOHO to global enterprises.

Now, please detail how you'd set up an automatic and redundant P2P distribution network for a HOSTS file including your mechanism for securely updating said HOSTS file from a location of your choosing, and explain how your solution is more efficient than your company's infrastructure's DNS systems. If you allow updates from anywhere other than a central location, what happens when malware on a personal computer alters the HOSTS file - does it cause an erroneous update to be pushed out to the group? Can you ever tell that the one computer is stale? Would you push the updates on demand only, or every X minutes/days?

You're clearly talking about a business use of some sort here. Have you done this in a business environment? How large? How did you convince them to allow you to override DNS with myriad HOSTS files? Have improvements in their network infrastructure superseded your solution, perhaps without your knowledge?

The only benefit to having a HOSTS file distribution like that might be that it could be distributed faster than your DNS can replicate changes via a push or pull mechanism, although in a modern enterprise environment DNS changes should be able to propagate in minutes if not seconds.

Once a system is removed from that HOSTS file distribution, or the distribution fails because a server dies or a network link is broken temporarily, or a user does something that causes their personal machine to stop receiving changes, then you have stale HOSTS files everywhere conflicting with your DNS. How do you propose to clean that mess up?

DNS should at least be set up such that (in no particular order):
1) It is very redundant (multi-homed) and thus robust/reliable
2) Administrators can control it and add/alter/remove records
3) Replication is fast
4) The source of changes can be verified or at least identified
5) Poisoned updates from the untrusted wilds can be rolled back and audited once they have been identified

How often do you have significant DNS bugs whose actual (not theoretical) impact and resolution outweighs the implementation cost (time and money) of your custom HOSTS distribution solution? I propose that this scenario does not exist, but someone has created this alternate solution "just in case" which just smacks of the 1980s rather than learning how to correctly administer their DNS infrastructure. Either that, or someone is upset because they weren't permitted to alter the corporate DNS the way they wanted / anonymously, and became the squeaky wheel and pitched their solution to execs in the business who don't know the difference between a CPU and a chassis. (Nor should they have to, it's not their job.) These are possibilities, perhaps not accurate. However: None of these are acceptable for a network administrator. All network admins should be seeking ways to improve their DNS setup, staying on top of the state of the art, and using HOSTS files *only* when appropriate.

HOSTS files do have uses.
* Null-routing a server that's been causing some isolated issue, such as an ad server or some other server that your software times out waiting for; Also, null-routing a server to prevent a new software package you're testing/developing from reaching a production server
* Rerouting a name to your local development environment while debugging or developing software
* Guarantee resolution of key server names on a portable demo workstation that often finds itself on different private networks

I think you need to chill out a little bit, regardless. There's entirely too much angry excitement in this thread, and there's a lot of arguments that seem to stem from personal experiences with isolated situations from the distant past that basically never happen in a properly configured environment, and don't cause the kind of disaster that they are imagined to cause. Let's try to stay calm, civil and professional on a public technology website.

Can't you read? I wouldn't USE P2P to update HOSTS (0)

Anonymous Coward | more than 3 years ago | (#35292066)

Now, please detail how you'd set up an automatic and redundant P2P distribution network for a HOSTS file including your mechanism for securely updating said HOSTS file from a location of your choosing, and explain how your solution is more efficient than your company's infrastructure's DNS systems" - by djdanlib (732853) on Wednesday February 23, @01:17PM (#35292032) Homepage

I am not the OP/parent here, I am APK (I post as AC here all the time & "sign off" @ the termination of my posts as "APK", so you know). You should look thru my other replies here, because you're now sitting there with egg on your face accusing me of something I never said, & in fact, something I disagree with myself (using P2P to update HOSTS). Logon scripts work for that, easily!

You have me confused with the other fellow... I update HOSTS on LAN/WAN setups using logon scripts!

APK

P.S.=> If you'd have read PROPERLY? You'd see that I recommended using Logon Scripts for HOSTS files updates... & yes, I have done this in ENTERPRISE class scenarios with 100's of users in fact! apk

Re:Can't you read? I wouldn't USE P2P to update HO (2)

djdanlib (732853) | more than 3 years ago | (#35292166)

I addressed my post incorrectly. I was replying to the thread as a whole, which was not correctly conveyed.

Logon scripts that copy from where?

Still, it wouldn't kill you to be civil.

I am being civil man, just telling truth (0)

Anonymous Coward | more than 3 years ago | (#35292284)

"I addressed my post incorrectly. I was replying to the thread as a whole, which was not correctly conveyed." - by djdanlib (732853) on Wednesday February 23, @01:32PM (#35292166) Homepage

Fair enough... try not do it again I suppose! LOL, that made you look pretty poorly, but fair enough.

(Again, stressing it, as I did to others here: Logon scripts can do the job updating a HOSTS file... which work vs. DNS poisoning redirects bigtime, & are easily updated + distributed, via logon scripts (when it matters most, when a user signs onto a machine to use it)).

APK

P.S.=>

"Logon scripts that copy from where?" - by djdanlib (732853) on Wednesday February 23, @01:32PM (#35292166) Homepage

From your fastest server I suppose (that's how I went about it in LAN/WAN scenarios)... OR, there ARE other methods, other than logon scripts!

E.G.-> See MVPS.ORG (they make a pretty "famous" HOSTS file, much smaller & less comprehensive than mine, but well known).

They have a tool for it (I built one myself years before it in fact, but I use it only for my personal uses, APK Hosts File Grinder 4.0++)...

Anyhow/anyways - See this page:

http://www.mvps.org/winhelp2002/hosts.htm [mvps.org]

Look for "HOSTSMAN" there...

I.E.-> it is capable of doing remote HOSTS file updates in fact, & from a VERY "reputable & reliable" source, mvps.org!

---

"Still, it wouldn't kill you to be civil.." - by djdanlib (732853) on Wednesday February 23, @01:32PM (#35292166) Homepage

I am, per my subject-line...

I only stated fact when I said you're sitting there with "egg on your face" accusing me of stating I was using P2P setups to update HOSTS files is all... because I never said it!

Fact is, the post you replied to of mine? Even has me SAYING I used logon scripts to update hosts in networked environs! You "skimmed over" that... fact! apk

Re:Can't you read? I wouldn't USE P2P to update HO (0)

Anonymous Coward | more than 3 years ago | (#35292496)

Do not get in Internet argument with APK he's really volatile and might issue you a standing death threat over it:

http://forums.techpowerup.com/showthread.php?p=283463#post283463 [techpowerup.com]

Distinct posting style especially key giveaway P.S.=> indicates this is same APK: http://forums.techpowerup.com/search.php?searchid=13405991 [techpowerup.com]

Beware the investigative powers of the anonymous Internet, and don't post thing publicly you wouldn't want us to find...!!!

Why do they host 2 of my wares then? (0)

Anonymous Coward | more than 3 years ago | (#35292678)

If I am "so bad"? Then why does TechPowerUp still host my software there then??

E.G. #1:

APK Registry Cleaning Engine 2002++ SR-7:

http://www.techpowerup.com/downloads/389/APK_Registry_Cleaning_Engine_2002++_SR-7_.html [techpowerup.com]

E.G. #2:

APK Matrix ScreenSaver:

http://www.techpowerup.com/downloads/390/APK_Matrix_ScreenSaver.html [techpowerup.com]

?

(iirc, they're even MORE DOWNLOADED in the categories they're in, than WinZip there even!)

Plus, anyone can sign off as anyone... & for all I know? Someone impersonated me, yet again, there (like they have here, many times, or at arstechnica where they did so as well & got caught in it (Jeremy Reimer specifically)).

APK

P.S.=> SO, you can TRY to go "off topic" & try to discredit me, but you're not doing well @ it... In fact, I've noted that when folks have to go "off topic" in replies?? They KNOW they've lost the debate... apk

Re:Why do they host 2 of my wares then? (1)

djdanlib (732853) | more than 3 years ago | (#35292844)

Ugh, there are some bored forum trolls and they are out in force today. It looks like they did a drive-by on our conversation. Either that, or someone involved in that forum happened across this. If you're trying to say it was me trying to discredit you... how do I know it wasn't you setting up that accusation? I don't know. Whatever the case, I don't especially care for it.

I followed those links and guess what I see there... if that's you, you tend to know what you're talking about, although you get more impassioned than other people might. (See, if you weren't posting AC, I might have been able to do that with your Slashdot comments.) Looks like the troll backfired, didn't it? If it's not you, they did an excellent job impersonating you and making you look good up to the end, and you should probably do some damage control. If it is you, then you should own up to your mistakes and move on.

All I ever wanted was to say "there are better ways to do what you guys are talking about than dumping hosts files everywhere" and see if you'd thought of something I hadn't, and I was hoping the person you were replying to would get on board as well. It's clear that you're not in this for an exchange of ideas, so I'm not going to participate any further in this thread that's devolving into a flame war / troll-a-thon. It's a shame when Slashdot turns into this sort of mess. Better luck next time!

That there are, ignore them... apk (0)

Anonymous Coward | more than 3 years ago | (#35292998)

"if that's you, you tend to know what you're talking about" - by djdanlib (732853) on Wednesday February 23, @02:33PM (#35292844) Homepage

Thank you. We DO try! I didn't follow the links posted, because it's obviously trolls around here (as you yourself noted).

---

"It's clear that you're not in this for an exchange of ideas" - by djdanlib (732853) on Wednesday February 23, @02:33PM (#35292844) Homepage

Why, sure I am... I showed you 2 diff. ways to remotely update a HOSTS file, reliably & from reputable sources!

MVPS.ORG (manually, or via the HOSTSMAN program)

or

Using logon scripts

I just wanted to make SURE you knew I wasn't the OP/parent poster that noted using P2P was his way of updating a HOSTS file (but, it's NOT like THAT's "undoable" either... it's just that using logon scripts on a LAN/WAN is better, imo @ least).

---

"Ugh, there are some bored forum trolls and they are out in force today." - by djdanlib (732853) on Wednesday February 23, @02:33PM (#35292844) Homepage

LOL, yes there are... I get this regularly, I am QUITE used to it! The problem with some of these wannabe "geeks" is that they cannot handle it when they're off/wrong... & they follow + stalk you online, endlessly.

I don't mind it though, not really... why? Well - I just shoot them down with facts, every time, & usually it's VERY easy to do (as I usually say, that pisses them off to NO end?? "too, Too, TOO EASY - just '2EZ'")

---

" It's a shame when Slashdot turns into this" - by djdanlib (732853) on Wednesday February 23, @02:33PM (#35292844) Homepage

I agree, but, don't let it bother you... then again, I am used to being trolled, perhaps you are not (& I was not trolling you - I merely pointed out you made a mistake saying I used P2P to update hosts, & I showed you I do not )

APK

P.S.=>

"although you get more impassioned than other people might." - by djdanlib (732853) on Wednesday February 23, @02:33PM (#35292844) Homepage

Sometimes I do, sometimes I don't... it mostly depends if I am attacked first is all, then I come out "all guns blazing"... Hey - only human here & defending myself is all. I have every right to that much.

However - I have been impersonated online, many times here on this site in fact (because I post AC), & even by well-known sites (e.g. arstechnica) + their personnel (which astounded me, but that's THEIR "Geek Angst" working against them is all - they most likely regret it later I imagine).... apk

Hey, Pete (0)

Anonymous Coward | more than 3 years ago | (#35292568)

Pete, you're a troll and a moron. You made a complete ass of yourself here [thorschrock.com] and you continue to do so in this forum.

Are you on topic, troll? Ty Tymkovich says HI (0)

Anonymous Coward | more than 3 years ago | (#35292722)

"Pete, you're a troll and a moron. You made a complete ass of yourself here and you continue to do so in this forum." - by Anonymous Coward on Wednesday February 23, @02:04PM (#35292568)

Since you're off topic & trolling me? What's good for the goose, is good for the gander... here we go, tit for tat:

Thor SCHMUCK? LOL, tell him that his buddy Ty Tymkovich says hello... ok??

(Gee, I just WONDER (not) who sent Ty Thor's way... lol!)

$5,000 Thor SCHMUCK got absolutely SUCKERED for by Good Ole' Ty (someone should nominate him for sainthood imo, lol), after Thor libelled myself?

Serves him right!

APK

P.S.=> You ought to tell Thor SCHMUCK to tell his Sis to keep her legs together too... she's NOT good at that from what I see (& only THOR calls me "Pete" so, it doesn't take a brain to see you're he)... apk

Re:Are you on topic, troll? Ty Tymkovich says HI (0)

Anonymous Coward | more than 3 years ago | (#35292802)

Gone off your meds again, Pete? Your 76 yr old mom/roommate can't see to get the colors right? You can always tell when Alexander Peter Kolwalski has gone off his Depakote and Lithium.

The Ty Tymkovich part "get to you"? LMAO! (0)

Anonymous Coward | more than 3 years ago | (#35292864)

See subject-line, lol, and tell your sister to keep her legs together Thor (there'd be 1 less fatherless bastard out there, you know? It's not the kid's fault either... that's the SAD part, because I think kids are 1 of the FEW redeeming features of humanity, especially little kids. However, IRRESPONSIBLE ADULTS? Not so!).

Ty, listen: Next time you wonder how Ty Tymkovich got a piece of you, for $5,000? DON'T THINK *TOO* LONG... lol!

I don't know WHERE this "roommate" thing came from, or my Mom, but I own my own home, & have rental properties too... but, to each his own!

Lastly, I'll tell you 1 thing: You seem to know which meds to take... is this the "voice of experience" on YOUR end, taking them, yourself? Sounds it... try get on topic, you might sound more credible.

APK

P.S.=> As far as the rest of your attempting to troll me? Please - keep your "sidewalk surgeon/quack" diagnosis-prognosis to yourself... ok? Until you get your PHD in Psychiatry, and a license to practice it, and you have done a formal examination of myself in a professional environs??? Please... your own "delusions of grandeur" have gotten the BEST of you (like Ty Tymkovich did, lol)... because you're NO psychiatrist! apk

Re:The Ty Tymkovich part "get to you"? LMAO! (0)

Anonymous Coward | more than 3 years ago | (#35292950)

Nope, not Thor. Judging by how he didn't respond to your idiotic statements at the end of his column I would guess that he's far too busy to deal with someone who's clearly taking trolling to a professional level. Maybe if you'd work as hard at your software as you do at being a douche bag then your (cr)apps wouldn't have ended up on the malware lists.

Ad hominem attacks & off topic trolling? Pleas (0)

Anonymous Coward | more than 3 years ago | (#35293082)

"Judging by how he didn't respond to your idiotic statements at the end of his column I would guess that he's far too busy to deal with someone who's clearly taking trolling to a professional level." - by Anonymous Coward on Wednesday February 23, @02:43PM (#35292950)

Like yourself off topic here the whole time?

Thor COULDN'T respond... when I used the example of Spybot "Search & Destroy" altering a HOSTS file (albeit for the GOOD of others), & yet, he doesn't list it as a malware? It showed how much Thor SCHMUCK knew (zero).

I asked him also why PING is not listed... it can issue a PING OF DEATH (or could on various distros/OS over time)... funny he shut up there too, eh??

THOR SCHMUCK IS A 1/2 WIT WITH NO DEGREE IN COMPUTER SCIENCE TRYING TO PLAY "EXPERT" ONLINE, PERIOD... & IT BACKFIRED IN HIS FACE WHEN HE TRIED ME IS ALL!

(Ty Tymkovich took him for $5,000 too, lol, hilarious!)

---

"Maybe if you'd work as hard at your software as you do at being a douche bag then your (cr)apps wouldn't have ended up on the malware lists" - by Anonymous Coward on Wednesday February 23, @02:43PM (#35292950)

My software's & work in it have done well for me... here is a partial list (in addition to the apps I showed from techpowerup here in this very exchange too):

---

Windows NT Magazine (now Windows IT Pro) April 1997 "BACK OFFICE PERFORMANCE" issue, page 61

(&, for work done for EEC Systems/SuperSpeed.com on PAID CONTRACT (writing portions of their SuperCache program increasing its performance by up to 40% via my work) albeit, for their SuperDisk & HOW TO APPLY IT, took them to a finalist position @ MS Tech Ed, two years in a row 2000-2002, in its HARDEST CATEGORY: SQLServer Performance Enhancement).

WINDOWS MAGAZINE, 1997, "Top Freeware & Shareware of the Year" issue page 210, #1/first entry in fact (my work is there)

PC-WELT FEB 1998 - page 84, again, my work is featured there

WINDOWS MAGAZINE, WINTER 1998 - page 92, insert section, MUST HAVE WARES, my work is again, there

PC-WELT FEB 1999 - page 83, again, my work is featured there

CHIP Magazine 7/99 - page 100, my work is there

GERMAN PC BOOK, Data Becker publisher "PC Aufrusten und Repairen" 2000, where my work is contained in it

HOT SHAREWARE Numero 46 issue, pg. 54 (PC ware mag from Spain), 2001 my work is there, first one featured, yet again!

Also, a British PC Mag in 2002 for many utilities I wrote, saw it @ BORDERS BOOKS but didn't buy it... by that point, I had moved onto other areas in this field besides coding only...

Being paid for an article that made me money over @ PCPitstop in 2008 for writing up a guide that has people showing NO VIRUSES/SPYWARES & other screwups, via following its point, such as THRONKA sees here -> http://www.xtremepccentral.com/forums/showthread.php?s=ee926d913b81bf6d63c3c7372fd2a24c&t=28430&page=3 [xtremepccentral.com]

Lastly, lately (this year)?

It's also been myself helping out the folks at the UltraDefrag64 project (a 64-bit defragger for Windows), in showing them code for how to do Process Priority Control @ the GUI usermode/ring 3/rpl 3 level in their program (good one too), & being credited for it by their lead dev & his team... see here ->

http://ultradefrag.sourceforge.net/handbook/Credits.html [sourceforge.net]

---

Plus, your calling me "douchebag"? Please... lol! You're not only an off topic troll, but also an ad hominem attack using one too! Poor showing...

APK

P.S.=>

"Nope, not Thor." - by Anonymous Coward on Wednesday February 23, @02:43PM (#35292950)

Yea, "right" (sarcasm)... b.s.! He's the ONLY person online that calls me "Pete"... & that was his undoing: His doing so showed HE was the one that reported an app of mine, falsely, as a malware!

Thor, please - you're NOT fooling anyone! As far as malware lists though?

CA & others have done this to myself, & also to the likes of NIR SOFER of Nirsoft (ask him yourself) & even DR. MARK RUSSINOVICH of Microsoft too... it happens! It actually appears I am in "GOOD COMPANY" here, lol... & CA? They had to list my single ware of 40 or more I wrote since 1995 online, as a ZERO THREAT LEVEL ware too... & my attorney I talked to, John Lowe of Hiscock & Barclay says I have a winning case for defamation of character & libel, for $150,000 vs. CA (but he knows they would drag it out past that, so it's not worth it)... this is the REAL world! apk

Re:Ad hominem attacks & off topic trolling? Pl (0)

Anonymous Coward | more than 3 years ago | (#35293236)

This is fun. I legitimately have time on my hands to waste, clearly someone of your importance and intellect has much better things to do than to entertain the likes of me. I'm a complete NOBODY and have ruffled your feathers, haven't I? I find it especially laughable that you compare yourself to the likes of Sofer and Russinovich. I've used your reg clean tool and it's not even close to the capabilities/functionalities/variabilities of Jouni Vuorio's jv16 Power tools.

You MAY have been cool in 1997 but those days are over, momma's boy. Better check the batteries in your pillminder...you've missed a dose.

Re:The Ty Tymkovich part "get to you"? LMAO! (0)

Anonymous Coward | more than 3 years ago | (#35293078)

BTW, I am an Internet PSEUDODOCTOLOGIST with my PHD from the Arsclan University and I'm fully qualified to diagnose you as BAT SHIT crazy. Though I have a feeling I'm not the only one who has told you that, am I? ( =

Ad hominem off topic the "best you got"? Grow up (0)

Anonymous Coward | more than 3 years ago | (#35293200)

"BTW, I am an Internet PSEUDODOCTOLOGIST with my PHD from the Arsclan University and I'm fully qualified to diagnose you as BAT SHIT crazy. Though I have a feeling I'm not the only one who has told you that, am I? ( =" - by Anonymous Coward on Wednesday February 23, @03:01PM (#35293078)

Please: Grow up.

APK

P.S.=> When you calm down, I wish you'd look at the stupidity in your post, off topic & ad hominem attack nature of it especially... it makes you look silly + immature, & only makes my points stronger for it.

After all - when you're "forced" to go "off topic" & to ad hominem attack a poster? You've lost... badly! That's attacking "the man", not his technical points... that's a logical fallacy on YOUR part! apk

HOSTS files & /.? Trust me: It's WELL known! (-1)

Anonymous Coward | more than 3 years ago | (#35290820)

"This is not well known, but every computer connected to the Internet is capable of being its own nameserver. Through an obscure file called hosts.txt, it is possible to store a list of domain names. Next to these names, the IP (Internet Protocol) address of the computers they represent can be added. In this fashion, all network name lookups can be self contained, or performed from the computer itself. Professional consultants understand that an alternative to nameservers is thus possible by creating a list of machines a company may reach, then circulating that list to the company computers using P2P (peer-to-peer) filesharing. Not only does this avoid the vulnerability present in relying on yet another redundant server for basic network operations, but it also permits the company to defacto limit the webservers that employees may visit." - by Anonymous Coward on Wednesday February 23, @10:38AM (#35290502)

See these here:

---

http://yro.slashdot.org/comments.pl?sid=1907266&cid=34529608 [slashdot.org]

http://mobile.slashdot.org/comments.pl?sid=1930156&cid=34713952 [slashdot.org]

http://news.slashdot.org/comments.pl?sid=1913212&cid=34576182 [slashdot.org]

http://tech.slashdot.org/comments.pl?sid=1891254&cid=34403798 [slashdot.org]

http://it.slashdot.org/comments.pl?sid=1916240&cid=34606776 [slashdot.org]

http://tech.slashdot.org/comments.pl?sid=1924892&cid=34670128 [slashdot.org]

http://tech.slashdot.org/comments.pl?sid=1907528&cid=34532574 [slashdot.org]

---

As just some "examples thereof"...

(&, for SOME reason? They seem to HATE me for posting about HOSTS files, for whatever reasons, whenever I posted about it (extolling its virtues on MANY grounds (better speed, security, & even anonymity to a degree, online)).

Yes, I get "mod ups" for it, but not usually.

APK

P.S.=> It's a way, but I only consider it a valuable aid for more speed (via hardcodes as you alluded to of the IP Address-to-Host/Domain name equation), more security/anonymity (using hardcoded to avoid DNS request logs), & also more security vs. KNOWN bad sites/servers etc. (by blocking them off, in essence, using the hosts as a "blacklist")... it's a valuable AID to speed, anonymity, & security online, but... it's not the "total end all/be all answer" either... but it beats browser addons, because they only usually protect certain browsers, or email programs (where the HOSTS file works for them all, for the purposes I noted above now, "universally" across-the-board, & on ANY Operating System that uses a BSD based IP Stack)... apk

Re:Many companies avoid using networked nameserver (1)

jijacob (943393) | more than 3 years ago | (#35290824)

Hosts.txt isn't a well-known thing? I would categorize it as more of a known-but-inefficient thing, since you can typically do redirection and other stuff hosts.txt does at the firewall level, negating the need for some complex P2P setup.

It's NOT "hosts.txt", it's just HOSTS, and... (-1)

Anonymous Coward | more than 3 years ago | (#35290978)

"Hosts.txt isn't a well-known thing?" - by jijacob (943393) on Wednesday February 23, @11:09AM (#35290824) Homepage

Not just to you, but also to the parent poster (I didn't note that earlier, but now, I am).

APK

P.S.=>

"I would categorize it as more of a known-but-inefficient thing, since you can typically do redirection and other stuff hosts.txt does at the firewall level, negating the need for some complex P2P setup." - by jijacob (943393) on Wednesday February 23, @11:09AM (#35290824) Homepage

Uhm, using a HOSTS file isn't a "P2P" setup, strictly speaking...

Also, when you hardcode in your favs as I do, sites-wise, you get to them faster than looking them up in a remote DNS for 1 thing, & you don't have the chance of misdirection as badly as this article notes, & yes, it is faster than calling out to a remote DNS...

Additionally, by blocking adbanners (which also have been shown to harbor malicious script too many times over the years now)? You DOUBLE your online speed, easily - "HBO Internet" too...

Also - by blocking out known bad sites, by domain/host name, works for protecting yourself, vs. them since most malware makers do that by hostname/domainname, since they bought it!

(I also use IP addresses, the lesser used method, as you do though for blocking out known bad sites, that are listed in say, malware, by IP address rather than URL/host-domain name, etc. in firewalls (software or router hardware) because HOSTS don't work on IP Addy's)... apk

HOSTS files are WELL known on /. (I made sure!) (-1)

Anonymous Coward | more than 3 years ago | (#35290852)

"This is not well known, but every computer connected to the Internet is capable of being its own nameserver. Through an obscure file called hosts.txt, it is possible to store a list of domain names. Next to these names, the IP (Internet Protocol) address of the computers they represent can be added. In this fashion, all network name lookups can be self contained, or performed from the computer itself. Professional consultants understand that an alternative to nameservers is thus possible by creating a list of machines a company may reach, then circulating that list to the company computers using P2P (peer-to-peer) filesharing. Not only does this avoid the vulnerability present in relying on yet another redundant server for basic network operations, but it also permits the company to defacto limit the webservers that employees may visit." - by Anonymous Coward on Wednesday February 23, @10:38AM (#35290502)

See these here:

---

http://yro.slashdot.org/comments.pl?sid=1907266&cid=34529608 [slashdot.org]

http://mobile.slashdot.org/comments.pl?sid=1930156&cid=34713952 [slashdot.org]

http://news.slashdot.org/comments.pl?sid=1913212&cid=34576182 [slashdot.org]

http://tech.slashdot.org/comments.pl?sid=1891254&cid=34403798 [slashdot.org]

http://it.slashdot.org/comments.pl?sid=1916240&cid=34606776 [slashdot.org]

http://tech.slashdot.org/comments.pl?sid=1924892&cid=34670128 [slashdot.org]

http://tech.slashdot.org/comments.pl?sid=1907528&cid=34532574 [slashdot.org]

---

As just some "examples thereof"...

(&, for SOME reason? They seem to HATE me for posting about HOSTS files, for whatever reasons, whenever I posted about it (extolling its virtues on MANY grounds (better speed, security, & even anonymity to a degree, online)).

Yes, I get "mod ups" for it, but not usually.

APK

P.S.=> It's a way, but I only consider it a valuable aid for more speed (via hardcodes as you alluded to of the IP Address-to-Host/Domain name equation), more security/anonymity (using hardcoded to avoid DNS request logs), & also more security vs. KNOWN bad sites/servers etc. (by blocking them off, in essence, using the hosts as a "blacklist")... it's a valuable AID to speed, anonymity, & security online, but... it's not the "total end all/be all answer" either... it's a VALUABLE tool for "layered security" though!

Additionally, it beats browser addons, because they only usually protect certain browsers, or email programs (where the HOSTS file works for them all, for the purposes I noted above now, "universally" across-the-board, & on ANY Operating System that uses a BSD based IP Stack)... apk

Re:Many companies avoid using networked nameserver (3, Insightful)

Albanach (527650) | more than 3 years ago | (#35290864)

Seriously? What companies avoid nameservers?

Why would you believe your P2P software is less prone to vulnerabilities than BIND?

but it also permits the company to defacto limit the webservers that employees may visit.

Perhaps, if your company employs people who cannot type in an IP address. Nonetheless, I can think of many much better ways to limit employee internet access.

All software has vulnerabilities. If your nameserver has an issue, you upgrade BIND and you're done. If your P2P software on every desktop has a vulnerability, you now have to update software on every desktop. Assuming, that is, that the vulnerability is ever publicly disclosed.

Not same AC here, but here goes... apk (0)

Anonymous Coward | more than 3 years ago | (#35292544)

"Seriously? What companies avoid nameservers?" - by Albanach (527650) on Wednesday February 23, @11:14AM (#35290864) Homepage

Uhm, there ARE "rogue DNS servers" out there, & ones that malware makers themselves actually use... & what's a way to block them out? Hosts is 1 possible.

---

FAST FLUX DNS MALWARE TECHNIQUE IN A NUTSHELL:

http://en.wikipedia.org/wiki/Fast_flux [wikipedia.org]

---

Iirc, "fast-fluxing" is one method that involves DNS & rogue servers, & malware makers use it... So, that said?

YOU MAY WISH TO "LOOK INTO IT", yourself...

---

"Perhaps, If your company employs people who cannot type in an IP address." - by Albanach (527650) on Wednesday February 23, @11:14AM (#35290864) Homepage

LMAO, hey man - there IS "plenty of THAT, 'going around'" too, & YOU KNOW IT! Lol... some folks just do NOT "get into being geeks" is all.

---

"Nonetheless, I can think of many much better ways to limit employee internet access." - by Albanach (527650) on Wednesday February 23, @11:14AM (#35290864) Homepage

Hosts work for it, nonetheless, & especially in cases where the DNS records are false/erroneous/hijacked... as they are in this case, & many others the past decade or so now.

APK

P.S.=> Hosts files are an EXCELLENT security AND SPEED supplement to DNS servers, but they're not really a GOOD SOLID FULL replacement...

HOWEVER: Using HOSTS files to:

1.) Block out KNOWN BAD SITES/SERVERS/HOSTS-DOMAINS, is good for security

2.) Blocking adbanners is also good for security (since they've been hijacked quite a lot the past few years) AND SPEED too (e.g./i.e. - I make a DSL connection behave like FIOS almost, on the web @ least this way)

3.) HOSTS aid anonymity (avoiding DNS request logs, which you'd *think* DNS server admins might like, since it "lessens the load" on DNS servers!)... apk

Trust me, lol, they KNOW about HOSTS here (-1)

Anonymous Coward | more than 3 years ago | (#35290896)

"This is not well known, but every computer connected to the Internet is capable of being its own nameserver. Through an obscure file called hosts.txt, it is possible to store a list of domain names. Next to these names, the IP (Internet Protocol) address of the computers they represent can be added. In this fashion, all network name lookups can be self contained, or performed from the computer itself. Professional consultants understand that an alternative to nameservers is thus possible by creating a list of machines a company may reach, then circulating that list to the company computers using P2P (peer-to-peer) filesharing. Not only does this avoid the vulnerability present in relying on yet another redundant server for basic network operations, but it also permits the company to defacto limit the webservers that employees may visit." - by Anonymous Coward on Wednesday February 23, @10:38AM (#35290502)

See these here:

---

http://yro.slashdot.org/comments.pl?sid=1907266&cid=34529608

http://mobile.slashdot.org/comments.pl?sid=1930156&cid=34713952

http://news.slashdot.org/comments.pl?sid=1913212&cid=34576182

http://tech.slashdot.org/comments.pl?sid=1891254&cid=34403798

http://it.slashdot.org/comments.pl?sid=1916240&cid=34606776

http://tech.slashdot.org/comments.pl?sid=1924892&cid=34670128

http://tech.slashdot.org/comments.pl?sid=1907528&cid=34532574

---

As just some "examples thereof"...

(&, for SOME reason? They seem to HATE me for posting about HOSTS files, for whatever reasons, whenever I posted about it (extolling its virtues on MANY grounds (better speed, security, & even anonymity to a degree, online)).

Yes, I get "mod ups" for it, but not usually.

APK

P.S.=> It's a way, but I only consider it a valuable aid for more speed (via hardcodes as you alluded to of the IP Address-to-Host/Domain name equation), more security/anonymity (using hardcoded to avoid DNS request logs), & also more security vs. KNOWN bad sites/servers etc. (by blocking them off, in essence, using the hosts as a "blacklist")... it's a valuable AID to speed, anonymity, & security online, especially layered security, but... it's not the "total end all/be all answer" either... but it beats browser addons, because they only usually protect certain browsers, or email programs (where the HOSTS file works for them all, for the purposes I noted above now, "universally" across-the-board, & on ANY Operating System that uses a BSD based IP Stack)... apk

Re:Many companies avoid using networked nameserver (1)

isopropanol (1936936) | more than 3 years ago | (#35290958)

Also severely limits who you can send email to. And is excessively cumbersome. Easier to just run your own BIND and not allow connections from outside.

HOSTS don't "limit email" (they help it in fact) (-1)

Anonymous Coward | more than 3 years ago | (#35291098)

"Also severely limits who you can send email to. And is excessively cumbersome. Easier to just run your own BIND and not allow connections from outside." - by isopropanol (1936936) on Wednesday February 23, @11:26AM (#35290958)

Explain that please... because it seems as if you're trying to say a HOSTS file limits email!

If anything? They HELP you! See below on that note for more detail... & hosts DO work with DNS servers (in combination).

APK

P.S.=> If ANYTHING? A good custom HOSTS file that block out KNOWN bad sites/servers/hosts/domain names HELPS you out in email, HTML email with scripting especially turned on which it generally is by default unfortunately, by keeping you from being exploited (whereas browser addons don't for external to browser email tools, like Outlook/Outlook Express for example, among others like them that are NOT part of the browser or online email)... apk

It's NOT "hosts.txt", it's just HOSTS... apk (-1)

Anonymous Coward | more than 3 years ago | (#35291032)

"Through an obscure file called hosts.txt" - by Anonymous Coward on Wednesday February 23, @10:38AM (#35290502)

It's NOT "hosts.txt", it's just HOSTS (no extension)...

APK

Re:Many companies avoid using networked nameserver (1)

Bacon Bits (926911) | more than 3 years ago | (#35291112)

Hosts is old. It predates DNS, and is one of the reasons for DNS. DNS (and WINS, technically) were developed because maintenance of the hosts file across a network of computers is too complex. Updates would be slow, insecure, inconsistent and unreliable, particularly if you use DHCP on your network instead of static addressing (which everybody with a brain does on a non-trivial network). Cache poisoning would be a constant problem. Never mind that all the hosts file does is translate names to IP addresses, while DNS does much more than that.

So, yes, if you're willing to sacrifice ease of administration, security, functionality, performance, and reliability, you can absolutely revert to distributed hosts files over DNS.

Maintenance on networks = easy (logon script) & (-1)

Anonymous Coward | more than 3 years ago | (#35291234)

"maintenance of the hosts file across a network of computers is too complex." - by Bacon Bits (926911) on Wednesday February 23, @11:44AM (#35291112)

Do you know what a LOGON SCRIPT is? It can be used to update the HOSTS file, and when it matters: WHEN A USER LOGS ONTO HIS SYSTEM TO USE IT!

I.E.-> Using logon scripts to update a client network node's HOSTS file is trivial, and it keeps the client/network node logged onto up to date every time they logon to use their system, which is, after all, WHEN IT MATTERS!

HOSTS are also a good supplement to DNS!

Especially in cases like this one, where DNS redirection/misdirection poisonings occur.

Especially if one "hardcodes" their favorites into a HOSTS file (w/ the correct IP address - to - host/domain name), & it's faster than calling out to a remote DNS server too (and in cases like this one, safer, since the HOSTS file is default looked at first, prior to DNS).

APK

P.S.=> Seems to me, lastly, the DNS has the "cache poisoning problem" (not a first either), per this statement from you:

"Cache poisoning would be a constant problem." - by Bacon Bits (926911) on Wednesday February 23, @11:44AM (#35291112)

Funny - but, isn't DNS the one with the caching & redirect poisoning problem here? Per this very article & others LIKE IT, over time??

---

"So, yes, if you're willing to sacrifice ease of administration, security, functionality, performance, and reliability, you can absolutely revert to distributed hosts files over DNS.." - by Bacon Bits (926911) on Wednesday February 23, @11:44AM (#35291112)

B.S., b.s., b.s. & b.s and b.s.... you can actually go FASTER using a HOSTS file, & resolve IP addy - to - HOSTS/domain names faster using them, vs. a remote DNS server... & again - distributing them? Easy as a logon script... apk

Re:Maintenance on networks = easy (logon script) & (0)

Anonymous Coward | more than 3 years ago | (#35291516)

yeah.. until your hosts file is a couple hundred kB. flat text files don't scale well.

I use a HOSTS file that's 25mb in size, it scales! (-1)

Anonymous Coward | more than 3 years ago | (#35291616)

"yeah.. until your hosts file is a couple hundred kB. flat text files don't scale well." - by Anonymous Coward on Wednesday February 23, @12:26PM (#35291516)

First of all: DEFINE "scale" here...

Secondly: I don't understand HOW you can say that... & especially using the word "scale"!

See, I state that, because I am currently using a HOSTS file that is 25mb in size, & one that blocks out 936,000 KNOWN bad sites/servers/host-domain names & from REPUTABLE Sources... would you like those?

You might find them useful. They are for me, keeping my HOSTS file updated to the MINUTE no less!

APK

P.S.=> Now, IF you're having a problem with relatively LARGISH hosts files?

On Windows, you have to stall the local DNS client cache (which sucks anyhow, because it's written on a fixed size buffer, rather than a queue, apparently... because it 'breaks down' & lags you with larger hosts files)... it doesn't "scale" well itself, no questions asked, because of that being FIXED size (it's a C/C++ structure in DNS server sourcecodes is why).

I do that here, stall the local DNS client cache in Windows 2000-XP-Server 2003 - Windows 7 in fact, & have since, oh, around 1997 in fact... & I go 2x as fast online than by NOT using a HOSTS file! apk

Re:Many companies avoid using networked nameserver (1)

i.r.id10t (595143) | more than 3 years ago | (#35291370)

Most of what I see hosts files used for now is to "null route" (direct to 0.0.0.0) known bad hosts.

I do the same on my computers, but instead of "known bad" hosts I block various ad servers

Re:Many companies avoid using networked nameserver (1)

Bacon Bits (926911) | more than 3 years ago | (#35291674)

Yeah, a lot of anti-malware software does this. Spybot Search & Destroy adds about 15,000 entries to hosts that point to 127.0.0.1, which might fail safer than a null route. It amounts to the same thing.
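Added example, my own code and not from any poster in this thread: a small linter for a hosts file used the way the posts above describe, with blocklist entries sunk to 0.0.0.0 or 127.0.0.1 and "hardcoded" favourites pinned to real addresses. It flags the failure modes a defender cares about: malformed lines, one name pinned to two addresses (the first line silently wins), and pinned entries that have drifted from a current resolver answer supplied by the caller. The sample hosts text, the `.example` names and the 192.0.2.0/24 addresses are constructed placeholders.

```python
import ipaddress
import re

# Sink addresses that make an entry a block rather than a real mapping: 0.0.0.0
# (the "null route" style) and 127.0.0.1 (what Spybot S&D writes), plus IPv6 forms.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Conservative hostname syntax: dot-separated labels of letters, digits and hyphens.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed sample hosts file for demonstration; not a real blocklist.
SAMPLE_HOSTS = """\
# blocklist portion, sink style varies by tool
0.0.0.0 ads.example.net tracker.example.org
127.0.0.1 ads.example.net        # same name via the other sink: still just blocked
# pinned favourites, the "hardcode" style discussed in the thread
192.0.2.10 secunia.example
192.0.2.11 secunia.example       # second address for the same name: dead line
999.1.1.1 bogus.example          # malformed address
0.0.0.0 bad_host!name            # malformed hostname
"""


def valid_hostname(name):
    """True if name (already lower-cased) is a syntactically plausible hostname."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.rstrip(".").split("."))


def parse_hosts(text):
    """Return ([(lineno, ip, hostname), ...], [(lineno, reason), ...]).

    Hosts-file syntax: '#' starts a comment, fields are whitespace separated,
    the first field is the address and every remaining field maps to it.
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            errors.append((lineno, "address without hostname"))
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            errors.append((lineno, f"invalid address {fields[0]!r}"))
            continue
        for name in fields[1:]:
            name = name.lower()
            if not valid_hostname(name):
                errors.append((lineno, f"invalid hostname {name!r}"))
                continue
            entries.append((lineno, ip, name))
    return entries, errors


def analyze(text):
    """Split a hosts file into blocked names and pinned name->ip mappings.

    A conflict is one name pinned to two different non-sink addresses, or a name
    that is both blocked and pinned: the resolver takes the first match, so the
    later line is dead and usually a stale or mistaken edit.
    """
    entries, errors = parse_hosts(text)
    blocked, pinned, conflicts = set(), {}, []
    for lineno, ip, name in entries:
        if ip in SINK_ADDRESSES:
            blocked.add(name)
        elif name in pinned:
            if pinned[name] != ip:
                conflicts.append((lineno, name, pinned[name], ip))
        else:
            pinned[name] = ip
    for name in sorted(blocked & set(pinned)):
        conflicts.append((None, name, pinned[name], "sink"))
    return {"blocked": blocked, "pinned": pinned,
            "conflicts": conflicts, "errors": errors}


def find_drift(pinned, live):
    """Return {name: (pinned_ip, live_ip)} for pinned names whose address differs
    from a caller-supplied name->ip mapping gathered out of band (no network here).

    This is the maintenance cost of pinning: the entry shields you from a poisoned
    answer, but equally from a legitimate address change by the site.
    """
    return {name: (ip, live[name]) for name, ip in pinned.items()
            if name in live and live[name] != ip}


if __name__ == "__main__":
    report = analyze(SAMPLE_HOSTS)
    print(f"{len(report['blocked'])} blocked, {len(report['pinned'])} pinned, "
          f"{len(report['conflicts'])} conflicts, {len(report['errors'])} bad lines")
    for item in report["conflicts"] + report["errors"]:
        print("  ", item)
```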

Re:Many companies avoid using networked nameserver (2)

geogob (569250) | more than 3 years ago | (#35291486)

Now I really wonder... are you someone totally incompetent trying to post as a windows admin or just an elaborate troll? Because I really don't see the point to try to push the usage of host files in this community (or any community, for that matter - especially as an alternative to DNS).

He made some minor mistakes, I corrected him so... (0)

Anonymous Coward | more than 3 years ago | (#35291756)

"Now I really wonder... are you someone totally incompetent trying to post as a windows admin or just an elaborate troll" - by geogob (569250) on Wednesday February 23, @12:22PM (#35291486)

Take it easy man, no need to insult him. He's trying & he really isn't THAT "far off base" on what he noted!

HOWEVER:

You don't need P2P to distribute HOSTS files as he stated (logon scripts work nicely here)

&

It's not "hosts.txt" as he noted, but hosts (no extension).

---

"I really don't see the point to try to push the usage of host files in this community (or any community, for that matter - especially as an alternative to DNS)." - by geogob (569250) on Wednesday February 23, @12:22PM (#35291486)

I beg to differ, especially In cases where DNS has bugs or is misdirect/redirect "poisoned"? HOSTS ARE AN EXCELLENT SUPPLEMENT! Especially for SECURITY vs. redirect/misdirect poisonings of DNS records!!!!

HOSTS can also get you more speed than using external remote DNS servers, & by blocking out adbanners too! You can DOUBLE YOUR SPEED online this way, try it yourself & see!

AND??

HOSTS can get you more security & anonymity to a degree even (vs. DNS request logs even), & security vs. KNOWN bad sites/servers/host-domain names as well, by "blacklist blocking" them out.

APK

P.S.=> If you are not aware of those things? Then, perhaps, you shouldn't have ridiculed the ac that posted this here... he was "off" on a few things I noted above, but, not entirely in principle... apk

Re:Many companies avoid using networked nameserver (1)

IT.luddite (1633703) | more than 3 years ago | (#35291784)

return to ARPAnet? Are you MAD?!?! replace the hierarchical DNS structure w/ P2P filesharing to avoid a vulnerability? Are you INSANE?!?! Sure, professional consultants may understand that alternatives exist for several key infrastructure services (oooh let's get rid of RIP/EIGRP/BGP/etc w/ static routes. It's more secure and that means its more reliable!). Hopefully they understand the issues w/ NOT utilizing it and the ramifications to operational costs to maintain it as well as the implications to reliability. End of the day... you're CRAZY!

Crazy 2 fix a DNS error, & go faster, w/ HOSTS (0)

Anonymous Coward | more than 3 years ago | (#35291872)

"replace the hierarchical DNS structure w/ P2P filesharing to avoid a vulnerability?... End of the day... you're CRAZY!" - by IT.luddite (1633703) on Wednesday February 23, @12:52PM (#35291784)

To update a HOSTS file, all you need is a LOGON script... for starters, & a P2P method is rather "overkill" (I agree here).

However: TO OFFSET & IMMUNIZE ONE'S SELF vs. DNS POISONING of DNS records? Hosts work...

I personally don't think one should REPLACE DNS with HOSTS, but rather supplement DNS (vs. redirect/misdirects like this one i.e. DNS poisonings, & to GO FASTER TOO!)

I use HOSTS to block out known malicious sites (936,000++ here & counting, updated by the MINUTE no less here from many reputable & reliable sources) and adbanners too.

Doing the last paragraph? I make a DSL connection seem like FIOS, because I am not calling out to remote DNS servers (roundtrip there is, minimum, 30-60ms & that's longer than local file access of a HOSTS file, especially once it's cached into memory).

In this case though? HOSTS make sense, as they can proof you vs. such things or even sites going down (when SECUNIA.COM was hit this way? I was reaching it when MOST of the internet, couldn't... how/why?? HOSTS hardcode of secunia's IPAddress-to-Hosts/Domain Name for them!)

APK

Re:Many companies avoid using networked nameserver (0)

Anonymous Coward | more than 3 years ago | (#35292968)

Ugh, it's the Hosts File troll again.

LOL, nope (U guys call me that here)... apk (0)

Anonymous Coward | more than 3 years ago | (#35293154)

"Ugh, it's the Hosts File troll again." - by Anonymous Coward on Wednesday February 23, @02:45PM (#35292968)

LOL, you guys like to "troll me" ad hominem attack style & call me that, but...

The OP/parent poster on HOSTS files? It's not me... too many technical mistakes (e.g. hosts.txt, no filetype extensions on HOSTS), for one thing... & his using P2P, though not IMPOSSIBLE, is not the way to update a HOSTS file... Logon scripts or tools like HOSTSMAN are better imo!

I offered/noted other ways, from reputable & reliable sources, all thru this thread.

APK

P.S.=> NOW, lastly, in closing:

The funniest part of all this is that whatever I posted in favor of HOSTS file here, that overturned the "naysayers" here, & made them have to resort to "off topic" trolling &/or adhominem attacks directed MY way... rather than disputing & disproving my points (as I did to theirs, for THEIR OWN GOOD, and the GOOD OF OTHERS (misinforming others is NOT cool is why)) seems to have done its job - how can I say that? Easy: The fact you're AD HOMINEM ATTACKING ME, or trying to (wrong guy though) shows us all that much... apk

Kill It (1)

jimmerz28 (1928616) | more than 3 years ago | (#35290504)

The government doesn't need an "internet kill switch" when they can just exploit things like this.

I'm giving them way too much credit...

inb4 (0)

Anonymous Coward | more than 3 years ago | (#35290546)

inb4 well-known /fag DNS-and-BIND

FreeBSD? (1)

CAIMLAS (41445) | more than 3 years ago | (#35290582)

I wonder how long it'll be until FreeBSD rolls a security update out for this.

Re:FreeBSD? (1)

Anonymous Coward | more than 3 years ago | (#35291386)

It's OK, most FreeBSD users are not vulnerable, the current production release (8.1) uses bind 9.6.2, which is from before the vulnerability was introduced in the 9.7 series.

Only users who have independently installed the 9.7 package will have an issue.

Earlier versions? (2)

psyclone (187154) | more than 3 years ago | (#35290588)

What about versions before 9.7.1? Looks like this vulnerability affects only Bind servers within the specific range: 9.7.1-9.7.2-P3
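As an added example (not from any poster, ISC or US-CERT), here is a small POSIX shell check that encodes the affected range as the thread states it, 9.7.1 through 9.7.2-P3, so you can classify the version strings your inventory reports; the sample versions fed to it at the bottom are constructed, and the `query_version` helper only shows how to ask a running `named` for its advertised version (which operators frequently blank out with the `version` option).

```shell
#!/bin/sh
# Version-range check for the affected BIND releases named in this thread
# (9.7.1 through 9.7.2-P3). Hand-written for this page; the rule encoded is
# "9.7.1 at any patch level, and 9.7.2 up to and including -P3"; anything
# else (9.6.x, 9.7.0, 9.7.3 and later) is reported as outside the range.

# bind_affected VERSION -> exit status 0 if VERSION is inside the range, 1 if not
bind_affected() {
    v="$1"
    base="${v%%-*}"          # "9.7.2-P3" -> "9.7.2"
    suffix="${v#"$base"}"    # "9.7.2-P3" -> "-P3" (empty when there is no patch level)
    major="${base%%.*}"      # "9"
    rest="${base#*.}"        # "7.2"
    minor="${rest%%.*}"      # "7"
    micro="${rest#*.}"       # "2"
    [ "$major" = 9 ] && [ "$minor" = 7 ] || return 1
    case "$micro" in
        1) return 0 ;;                          # 9.7.1, 9.7.1-P1, ...: inside the range
        2) case "$suffix" in
               ""|-P1|-P2|-P3) return 0 ;;      # 9.7.2 up to 9.7.2-P3: inside the range
               *) return 1 ;;                   # any later 9.7.2 patch level: outside
           esac ;;
        *) return 1 ;;                          # 9.7.0, 9.7.3 and later: outside the range
    esac
}

# query_version [SERVER] -> print the version a running named advertises over
# the CHAOS-class "version.bind" TXT record (defaults to 127.0.0.1). Operators
# often blank this with the "version" option in named.conf, in which case the
# output is whatever string they configured rather than a real version.
query_version() {
    dig @"${1:-127.0.0.1}" version.bind chaos txt +short 2>/dev/null | tr -d '"'
}

# Constructed sample versions, exercised stand-alone:
for v in 9.6.2 9.7.0 9.7.1 9.7.2 9.7.2-P3 9.7.3; do
    if bind_affected "$v"; then
        echo "$v: inside the affected range"
    else
        echo "$v: outside the affected range"
    fi
done
```

The string parsing deliberately ignores release-candidate suffixes (`9.7.2rc1` falls through to "outside"), since only shipped releases appear in the stated range; treat anything the script cannot parse as a prompt to look at the package version by hand.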

Let Me Ask a Question (1)

techsoldaten (309296) | more than 3 years ago | (#35290604)

Let me ask a question, when alerts come out like this that explain a vulnerability, do they always state the problem the way it happens?

Like, if someone understood how to exploit this vulnerability, are they really going to shut down DNS services or could it be that there is a worse vulnerability underneath? For instance, could this actually be a call to patch something that allows for DNS spoof, where someone does not want the issue to have wide awareness?

Re:Let Me Ask a Question (2)

vlm (69642) | more than 3 years ago | (#35291210)

Let me ask a question, when alerts come out like this that explain a vulnerability, do they always state the problem the way it happens?

Thankfully, yes, err, well, as far as they know at that time. I don't do IXFR on my authoritative or resolving bind servers so I simply don't care. Kind of hard to cause a deadlock during a tiny slice of a time in a process I don't run...

Like, if someone understood how to exploit this vulnerability, are they really going to shut down DNS services or could it be that there is a worse vulnerability underneath? For instance, could this actually be a call to patch something that allows for DNS spoof, where someone does not want the issue to have wide awareness?

Uh, no. At least not directly. According to

http://www.isc.org/software/bind/advisories/cve-2011-0414 [isc.org]

the server simply stops responding. Usually deadlocks in any software freeze it up quite well rather than false data. Old data, maybe, at worst...

What happens to the rest of your security infrastructure when it stops getting DNS responses? Probably nothing, but someone who tried really hard could make something like a syslog that wouldn't log if it can't log reverse DNS, so I guess you could brute force something while no one is watching, that is vulnerable to brute forcing (no rate limiting, weak enough to be brute forced, etc). Once they have access maybe they could set up some sort of spoofy thing.

not "high severity" (4, Informative)

Lord Ender (156273) | more than 3 years ago | (#35290818)

This sounds like a denial-of-service flaw. Such flaws are considered "low severity" in all but the rarest cases. A high-severity flaw would be one which either gives a hacker control of a service or access to sensitive information.

This is just one more in a long list of well-known ways anyone could knock a server offline.

Re:not "high severity" (4, Insightful)

Leebert (1694) | more than 3 years ago | (#35291076)

This sounds like a denial-of-service flaw. Such flaws are considered "low severity" in all but the rarest cases. A high-severity flaw would be one which either gives a hacker control of a service or access to sensitive information.

It depends entirely upon the requirements for availability. I agree that generally the A in the CIA triad is the least important, but not by any means always.

Imagine if this could be easily leveraged to shut down all DNS resolvers for, say, all of Comcast. Wouldn't you agree that it's probably a greater impact than, say, a single unimportant desktop somewhere in marketing being compromised by the Flash Of The Day vulnerability?

Thus is the black magic of IT risk management. :)

That said, my first thought when reading this headline was the same as yours.

Re:not "high severity" (1)

vlm (69642) | more than 3 years ago | (#35291258)

Imagine if this could be easily leveraged to shut down all DNS resolvers for, say, all of Comcast.

Why would your resolvers ever do an IXFR? That takes quite an imagination. Now your secondary authoritative servers might be knocked out if they allow IXFRs in addition to the "traditional" AXFR zone transfers.

Re:not "high severity" (1)

Leebert (1694) | more than 3 years ago | (#35291584)

"Imagine if". I was using a hypothetical to demonstrate a completely different point.

Re:not "high severity" (1)

Lord Ender (156273) | more than 3 years ago | (#35291720)

"High" and "Low" are relative. A high severity DNS flaw would be one that allows attackers to redirect all banking websites to a site they control, as an example. A low severity DNS flaw would be one that makes things not work for a little bit. Any botnet operator could take a DNS server offline anyway, with or without a flaw. Low severity.

Re:not "high severity" (1)

Leebert (1694) | more than 3 years ago | (#35292010)

"High" and "Low" are relative. A high severity DNS flaw would be...

With due respect to your tenure at Slashdot, I believe you're oversimplifying it, or at least not applying common risk management methodology.

Generally, when assessing the impact of a vulnerability, you're going to assess its impact to each of the three components of the security triad.

We admin/security types do generally consider impact to availability as being less of an issue, but my point is that it is situation dependent. The fact is, though, that this particular vulnerability (I believe, I haven't RTFA) is in fact a high impact to availability. It's probably low to confidentiality and integrity, but the *overall* impact taken as a high water mark of impact to each of the CIA, is high. If your own specific environment does not consider availability to be of importance, then your own risk assessment will take that into account and reduce the overall risk as appropriate.

I guess the reason I felt compelled to reply to the original post is because I think that in sysadmin world, there is less methodology and more gut reaction. That makes sense, but I'm trying to help raise awareness that there *are* methodologies which, for better or worse, at least help make sure everyone is using the same terminology.

Hopefully this clarifies my point.

Re:not "high severity" (0)

Lord Ender (156273) | more than 3 years ago | (#35293264)

With due respect to your tenure at Slashdot

[Facepalm] Clearly, you're just a troll with a silly statement like that. Of course, this should be obvious to anyone reading by now, but your responses are really just pedantic, pointless puffery. Broadly speaking, DoS flaws are low severity. And since this is a broad forum, "broadly speaking" is all we can reasonably hope for. We in the security world know that individual circumstances vary. That is so obvious that it goes without saying. So don't expect to get a gold star for pointing out the obvious.

Re:not "high severity" (2)

kangsterizer (1698322) | more than 3 years ago | (#35291310)

http://www.kb.cert.org/vuls/id/559980 [cert.org]
Severity metric: 4.50 (on a scale from 0 to 180)

Sounds like not very high to me either, lol.

That said, it's a kinda serious vulnerability given that the Internet relies a lot on DNS and many servers are running BIND.

Then again, we should be running at least DNSSEC by now, and not provided by BIND, right? right?!

not high severity (2)

Lord Ender (156273) | more than 3 years ago | (#35290858)

High severity threats are those that either disclose sensitive information or allow unauthorized control of a service or system. Denial of service vulnerabilities are almost universally considered low severity. This is just one more in a long list of known ways to DoS a system.

Re:not high severity (1)

assantisz (881107) | more than 3 years ago | (#35291148)

I don't know why the article does not link to the original advisory [isc.org] but the ISC qualified this vulnerability with a severity level high.

Re:not high severity (1)

Bacon Bits (926911) | more than 3 years ago | (#35291282)

That's true, but the CERT advisory only lists the severity metric as 4.5. That's not out of 10. It's out of 180.
http://www.kb.cert.org/vuls/id/559980 [cert.org]

ISC very well may use a different ranking scheme for vulnerabilities. DNS is required to have high availability, and this would severely impact that. ISC may rate it highly simply because the common usage scenarios for BIND make this more concerning.

Re:not high severity (1)

wiredmikey (1824622) | more than 3 years ago | (#35291648)

Assantisz, the article does link to the ISC advisory. And you are correct, they do list it as high severity.

Re:not high severity (1)

phantomcircuit (938963) | more than 3 years ago | (#35291474)

http://tech.slashdot.org/comments.pl?sid=2008894&cid=35290818

DONT DO DAT

Re:not high severity (1)

Lord Ender (156273) | more than 3 years ago | (#35291836)

Yes, I posted twice. But only because slashdot had an outage during which comments were not showing up. Apparently slashdot was queuing up posts but not displaying them until later for a while earlier today. Don't blame me for slashdot's bug.

spamming my startup (0)

Anonymous Coward | more than 3 years ago | (#35290906)

Just an FYI - we use PowerDNS instead of Bind: www.dnshat.com

Re:spamming my startup (1)

Tanktalus (794810) | more than 3 years ago | (#35291318)

Riiight... so you're saying we're better off using younger software than more mature software because, let me see if I got this right, your theory is that the new software has fewer bugs than the mature software?

Now, if you find PowerDNS has more features, easier to set up, what have you, that's fine - that's the purpose of new software attempting to displace old and not the topic here. It's not often that new software has fewer bugs (including security holes) than more mature software.

Neverbind the summary (1)

Anonymous Coward | more than 3 years ago | (#35290940)

This was bound to happen...

Appropriate (0)

Anonymous Coward | more than 3 years ago | (#35291058)

My footer quote reads:

> You will not censor me through bug terrorism. -- James Troup

djbdns (1)

roman_mir (125474) | more than 3 years ago | (#35291062)

djbdns [cr.yp.to] - if you want a secure one.

Re:djbdns (0)

Anonymous Coward | more than 3 years ago | (#35291940)

Hilarious. Really. I lol'd.

Re:djbdns (1)

roman_mir (125474) | more than 3 years ago | (#35292122)

If you think it's worth a lol, then do you think you can make a grand in prize money [cr.yp.to] ?

Re:djbdns (1)

Asm-Coder (929671) | more than 3 years ago | (#35292744)

He could be referring to the lack of DNSSEC. I understand DJB's position on DNSSEC, and he is welcome to not implement it, but since DNSSEC is being adopted as the secure dns system, those of us wishing to use it are no longer able to use djbdns.
Security is more than just preventing privileged escalation and taking control of dns systems. There is risk of spoofing and cache poisoning, (which djbdns has a good record with) which DNSSEC aims to correct, DOS (both as described in this article and DDOS) as well as other attacks.

DJB will not pay out for DOS attacks, as per your link. He explains that the dns system is too fragile, (probably true) and that djbdns is less at risk than BIND. (almost certainly true) However, I have to wonder, if this article were about djbdns, would the finder be paid? There is most certainly a problem with the code, and while a DOS is not as serious as say a cache poisoning, it still has the possibility to be a major problem, and this DOS is not predicated on 'drowning' your target with traffic.

Re:djbdns (0)

Anonymous Coward | more than 3 years ago | (#35292336)

35,000 computers on a spread network using 4 small boxes, P3 still.. DJBDNS. Just after reading this I remember we have DNS. For almost 2 years we didn't touch these machines.

When this happens with BIND it's GOOD for those who use some REALLY USEFUL AND SECURE software, LIKE DJBDNS. Then we start to look if a secure release, or a new version, came out. Lucky US, nothing new. No need to bug the machines... Leave them there 2 more years. Until the next OPEN BIND BUG/FLAW, TO remind US that MAYBE it can be necessary to look if something is new on DJBDNS.

It's incredible people are still using BIND.

Re:djbdns (0)

Anonymous Coward | more than 3 years ago | (#35292642)

That crap not only does not follow the current DNS specifications, it is also incapable of dealing with DNSSEC.

If you don't want BIND, you have unbound and nsd. djbdns is not even a valid choice anymore.

Re:djbdns (2)

Just Some Guy (3352) | more than 3 years ago | (#35292906)

if you want a secure one.

If you want it to be really secure, you'd just turn the server off. If you want secure and functional, it isn't even an option.

I'll say it: djbdns is the least secure popular DNS daemon. Its fatal flaw is that it only implements the easiest parts of DNS. Maybe it's exceedingly secure at handling that stuff. Who knows? Who cares? It leaves all the hard part of DNS administration to be re-implemented at every single site. For example, to the best of my knowledge, djbdns still doesn't implement IXFRs. The security vulnerability:

BIND method for dynamic DNS

  1. Configure a TSIG key and install it on the master and slave servers.
  2. Tell the master server to send notifications to the slaves.
  3. Slap your hands together in "job well done" manner and go drink a beer.

djbdns method for dynamic DNS

  1. Roll out some half-assed rsync-based implementation to send updates from the master to the slaves.
  2. Don't forget to use SSH!
  3. Don't forget to use public key authentication!
  4. Don't forget to use empty passphrases, or implement some passphrase-caching mechanism!
  5. Hey, maybe this would be a good time to spend a week learning about Kerberos!
  6. Don't forget to lock down the 'namedaemon' accounts on the slaves so that they can only run rsync and not get full shell privileges!
  7. Don't forget to lock down rsync so that it can't write outside djbdns's non-standard configuration directories!
  8. Figure out a way to make it interact with your outsourced slave DNS systems, all of which are running BIND or something compatible with it.
  9. Figure out whether to use time-based or delta-size-based algorithms to decide how often to trigger your proprietary sync system.
  10. Explain to your boss why you spent two weeks dicking around with something that didn't have to be dicked around with had you picked something less bizarre.

djbdns pretends to be secure by ignoring all the things that make DNS "interesting". That's like writing a computer language with one instruction - say "subtract, branch negative", making that one instruction very robust, then making fun of people who use "insecure languages" (which happens to be everything but yours, as you loudly explain to everyone who will listen). No thanks.
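To make the three-step BIND procedure above concrete, and to answer vlm's earlier "do I even run IXFR or dynamic updates?" question, here is an added example that is not from any poster, ISC or the BIND project: two constructed `named.conf` fragments (one per host) wiring a shared TSIG key into `allow-transfer`, `allow-update` and the slave's `server` statement, plus a grep-based check that reports which settings put a server on the code path the advisory describes (applying a dynamic update, or pulling an IXFR as a slave). The zone name, addresses, key name and key secret are placeholders; the real secret comes from `tsig-keygen` (or `dnssec-keygen` on older BIND).

```shell
#!/bin/sh
# Added example: the TSIG-keyed master/slave setup the post describes, as two
# constructed named.conf fragments (one per host), plus a check that lists the
# settings putting a server on the code path the advisory talks about: applying
# a dynamic update or an incoming IXFR. Names, addresses and the key secret are
# placeholders; generate a real secret with tsig-keygen (or dnssec-keygen on
# older BIND) and never paste it into a public file.

MASTER_CONF=$(mktemp)
SLAVE_CONF=$(mktemp)
STATIC_CONF=$(mktemp)
trap 'rm -f "$MASTER_CONF" "$SLAVE_CONF" "$STATIC_CONF"' EXIT

# Master (192.0.2.1): transfers and dynamic updates only with the shared key,
# and NOTIFY sent to the slave so it pulls changes promptly.
cat > "$MASTER_CONF" <<'EOF'
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-NOT-A-REAL-SECRET==";   // replace with tsig-keygen output
};
zone "example.test" {
    type master;
    file "example.test.zone";
    allow-transfer { key "xfer-key"; };         // AXFR/IXFR require the key
    allow-update   { key "xfer-key"; };         // nsupdate clients require the key
    notify yes;
    also-notify    { 192.0.2.53; };
};
EOF

# Slave (192.0.2.53): same key, signs its transfer requests to the master.
cat > "$SLAVE_CONF" <<'EOF'
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-NOT-A-REAL-SECRET==";
};
server 192.0.2.1 { keys { "xfer-key"; }; };
zone "example.test" {
    type slave;
    file "slaves/example.test.zone";
    masters { 192.0.2.1; };
};
EOF

# A master that neither takes updates nor pulls zones: not on that code path.
cat > "$STATIC_CONF" <<'EOF'
zone "static.test" {
    type master;
    file "static.test.zone";
    allow-update { none; };
};
EOF

# update_paths CONF -> prints each reason CONF puts named on the IXFR/update
# path; exit status 0 if any was found, 1 if none. Plain grep over the file, so
# it runs without BIND installed. BIND 9 slaves request IXFR unless
# "request-ixfr no" is set, so a slave zone counts even with no IXFR option.
update_paths() {
    conf="$1"; found=1
    if grep -Eq '^[[:space:]]*allow-update[[:space:]]*[{][^}]*(key|any|[0-9])' "$conf" \
       || grep -Eq '^[[:space:]]*update-policy' "$conf"; then
        echo "$conf: accepts dynamic updates (allow-update/update-policy)"
        found=0
    fi
    if grep -Eq '^[[:space:]]*type[[:space:]]+slave' "$conf" \
       && ! grep -Eq 'request-ixfr[[:space:]]+no' "$conf"; then
        echo "$conf: has slave zone(s) that will request IXFR from the master"
        found=0
    fi
    return $found
}

for f in "$MASTER_CONF" "$SLAVE_CONF" "$STATIC_CONF"; do
    update_paths "$f" || echo "$f: no dynamic-update or IXFR path found"
done
```

The check is a line-oriented approximation: it does not parse `include` directives or multi-line ACL definitions, so treat a "no path found" result on a complex configuration as a hint to read `named.conf` by hand rather than as proof. On a server that does sit on that path, the thread's own advice applies: move to a release outside the affected range.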

Re:djbdns (1)

roman_mir (125474) | more than 3 years ago | (#35293244)

Hey, you need interesting? You got it. It's this story.

My server is not interesting. It's boring like a fuck.

BIND code used in other software? (1)

djdanlib (732853) | more than 3 years ago | (#35292136)

Does anyone know which DNS servers are either derived from or just repackaged BIND? I haven't been able to find this information anywhere.
