
Routing and DNS Security Ignored By ISPs

Unknown Lamer posted about 7 months ago | from the netblock-hijackers dept.

The Internet 101

Bismillah (993337) writes "The re-routing of Google's public DNS servers last weekend was yet another example of how easy it is to 'steal the Internet' by abusing today's trust-based networks. Problem is, ISPs don't seem to care about that, or securing DNS which is another attack vector that doesn't require compromising end users' systems. Why isn't more done to secure routing and DNS then?" The route announcement was likely unintentional. The chief scientist at APNIC noted that implementing RPKI would solve the problem, but far too few ISPs bother with it.
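What the RPKI check mentioned in the summary amounts to, as an added example that is not part of the original story or comments: a minimal route origin validation in the style of RFC 6811, plus the import policy an ISP would apply. The prefixes and AS numbers are documentation-range values and the ROA data is constructed for illustration.

```python
"""Route origin validation in the style of RFC 6811 (offline model).

All prefixes, AS numbers and ROA data below are constructed sample values
from the documentation ranges; they describe no real network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Union

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: which AS may originate a prefix, and how
    specific an announcement of it may be."""
    prefix: Network
    max_length: int
    asn: int


def make_vrp(prefix, max_length, asn):
    return VRP(ipaddress.ip_network(prefix), max_length, asn)


def validate_origin(vrps, route_prefix, origin_asn):
    """Classify one BGP announcement against the VRP set.

    valid     - a covering VRP matches the origin AS and the length limit
    invalid   - the prefix is covered by a VRP, but none of them matches
    not-found - no VRP covers the prefix (nobody published a ROA)
    """
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for v in vrps:
        # subnet_of() raises TypeError on mixed IPv4/IPv6, so check first.
        if route.version != v.prefix.version or not route.subnet_of(v.prefix):
            continue
        covered = True
        if route.prefixlen <= v.max_length and origin_asn == v.asn:
            return VALID
    return INVALID if covered else NOT_FOUND


def import_filter(vrps, announcements):
    """Import policy: drop invalid routes, keep valid and not-found ones."""
    accepted, rejected = [], []
    for prefix, asn in announcements:
        state = validate_origin(vrps, prefix, asn)
        target = rejected if state == INVALID else accepted
        target.append((prefix, asn, state))
    return accepted, rejected


# Constructed ROA: AS64496 may originate 192.0.2.0/24, nothing more specific.
SAMPLE_VRPS = [make_vrp("192.0.2.0/24", 24, 64496)]

# Constructed announcements as a router might receive them from peers.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # legitimate origin
    ("192.0.2.0/24", 64511),     # same prefix, wrong origin AS
    ("192.0.2.53/32", 64511),    # more-specific route from the wrong AS
    ("192.0.2.0/25", 64496),     # right AS, but longer than max_length
    ("198.51.100.0/24", 64511),  # no ROA published for this prefix
]

if __name__ == "__main__":
    accepted, rejected = import_filter(SAMPLE_VRPS, SAMPLE_ANNOUNCEMENTS)
    for prefix, asn, state in accepted:
        print(f"accept {prefix:<18} AS{asn}  ({state})")
    for prefix, asn, state in rejected:
        print(f"reject {prefix:<18} AS{asn}  ({state})")
```

The last sample route shows the limit RR raises further down: a prefix whose owner never published a ROA comes back not-found, and a filter that only drops invalid routes still accepts it.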

101 comments

Time = Money (0, Informative)

Anonymous Coward | about 7 months ago | (#46525441)

Time to implement, processing to utilize, doesn't matter. If it takes time it already costs too much money.

Re:Time = Money (2)

Anonymous Coward | about 7 months ago | (#46525521)

I have reported compromised sites, massive spamming IP addresses, malware hosting, exploit kits, all kinds of stuff to ISPs, obvious phishing-only domains, hosting providers, and registrars for a while now. Probably close to 1000 reports.

Many companies give a shit.

Many do not. They are here to make money and could care less if the guy renting the storage unit is cooking meth, so long as they make rent. Doesn't matter if the reputation of the storage unit goes down, or poison spills into the streets. As long as the rent is paid, they don't give a shit.

GoDaddy (secureserver) is funny. They sometimes care. Sometimes they ignore it, sometimes they claim they aren't the IP owner, sometimes they wait a month to do anything, and sometimes they jump all over it.

Voxility (Eastern Europe).... forget about it. Basically a botnet VPS.

OVH, increasingly large IP blocks becoming malware, spammer, and pharmascammer IPs. Decreasingly giving a shit.

Rackspace jumps all over it.

Re:Time = Money (0)

Anonymous Coward | about 7 months ago | (#46526015)

I think you mean "couldn't care less".

Re:Time = Money (1)

Krojack (575051) | about 7 months ago | (#46526181)

Most don't give a shit as long as the clients are paying the bills.

The hosting company I work for was like this at one point. The company VP (who has been fired since) made the final call and he said, "If they are current on their bill then ignore it." The only way he would shut a site down is if money was owed or the person complaining had some court order.

Oh, and the VP would also send out SPAM himself while I was sitting here trying to stop SPAM in our mail servers. I hated that guy so much.

Re:Time = Money (2)

gmack (197796) | about 7 months ago | (#46526415)

Groupe Telecom used to be like that since they considered themselves too big to fail (or rather too big to be taken down). I had a decent job until the final months of the job where my boss (Leo Kuvayev before his infamous spammer days) decided to team up with Alan Ralsky and Spam the crap out of some porn sites. Before they started they were assured by their account manager that all complaints would be ignored. After trying to talk them out of it I quit and moved on to another job.

A few months later I ran into my replacement in an elevator while he was searching for new hosting. It seems Group "We're a billion dollar company" Telecom were forced to change their policy thanks to multiple blacklists that did a lot of damage to their business.

Re:Time = Money (0)

Anonymous Coward | about 7 months ago | (#46526921)

Which is why if you have an account with Taiwan's HINET, you cannot access anything on my servers. Not websites, not file downloads and ESPECIALLY not email.

They care so little about the ethics - or at least cleanliness, assuming malware-driven traffic - of their customers that I've blocked their entire set of IP banks. I simply got too tired of fending off attempts to hijack my mailservers.

RE:Time=Money (1)

Fyrebaugh (1265302) | about 7 months ago | (#46527997)

It is hard to clean these up; most Spam Blacklists require each individual IP to be checked and a form filled out. Then SpamRats require that the IP meet a reverse DNS lookup naming convention for a mail server, even if it is a standard internet customer, with no email server at the IP. If you have a block of IPs, that is a large time sink to request each one individually be de-listed!

Good (0)

Anonymous Coward | about 7 months ago | (#46525465)

DNSSec is the LAST thing we need now that Obama is going to give control of the DNS servers to the international fascist partnership. Those companies will be blocking stuff in the United States, according to their own beliefs and their own governments, and that will be direct violation to free speech rights here in the U.S.

We need to have the ability to ignore ISPs and their DNS restrictions. Lots of people need to put up their own DNS sources, so any removals or blocks via DNS can't be done.

Best thing to do is no longer be dependent on it.

Re:Good (0)

Anonymous Coward | about 7 months ago | (#46525561)

Well, that paranoia about fascism aside; you can't simply stop relying on DNS, it's a basic protocol of the internet, and using something else is virtually impossible.

Namecoin. (0)

Anonymous Coward | about 7 months ago | (#46525661)

The answer is Namecoin.

Re:Namecoin. (1)

lister king of smeg (2481612) | about 7 months ago | (#46526863)

The answer is Namecoin.

I want to use namecoin but it just isn't there yet; it needs some more work to get the rough edges off first, and more devs. If they want it to take off, what they need to implement is a dns proxy that intercepts the namecoin queries and passes traditional dns through to your dns server of choice.

Re:Good (0)

Anonymous Coward | about 7 months ago | (#46525593)

Oh please, the USA was far worse than your perceived paranoia about you being censored by some authority outside the USA. Did you know: The US Government seizes international domains on the premise of copyright infringement, so yeah, pick your poison. I know which one I'd rather pick and it's not the USA option.

Re:Good (2)

sosume (680416) | about 7 months ago | (#46526261)

Sure, until the DNS steering committee becomes headed by the representatives of Iran, North Korea, Pakistan and Jemen.

Re:Good (0)

Anonymous Coward | about 7 months ago | (#46526831)

You think that the US will bow to foreign interests, especially where it harms the US economy, man I want some of what you're smoking.

Re:Good (1)

mjwx (966435) | about 7 months ago | (#46530707)

Sure, until the DNS steering committee becomes headed by the representatives of Iran, North Korea, Pakistan and Jemen.

that would be a good thing.

Iran, Pakistan and North Korea would never even be able to agree on what to have for lunch. Hell, Iran and Pakistan would be at each other's throats (Shiite Persians and Sunni Arabs, so they'd block each other just because of that) and North Korea is completely ineffectual. It would be deadlock, leaving DNS implementers to their own devices.

Also, where the fsck is Jemen?

Re:Good (1)

lister king of smeg (2481612) | about 7 months ago | (#46526987)

Oh please, the USA was far worse than your perceived paranoia about you being censored by some authority outside the USA. Did you know: The US Government seizes international domains on the premise of copyright infringement, so yeah, pick your poison. I know which one I'd rather pick and it's not the USA option.

Have you paid attention to the situation in the UK? They are blocking pretty much any site the politicians in power view as unsavory and they are one of the more freedom respecting liberal nations. Just wait until China gets a say in what gets the internet wide BanHammer or the Saudis get to ban anyone saying something untasteful about Allah or Mohammad.

UN human rights: Cuba, Russia, China, Saudi Arabia (1)

raymorris (2726007) | about 7 months ago | (#46528075)

The UN council on human rights consists of 18 countries including Cuba, Russia, China, and Saudi Arabia. Do you really think an internet council is going to protect free speech? With Iran, China, or North Korea as the chair?

Re:Good (0)

Anonymous Coward | about 7 months ago | (#46530989)

Oh please, the USA was far worse than your perceived paranoia about you being censored by some authority outside the USA. Did you know: The US Government seizes international domains on the premise of copyright infringement, so yeah, pick your poison. I know which one I'd rather pick and it's not the USA option.

Great, so what you're saying is that if a Muslim country gets a hold of the controls, they WON'T block/seize domains which make fun of their Prophet? That Russia won't block "Gay Domains"? I'd ask you to pass some of that shit you're smoking over here, but I don't want the obviously massive brain damage it's causing you.

AC - so true. (0)

Anonymous Coward | about 7 months ago | (#46527395)

So true. Once the UN gets its hands on the TLDs, it will be abused. ".bit"/namecoin and other distributed TLDs are a solution over the longer term.

Re:Good (0)

Anonymous Coward | about 7 months ago | (#46530963)

We need to have the ability to ignore ISPs and their DNS restrictions.

I have never seen an ISP which blocks or otherwise restricts your ability to use a 3rd party DNS service.
Most do not encourage it, because a) it messes with their web caching services and b) if you're using your ISP's internal DNS then external BGP route poisoning (you know, like what the article is actually talking about?) simply isn't going to affect you.

Re:Good (1)

Lennie (16154) | about 7 months ago | (#46537267)

There is a chance this will change in the (near ?) future.

The US government says they are going to let ICANN 'go global':

http://www.ntia.doc.gov/press-... [doc.gov]

Re:Good (1)

jonwil (467024) | about 7 months ago | (#46538681)

DNSSEC doesn't really change anything re DNS based blocking. To date I have seen 2 different actions re blocking, the first is seizure (e.g. where the US government has asked/ordered/forced the US-based VeriSign .com registrar to point dodgysite.com to a computer that displays domain seizure message). In this case the new domain records would be signed with DNSSEC and everything would validate.

The second is blocks at the ISP level (e.g. UK courts ordering blocking of pirate sites). Since these domains aren't under the jurisdiction of the relevant courts/countries (otherwise they would likely have ordered the sites/domains seized or taken down), they can force the ISPs to change their local DNS servers but then the DNSSEC signatures won't validate anymore (e.g. if piratebay.se is ordered blocked, the NSEC records for .se won't match anymore and a properly written DNSSEC validator will identify that piratebay.se is supposed to exist but is returning nxdomain and return an error)

#2 also applies if an ISP unilaterally decides to fiddle with DNS and redirect things (returning something other than nxdomain for a domain that doesn't exist, redirecting a domain to a new IP or returning nxdomain for a domain that does exist) since it can't re-sign the records it changed.

The use of DNSSEC doesn't make it any easier for, say, Saudi Arabia to block content it doesn't like at the DNS level (regardless of what the US may do in terms of giving up its regulation of DNS)
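The NSEC mismatch described in the comment above, as an added example that is not part of the original thread: a validator accepts an NXDOMAIN only when a signed NSEC record covers the queried name in RFC 4034 canonical order. The zone and its names are constructed, RRSIG verification of each NSEC record is assumed to have already succeeded, and wildcard proofs and NSEC3 are left out.

```python
"""NSEC denial-of-existence check with RFC 4034 canonical name ordering.

Assumption: every (owner, next) pair passed in comes from an NSEC record
whose RRSIG has already been verified against the zone's key. A resolver
that rewrites answers cannot produce new pairs, only replay genuine ones.
The zone "example." and all names in it are constructed sample data.
"""

SECURE, BOGUS = "secure", "bogus"


def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 ordering: compare labels from the
    rightmost one, lower-cased, as byte strings; a missing label sorts first
    (tuple comparison gives exactly that)."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def nsec_covers(owner, next_name, qname):
    """True if qname falls strictly inside the gap this NSEC record spans."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    # Last record of the chain: "next" wraps around to the zone apex.
    return q > o or q < n


def validate_nxdomain(qname, signed_nsecs):
    """Decide whether an NXDOMAIN answer for qname is proven.

    Returns (status, reason). BOGUS means the validator must treat the
    answer as an error instead of believing the name does not exist.
    """
    q = canonical_key(qname)
    for owner, next_name in signed_nsecs:
        if q in (canonical_key(owner), canonical_key(next_name)):
            return BOGUS, f"{qname} appears in the signed NSEC chain, so it exists"
    for owner, next_name in signed_nsecs:
        if nsec_covers(owner, next_name, qname):
            return SECURE, f"covered by NSEC {owner} -> {next_name}"
    return BOGUS, "no signed NSEC covers the name; NXDOMAIN is unproven"


# Constructed signed NSEC chain for a zone with three delegations.
ZONE_CHAIN = [
    ("example.", "alpha.example."),
    ("alpha.example.", "blocked.example."),
    ("blocked.example.", "zeta.example."),
    ("zeta.example.", "example."),  # wraps back to the apex
]

if __name__ == "__main__":
    cases = [
        ("honest NXDOMAIN", "missing.example.", ZONE_CHAIN),
        ("name past the last owner", "zzz.example.", ZONE_CHAIN),
        ("forged NXDOMAIN, genuine chain", "blocked.example.", ZONE_CHAIN),
        ("forged NXDOMAIN, unrelated NSEC replayed", "blocked.example.",
         [("example.", "alpha.example.")]),
    ]
    for label, qname, nsecs in cases:
        status, reason = validate_nxdomain(qname, nsecs)
        print(f"{label:<42} {status:<7} {reason}")
```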

Steal the Internet (0)

Anonymous Coward | about 7 months ago | (#46525491)

...yet another example of how easy it is to 'steal the Internet'

Of course it is! See how small it is! [youtube.com]

Do VPNs protect against this? (0)

Anonymous Coward | about 7 months ago | (#46525497)

Because that is a cheap solution for end users to implement and sometimes it's also easy to implement depending on the solution provider.

Re:Do VPNs protect against this? (1)

cheater512 (783349) | about 7 months ago | (#46526463)

No this has little to do with end users. This is a big networks issue.

If your VPN endpoint also saw the hijacked route then you'd equally be stuffed.

Re:Do VPNs protect against this? (0)

Anonymous Coward | about 7 months ago | (#46527009)

Custom hosts files do work (you control your fav sites is why) http://tech.slashdot.org/comme... [slashdot.org]

Re: Do VPNs protect against this? (0)

Anonymous Coward | about 7 months ago | (#46527807)

If your routes were hijacked, your hosts file would prove to be useless. The problem is not with DNS, but with BGP.

I know (long ago, on BGP) (-1)

Anonymous Coward | about 7 months ago | (#46527915)

Agreed, but DNS poisoning (Kaminsky) is eliminated using hosts hardcoded favorite sites (nothing stops BGP "hacking" though, admittedly, as I have admitted before here on /., LONG ago regarding hosts & BGP -> http://tech.slashdot.org/comme... [slashdot.org] as my "proof thereof", per my subject-line... )

APK

P.S.=> Now, I think we're on the "same page"... apk

Re: I know (long ago, on BGP) (0)

Anonymous Coward | about 7 months ago | (#46528055)

The question was about VPN protection against a BGP-related problem that, in this case, affected a fundamental element of the web (DNS); hence the article. The answer is no.

When your routes (read IPs) are hijacked, the traffic for affected addresses is redirected. /etc/hosts is useless as it only lists IPs.

If only your DNS server was hijacked (through whatever means), the results can be falsified and, in this case, /etc/hosts would be useful for IPs in it.

Maintaining the file when you're a lone cat is doable, but tricky for a network of users.

Did you even READ my post? (-1)

Anonymous Coward | about 7 months ago | (#46528163)

Again: I KNOW (on BGP & hosts), 4++ yrs. ago no less -> http://tech.slashdot.org/comme... [slashdot.org] & there's your proof of that much!

APK

P.S.=> However (again): Vs. OTHER "issues" DNS specifically has, such as redirect poisonings (ala the Kaminsky bug, which 99% of ISPs are STILL UNPATCHED FOR NO LESS mind you), hosts work great... apk

I know, dolt (long ago, proof inside) (0)

Anonymous Coward | about 7 months ago | (#46552637)

It stalls issues in DNS (redirects), & BGP? I knew 4++ yrs. ago (did you even read my other posts?) -> http://tech.slashdot.org/comme... [slashdot.org]

(& there's your proof of that much - all the downmods in the WORLD you're doing, obviously via your registered 'luser' account? Don't matter - I have NO POST LIMITS like others ACs here... I'll just post it again, to BURN YOUR ASS pussy!)

APK

P.S.=> However (again): Vs. OTHER "issues" DNS specifically has, such as redirect poisonings (ala the Kaminsky bug, which 99% of ISPs are STILL UNPATCHED FOR NO LESS mind you), hosts work great...

... apk

obvious reason (2, Insightful)

slashmydots (2189826) | about 7 months ago | (#46525515)

This article is slightly incorrect. It's not that they won't "want" to implement it, it's that it would cost money and competition is completely insane right now for ISPs. If you can't put it on a billboard as a feature, they're not interested because it costs money without generating more users.

Re:obvious reason (1)

saleenS281 (859657) | about 7 months ago | (#46525581)

Where is this fabled competition you speak of? You must not live in the US.

Re:obvious reason (1)

slashmydots (2189826) | about 7 months ago | (#46525725)

You must live in some dumpy, backwards rural area where there's a monopoly. In my city with a whopping 60,000 people, we can get AT&T, Time Warner, TDS, and probably some weird third party DSL ones like MPC, Earthlink, etc. All the major satellite TV providers have 3rd party agreements to lease DSL lines as well so you can get an internet connection "through them" as well.

Re:obvious reason (1)

Anonymous Coward | about 7 months ago | (#46525811)

You must live in some dumpy, backwards rural area where there's a monopoly.

I live in downtown Boston. There is only one option for an ISP that is >768kbps and $200/month.

Re:obvious reason (1)

slashmydots (2189826) | about 7 months ago | (#46526097)

Oh, I forgot to mention overpopulated 400 year old cities with no infrastructure and every other building being a historical site as being internet nightmares as well.

Re:obvious reason (1)

OneAhead (1495535) | about 7 months ago | (#46526233)

Oh, so then can you explain why big European cities, which are much more conservative about touching their >400 years old landmarks, feature sprawling competition, with much higher speeds and lower prices than the old American cities you speak of?

Re:obvious reason (0)

Anonymous Coward | about 7 months ago | (#46526297)

This is where wireless shines, but depending on the perceived ROI, a lot of companies won't show up and deploy it unless they'll double their cash in a few years.

Re:obvious reason (0)

Anonymous Coward | about 7 months ago | (#46526169)

Similar situation in parts of downtown Baltimore (except that the price is not nearly that high; $200/m is completely nuts). I can only speculate the place slashmydots lives is too small to be worth the effort of obtaining a monopoly. Either that or it's one of the rare places in the US with some political integrity. Hahahaha kidding.

Re:obvious reason (1)

saleenS281 (859657) | about 7 months ago | (#46526043)

Or I live in a large city with the options of Comcast or Centurylink. Centurylink doesn't provide anything faster than 7mbps (advertised) - which actually works out to about 5mbps by the time it hits your door step and struggles to stream anything in high def without buffering indefinitely. So I have one option of Comcast if I want a connection that's faster than what was offered a DECADE ago. Which is about the exact situation 90% of the US broadband market currently faces.

Re:obvious reason (1)

slashmydots (2189826) | about 7 months ago | (#46526107)

You know, netflix caps at 3 megabits in HD. Anyway, I have a 15x1 connection over cable for $38/mo after all fees.

Re:obvious reason (1)

saleenS281 (859657) | about 7 months ago | (#46526149)

That's patently false. Their 1080p "SuperHD" streams will run up to 12mbps if you have that much available.

Re:obvious reason (0)

Anonymous Coward | about 7 months ago | (#46528387)

Centurylink DSL V2

Via Speedtest.net

Ping 36ms

Down 31.19mbps

Up 4.61mbps

over WIFI with a lot of other devices connected it depends on your area.

Re:obvious reason (1)

saleenS281 (859657) | about 7 months ago | (#46528429)

Centurylink doesn't offer FTTN in my area. Their total coverage area is a fraction of their user base.

Most of us have a Duopoly (1)

sjbe (173966) | about 7 months ago | (#46527647)

You must live in some dumpy, backwards rural area where there's a monopoly.

That's pretty condescending. I live in one of the 10 largest metro areas in the US. My broadband choices at my house consist of Comcast where I can get 100mbit speeds or Frontier which gives 6mbit speeds if I want wired access. That means realistically I have one option if I give a shit about the speed of my internet connection. Not exactly what I'd call real competition. Oh I could cut the cord and go wireless I suppose but that has plenty of problems and I'd lose a lot of connection speed and gain a lot of latency plus I'd have to buy a bunch of new hardware or tether my phone every time I want to go online.

Out here in the real world in most places you have at most two sets of data cables (phone and cable tv) coming to your house. You do not have more options than the number of wires available to you even if you have other companies offering you service. Earthlink doesn't have phone lines to your house - the actual last mile is provided by someone else like AT&T. 75% of the US has exactly one landline cable TV option and a similar percent has precisely one phone option. So essentially most of us are under a duopoly. AT&T/Verizon or Comcast/TWC or something similar.

Re:obvious reason (1)

Urza9814 (883915) | about 7 months ago | (#46530005)

Where the hell do *you* live?

I'm in freakin downtown Providence, RI and I have exactly two options: Cox or FiOS. Been here two years, already been screwed over by *both*.

Re:obvious reason (0)

Anonymous Coward | about 7 months ago | (#46526247)

When the cartel fixes prices, the only way to make more money is to cut costs.

Re:obvious reason (1)

Dragonslicer (991472) | about 7 months ago | (#46525655)

If you can't put it on a billboard as a feature, they're not interested because it costs money without generating more users.

Seems a bit disturbing that "We help prevent your connection to Google from being hijacked by identity thieves" isn't considered a feature.

Re:obvious reason (1)

slashmydots (2189826) | about 7 months ago | (#46525739)

Then they'd have the same problem I do at my computer repair shop. They go download every BHO known to man then call in and claim their ad said they were magically protected from all internet hijacking (browser = internet if user == stupid). People stop into my shop saying obviously I'm wrong because I put on "the best" antivirus and yet they still managed to catch a virus.

Re:obvious reason (1)

RR (64484) | about 7 months ago | (#46526819)

If you can't put it on a billboard as a feature, they're not interested because it costs money without generating more users.

Seems a bit disturbing that "We help prevent your connection to Google from being hijacked by identity thieves" isn't considered a feature.

They can't do this unilaterally.

RPKI and DNSSEC are important, but they won't work if the resource or domain owner doesn't use them. For example, Google's public DNS service performs DNSSEC validation, but Google's own DNS zones are unsigned and do not validate using DNSSEC. Even with automation, DNSSEC increases the administrative burden of running a domain, so I see why they don't, but I don't excuse them.

Re:obvious reason (1)

Lennie (16154) | about 7 months ago | (#46538133)

It isn't just the administrative burden.

A failure to get DNSSEC right could take down the domain for hours without an easy way to recover.

Re:obvious reason (1)

RR (64484) | about 7 months ago | (#46538785)

A failure to get DNSSEC right could take down the domain for hours without an easy way to recover.

What are you talking about? DNS does that, anyway.

DNSSEC records are distributed and expire just like any other record. Make a mistake deploying DNSSEC, then just fix it, and eventually the bad records will expire and the new ones will take over. The major issue I see is that the TLD registrar needs to hold DS records for your key, so now your registrar needs to do NS, DS, and glue records.

Worst case scenario, you lose the secure entry point keys. So, you use some out-of-band management interface to change the DS records in the TLD. That's slightly worse than without DNSSEC, because you could mess up your zone all you want without involving the TLD administrator. But the bad DS records expire, the new ones take over, you're back in business.

For a company the size of Google, they'll probably want the SEP keys to be held in a HSM. Maybe they'll put all their private keys in a bunch of HSMs. You can have more than 1 DS record, so they can distribute their HSMs as widely as they want. There's no good reason why Google can't do DNSSEC.

Re:obvious reason (1)

Lennie (16154) | about 7 months ago | (#46541087)

The complexity of DNSSEC makes it easier to make such a mistake.

Re:obvious reason (1)

Lennie (16154) | about 7 months ago | (#46541099)

Let me add something: it is extra risk in comparison to non-DNSSEC DNS deployment.

Re:obvious reason (1)

RR (64484) | about 7 months ago | (#46549893)

So you create a working configuration, and you script it.

This is not your neighborhood club's web site. This is Google. I'm sure they have the resources at hand to do configuration management on their DNS servers. So, once it's set up, you just need to renew the registrar's DS records appropriately. You need to communicate with your registrar regularly, anyway, to keep your zone from expiring. Unless you want your cloud to fall down like a Microsoft cloud.

Greater complexity is usually greater risk, but we already know that not having DNSSEC is risky. DNSSEC was invented to eliminate certain types of risks.

Re:obvious reason (1)

Jane Q. Public (1010737) | about 7 months ago | (#46525987)

" It's not that they won't "want" to implement it, it's that it would cost money and competition is completely insane right now for ISPs."

Are you in the United States? If so, you're nuts. Your local situation does not translate to the rest of the country.

80% of the people here live where there is a cable monopoly. Mostly Comcast or Time-Warner. In most places DSL is not as fast for the money, and satellite has too much latency for business use.

"Competition", my ass. They don't do it because it costs money, but their customers are locked-in, so they don't have to.

Why do you think broadband is so much more expensive in the U.S. than it is in the rest of the Western world? That's right: lack of competition.

Re:obvious reason (1)

Gothmolly (148874) | about 7 months ago | (#46526837)

Because the cities grant monopolies to companies. You don't bring a dollar to a gunfight, unless you bring a lot of dollars.

what competition? (0)

Anonymous Coward | about 7 months ago | (#46527629)

In my area, for high speed, we have ATT and Comcast. If you want more than 10Mbps, you have Comcast and that's it. If you want unlimited bandwidth, you also only have Comcast. That's 1 ISP, just one. So please tell me, where's that competition that's so insane right now?

Its one of their main tools (0)

Anonymous Coward | about 7 months ago | (#46525553)

Of course ISPs don't want DNS security.
They abuse it regularly in order to "manage" the traffic on their network, and for commercial gain.

Custom hosts files to the rescue (-1)

Anonymous Coward | about 7 months ago | (#46525705)

Vs. DNS faults: How/Why? This (see B below) - Hosts do more w/ less (1 file) @ a faster level (ring 0) vs redundant browser addons (slowing up slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ OS, & 1st net resolver queried w\ 45++ yrs.of optimization):

---

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?o... [start64.com]

(Details of hosts' benefits enumerated in link)

Summary:

---

A. ) Hosts do more than AdBlock ("souled-out" 2 Google/Crippled by default) + Ghostery (Advertiser owned) - "Fox guards henhouse", or Request Policy -> http://yro.slashdot.org/commen... [slashdot.org]

B. ) Hosts add reliability vs. downed or redirected DNS + secure vs. known malicious domains too -> http://tech.slashdot.org/comme... [slashdot.org] w/ less added "moving parts" complexity + room 4 breakdown,

C. ) Hosts files yield more speed (blocks ads & hardcodes fav sites - faster than remote DNS), security (vs. malicious domains serving mal-content + block spam/phish), reliability (vs. downed or Kaminsky redirect vulnerable DNS, 99% = unpatched vs. it & worst @ ISP level + weak vs FastFlux + DynDNS botnets), & anonymity (vs. dns request logs + DNSBL's).

---

* Addons are more complex + slowup browsers in message passing (use a few concurrently & see) - Addons slowdown SLOWER usermode browsers layering on MORE: I work w/ what you have in kernelmode, via hosts (A tightly integrated PART of the IP stack itself)

APK

P.S.=> * "A fool makes things bigger + more complex: It takes a touch of genius & a lot of courage to move in the opposite direction." - Einstein

** "Less is more" = GOOD engineering!

*** "The premise is, quite simple: Take something designed by nature & reprogram it to make it work FOR the body, rather than against it..." - Dr. Alice Krippen "I AM LEGEND"

...apk

Re:Custom hosts files to the rescue (0)

Anonymous Coward | about 7 months ago | (#46525865)

Well that's odd considering you've been 'dead' about a year now.. They have Internet-access in Hell then? is it 45 years alive devel, or 44 + 1 dead?

Re:Custom hosts files to the rescue (0)

Anonymous Coward | about 7 months ago | (#46525943)

It's hilarious seeing you trolls fail constantly vs. apk on hosts. When the best you got is nothing more than illogical off-topic trolling and failed ad hominem attacks, yet being unable to validly disprove apk's points on hosts giving users more speed, security, reliability, & even anonymity? Well, it says it all: You failed.

Re:Custom hosts files to the rescue (1)

lister king of smeg (2481612) | about 7 months ago | (#46527035)

Or I could just apt-get install bind9 and run my own dns server with much less hassle than configuring my host file on every computer and device on my network.

DNS = MORE "moving parts" complexity (-1)

Anonymous Coward | about 7 months ago | (#46527081)

Plus more room for breakdown & power consumption, as well as wasting CPU cycles, RAM, + other forms of I/O for doing what hosts can do, easily (especially with my app -> http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74 ) ?

* Yea, lol... you COULD do that!

APK

P.S.=> Moving a custom hosts file around a network = cake too (logon scripts or cronjob/tasks scheduler from a central admin account & workstation/server), especially since hosts keep you SAFE from the FAULTY DNS system, by avoiding it totally... period!

... apk

DNS = more moving parts complexity (0)

Anonymous Coward | about 7 months ago | (#46552551)

Plus more room for breakdown & power consumption, + wasting CPU cycles, RAM, + other forms of I/O for doing what hosts can do, easily (especially with my app -> http://start64.com/index.php?o... [start64.com]

* Yea, lol - You COULD do that (what YOU do) & be a fool... like the FOOL who downmodded my last post just like this one (same material), but yet CAN'T DISPROVE MY POINTS... period.

APK

P.S.=> Moving a custom hosts file around a network = cake too (logon scripts or cronjob/tasks scheduler from a central admin account & workstation/server), especially since hosts keep you SAFE from the FAULTY DNS system, by avoiding it totally... period!

... apk

DNS = FULL of security faults (0)

Anonymous Coward | about 7 months ago | (#46552575)

Plus more room for breakdown via complexity & power consumption, + wasting CPU cycles, RAM, + other forms of I/O for doing what hosts can do, easily (especially with my app -> http://start64.com/index.php?o... [start64.com]

* Yea, lol - You COULD do that (what YOU do) & be a fool... like the FOOL who downmodded my last post just like this one (same material), but yet CAN'T DISPROVE MY POINTS... period.

APK

P.S.=> Moving a custom hosts file around a network = cake too (logon scripts or cronjob/tasks scheduler from a central admin account & workstation/server), especially since hosts keep you SAFE from the FAULTY DNS system, by avoiding it totally... period!

... apk

Re: Custom hosts files to the rescue (0)

Anonymous Coward | about 7 months ago | (#46528213)

ring 0? i always thought hosts was parsed by glibc! wait is glibc part of the kernel now? ... nope!

approximatively korrect? is that it?

You FAIL troll (hosts = part of the IP stack) (-1)

Anonymous Coward | about 7 months ago | (#46528351)

Tcpip.sys driver specifically uses it (since it does dns resolution first by default). This is the order:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
"Class"=dword:00000008
"DnsPriority"=dword:00000007
"HostsPriority"=dword:00000005
"LocalPriority"=dword:00000006
"NetbtPriority"=dword:00000008
"Name"="TCP/IP"

That IS ring 0/rpl 0/kernelmode (pnp driver design iirc) in Windows... & since BOTH Linux + Windows & most others OS use a BSD derived IP stack? Guess what - YOU'RE WRONG - unless the dolts who make the "Open SORES" OS' fucked that up too (because there's roughly a 100 fold speed difference between usermode/ring 3/rpl 3 & kernelmode/ring 0/rpl 0 due to privilege largely & less overheads).

APK

P.S.=> Again, YOU FAIL, troll - "no small wonder" YOUR TECHNICALLY WEAK ASS posts as ac while trolling me (since I've obviously TORCHED YOUR ASS on tech before), since you're not sure of yourself OR your b.s. you spout... apk

Re: You FAIL troll (hosts = part of the IP stack) (0)

Anonymous Coward | about 7 months ago | (#46528521)

You are certainly knowledgeable of Linux and BSD (no less) oh! great A.K.! I can only bow in front of you! You are the master AKs... sorry ACs!

"Rinse, Lather, & Repeat" troll... apk (-1)

Anonymous Coward | about 7 months ago | (#46528801)

No, you just PLAIN FAILED, troll (& badly) -> http://tech.slashdot.org/comme... [slashdot.org]

* :)

You did that, to yourself shooting your mouth off on technical data you had NO CLUE on evidently... so no doubt I'm also correct on WHY YOU POST AS AC WHILE YOU TROLL ME (you know you're going to screw up is why).

APK

P.S.=> "Here endeth the lesson" (main one is RESPECT YOUR BETTERS chump, in me) - remember it, so you don't sound as STUPID as you did (hosts are part of the IP stack & that is a kernelmode process, & faster than usermode)... apk

Re: "Rinse, Lather, & Repeat" troll... apk (0)

Anonymous Coward | about 7 months ago | (#46529555)

Please consult a mental healthcare professional.

Re: "Rinse, Lather, & Repeat" troll... apk (-1)

Anonymous Coward | about 7 months ago | (#46529625)

Why should he? You've made yourself out a fool http://tech.slashdot.org/comme... [slashdot.org] and apk simply annihilated you for it.

Dear Master of ACs (0)

Anonymous Coward | about 7 months ago | (#46529785)

For what it is worth (I think you're satisfied with your ignorance), glibc is the library used, on most unices, to resolve hostnames. This is the _source_.

https://sourceware.org/git/?p=glibc.git;a=blob;f=resolv/gethnamaddr.c

Sure r0 is faster than r3, who would contradict that? Seriously, though, why would you bloat the kernel with such a thing as hostname resolution (whether it is using DNS, Namecoin, or /etc/hosts). If something is wrong with the interpreter, you have a segfault; not a syscrash. One would be brain dead to implement layer 7 in the kernel.

If it's not in kernelmode (-1)

Anonymous Coward | about 7 months ago | (#46529899)

It's slower, period (which you concede): So, there's no question of what I said: It's part of the why of WHY I wrote my app (does more, with less, by far) -> http://start64.com/index.php?o... [start64.com]

Why do things in ring 0/rpl 0/kernelmode vs. ring 3/rpl 3/usermode? Speed... heck, that's why I'd do it there too - if you're NOT?? Then, you're obviously NOT interested in maximum performance.

APK

P.S.=> Anyhow, these trolls always *TRY* to "give me guff" & by ac posts... why bother? All they DO is make ME look GOOD & themselves?? Well... lol, "not so good"... apk

Re:If it's not in kernelmode (0)

Anonymous Coward | about 7 months ago | (#46529961)

Seeing you not respond to my claims about glibc, I strongly suspect you're conceding a point.

Obviously, I am not all about performance. But I see _you_ do. So I am eager (and probably others) to see you demonstrate your "all in ring 0" system. Come talk to me again and I'll give you my website's address. ;)

But the whole point, because you seriously digressed, was about BGP problems. And when you see them affect DNS, the question was: "what are companies waiting for?".

Well, here comes APK with his hosts file solution. Why you might ask him, "because it is faster"...

What point? Usermode = SLOWER? (-1)

Anonymous Coward | about 7 months ago | (#46530023)

I agreed & I operate in kernelmode in essence (the resultant hosts file from my app is a filter used by the IP stack in Windows... period/fact).

LOL - So, (if the "Open SORES" people like that, apparently according to you, they do.. lol!) - personally, I think it's stupid if THAT is the approach they're using for a file parse & comparison (a few lines of code @ most tops in a loop). Get ALL YOU CAN out of it, if & when possible, in kernelmode.

APK

P.S.=> Now, on errtrapping, "niceties" of usermode you're extolling? Hey - after 45++ yrs. of optimization, it'd be NICE to put in (you don't do that in drivers, they have to perform @ the MAX), but after that much time, you can bet the IP stack is VERY solid (as well as fast) @ what it does or can do in a STABLE fashion.

Serious Question:

Do you code?

I do... however on YOUR part??

If so, you KNOW errtrapping slows up code (quite a lot via its canaries & tests) - after a while, if code is solid? Pull it.. you get a LOT more speed... apk

What "point"? Usermode (needlessly) = SLOWER? (0)

Anonymous Coward | about 7 months ago | (#46563063)

I agreed & I operate in kernelmode in essence (the resultant hosts file from my app is a filter used by the IP stack in Windows... period/fact).

LOL - So, (if the "Open SORES" people like that, apparently according to you, they do.. lol!) - personally, I think it's stupid if THAT is the approach they're using for a file parse & comparison (a few lines of code @ most tops in a loop). Get ALL YOU CAN out of it, if & when possible, in kernelmode.

ALL YOUR DOWNMODS OF MY POSTS DON'T CHANGE A THING EITHER, TROLLS: You FAILED vs. myself, as always, due to your LIMITED brains being quite blatantly obviously, inferior.

APK

P.S.=> Now, on errtrapping, "niceties" of usermode you're extolling? Hey - after 45++ yrs. of optimization, it'd be NICE to put in (you don't do that in drivers, they have to perform @ the MAX), but after that much time, you can bet the IP stack is VERY solid (as well as fast) @ what it does or can do in a STABLE fashion.

Serious Question:

Do you code?

I do... however on YOUR part??

If so, you KNOW errtrapping slows up code (quite a lot via its canaries & tests) - after a while, if code is solid? Pull it.. you get a LOT more speed - SO SAME IDEA FOR MOVING A PORTION OF THE OS OUT OF FAR FASTER KERNELMODE INTO USERMODE SLOWNESS - why bother, WHEN THE IP STACK is PROVEN & MATURE + STABLE? There's NO POINT in doing it - that's STUPID, period... apk

Re:If it's not in kernelmode (1)

unixisc (2429386) | about 7 months ago | (#46536571)

There are 4 rings, so if something is too slow in r3, why not move it to r2 or r1, as opposed to r0?

Cuz it's STUPID to do... apk (-1)

Anonymous Coward | about 7 months ago | (#46537079)

The IP stack's SOLID & MATURE, in Ring 0 (for speed) - Windows does!

(Apparently, the "Open SORES" crew did a STUPID THING moving hosts file parsing to usermode SLOWNESS)

For what? Control??

Ahem/Again: WTF do you NEED THAT FOR, when the IP stack's stable, mature, & PROVEN over nearly 50 yrs.?

Answer = you DON'T!!! It detracts from performance, bigtime... It's no first doing it that way either: Windows "copied" *NIX variants on a RELATED FRONT (moving http.sys to kernelmode) - that tell you ANYTHING? It does me... it works!

I led to an example in 1 of my replies about pulling debug code & errtrappers (even in usermode apps) - you get a BIG BOOST in speed (since you're not testing stack canaries etc.)... hence, that?

Leads to my point here: When something's SOLID in code, you can omit doing trapping basically (for greater speed/performance since it is SOLID)... & the Open SORES crew fucked that up - read your OWN telling you that much, here, today -> http://linux.slashdot.org/comm... [slashdot.org] (read that entire exchange).

APK

P.S.=> In ANY event? As per usual?? My wannabe "naysayers/detractors" RUN ("Forrest, RUN!!!) vs. my points, like this one http://tech.slashdot.org/comme... [slashdot.org] that I just noted above, but I also "telegraph" WHY now (by this point, might as well)... & the results? In MY favor... as always! apk

Cuz it's STUPID to do... apk (0)

Anonymous Coward | about 7 months ago | (#46562979)

The IP stack's SOLID & MATURE, in Ring 0 (for speed) - Windows does!

(Apparently, the "Open SORES" crew did a STUPID THING moving hosts file parsing to usermode SLOWNESS)

For what? Control??

Ahem/Again: WTF do you NEED TO DO THAT FOR, when the IP stack's stable, mature, & PROVEN over nearly 50 yrs.?

Answer = you DON'T - It detracts from performance, bigtime...

It's no first doing it that way either: Windows "copied" *NIX variants on a RELATED FRONT (moving http.sys to kernelmode for IIS6) - that tell you ANYTHING? It does me... it works!

I led to an example in 1 of my replies about pulling debug code & errtrappers (even in usermode apps) - you get a BIG BOOST in speed (since you're not testing stack canaries etc.)... hence, that?

Leads to my point here: When something's SOLID in code, you can omit doing trapping basically (for greater speed/performance since it is SOLID)... & the Open SORES crew fucked that up, clearly!

PROOF - Read your OWN telling you that much, here, today -> http://linux.slashdot.org/comm... [slashdot.org]

ALL YOUR DOWNMODS OF MY POSTS DON'T CHANGE A THING EITHER, TROLLS: You FAILED vs. myself, as always, due to your LIMITED brains being quite blatantly obviously, inferior.

APK

P.S.=> In ANY event? As per usual?? My wannabe "naysayers/detractors" RUN ("Forrest, RUN!!!) vs. my points, like this one http://tech.slashdot.org/comme... [slashdot.org] that I just noted above, but I also "telegraph" WHY now (by this point, might as well)... & the results? In MY favor... as always! apk

IF it's not in KERNELMODE (0)

Anonymous Coward | about 7 months ago | (#46563011)

It's SLOWER, period (which you concede): So, there's no question of what I said: It's part of the why of WHY I wrote my app (does more, with less, by far) -> http://start64.com/index.php?o... [start64.com]

Why do things in ring 0/rpl 0/kernelmode vs. ring 3/rpl 3/usermode? Speed... heck, that's why I'd do it there too - if you're NOT?? Then, you're obviously NOT interested in maximum performance AND in actually SLOWING THINGS DOWN, needlessly!

WTF do you NEED TO MOVE IP STACK WORK INTO USERMODE SLOWNESS (vs. kernelmode speed, as Microsoft did the right thing for IIS6 http.sys, moving it from usermode SLOW into kernelmode FAST), when the IP stack's stable, mature, & PROVEN over nearly 50 yrs.? Answer = you DON'T - It detracts from performance, bigtime...

ALL YOUR DOWNMODS OF MY POSTS DON'T CHANGE A THING EITHER, TROLLS: You FAILED vs. myself, as always, due to your LIMITED brains being quite blatantly obviously, inferior.

APK

P.S.=> Anyhow, these trolls always *TRY* to "give me guff" & by ac posts... why bother? All they DO is make ME look GOOD & themselves?? Well... lol, "not so good"... apk

You FAIL troll (hosts = part of IP stack) (0)

Anonymous Coward | about 7 months ago | (#46552595)

Tcpip.sys driver specifically uses it (since it does dns resolution first by default). This is the order:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
"Class"=dword:00000008
"DnsPriority"=dword:00000007
"HostsPriority"=dword:00000005
"LocalPriority"=dword:00000006
"NetbtPriority"=dword:00000008
"Name"="TCP/IP"

Yes - That IS ring 0/rpl 0/kernelmode (pnp driver design iirc) in Windows... since the IP stack has ~ 50 yrs. of maturity & stability (no need to place it in usermode).

Since BOTH Linux + Windows & most others OS use a BSD derived IP stack? Guess what - YOU'RE WRONG - unless the dolts who make the "Open SORES" OS' fucked that up too (because there's roughly a 100 fold speed difference between usermode/ring 3/rpl 3 & kernelmode/ring 0/rpl 0 due to privilege largely & less overheads), which apparently (lmao) THEY HAVE (read the words of your OWN people saying so):

http://linux.slashdot.org/comm... [slashdot.org]

APK

P.S.=> Again, YOU FAIL, troll (including your WEAK DOWNMODS to *try* vainly & effetely "hide" my posts that put your ass to rest easily with facts)... lol!

Man - "no small wonder" YOUR TECHNICALLY WEAK ASS posts as ac while trolling me (since I've obviously TORCHED YOUR ASS on tech before), since you're not sure of yourself OR your b.s. you spout...

...apk

Re:Custom hosts files to the rescue (1)

unixisc (2429386) | about 7 months ago | (#46536553)

It's nice to know that /etc/hosts will solve the problem of NSA spying, Snowden, Russian intervention in Ukraine, Crimean secession and so on.

Did I say that? Show me where... apk (-1)

Anonymous Coward | about 7 months ago | (#46537145)

Stop *trying* to put words in my mouth I never said, fool: Trolls do that...

APK

P.S.=> Which, of course, means you're another TROLLING SCUM I've burnt on what THEY consider "their ballcourt" (computing), & with EASE (+ facts), as-per-my-usual... & thus?

Well - lol, you just KNOW I've just GOTTA say it, now don't you?? Of course you do:

THIS? This was just "too, Too, TOO EASY - just '2ez'"... & it always is, vs. the technically WEAK unable to think for themselves incompetents here on /., lmao - especially considering I've WIPED THE FLOOR with your "best & brightest" Forrest Gump level wannabe 'computing experts' so easily... apk

It's yet another symptom (0)

Anonymous Coward | about 7 months ago | (#46525719)

The problem is lack of competition in the industry. When consumers have no choice, the ISPs have no reason to do anything but support the status quo (aka not spending money on improving).

Realistic maybe? (1)

jbmartin6 (1232050) | about 7 months ago | (#46525851)

Probably because ISPs have much more immediate and probable threats to deal with. Let's inject a little bit of reality into the discussion. Correct me if I am wrong, but actual attacks (as opposed to misconfigurations) through routing insecurity on the global Internet number zero. (Unless you count state level attempts at censorship, which is moot in this case where we are asking why ISPs don't do more) This Google hijack was quickly corrected thanks to all the monitoring and response procedures that are in place. Yes, I understand that is a fun 22 minute window for hijinx to ensue. There are also lots of easier ways to enact these hijinx, hence the number of attacks is zero. DNS attacks at the server level are relatively rare compared to all the other ways criminals can get what they are after. Security effort is a scarce resource, just like any other, and it will tend to get spent where the return is highest.

RPKI (0)

Anonymous Coward | about 7 months ago | (#46525893)

It is not that far too few ISPs bother with RPKI, it is that RPKI is not yet ready for prime time (use as actual enforcement). Not all versions of vendor router software that are currently deployed can support RPKI, and ROAs (Route Origin Authorizations), which are key to determining route validity, are not widely created. RPKI is moving forward, but just as with DNSSEC, it is going to take time to see wide implementation and deployment. If practice was as simple as theory chief scientists would already be producing unlimited power from fusion.

Re:RPKI (2)

8-Track (581029) | about 7 months ago | (#46526349)

Global RPKI deployment stats can be found here; Europe is doing pretty well, growing at a healthy pace: http://certification-stats.rip... [ripe.net] As far as router support goes, Cisco and Juniper are doing a good job with support across the platforms: https://www.ripe.net/lir-servi... [ripe.net] But with other vendors, RPKI support is pretty much non-existent. Though it's not a requirement to use RPKI data natively on the router, you can also just use validated ROAs from an API, for example: http://localcert.ripe.net:8088... [ripe.net]
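The two comments above turn on ROAs and on using validated ROA data outside the router. As an added example (not from the thread, RIPE, or any vendor), here is route origin validation as defined in RFC 6811, run over a constructed ROA set; the JSON field names, the documentation prefixes and the documentation AS numbers are all assumptions made for illustration.

```python
import ipaddress
import json
from typing import Dict, List, NamedTuple, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of validated ROA payloads. The field names are an
# assumption; prefixes and ASNs come from the documentation ranges.
SAMPLE_ROAS_JSON = """
{"roas": [
  {"asn": "AS64500", "prefix": "192.0.2.0/24",    "maxLength": 24},
  {"asn": "AS64500", "prefix": "2001:db8::/32",   "maxLength": 48},
  {"asn": "AS0",     "prefix": "198.51.100.0/24", "maxLength": 24}
]}
"""


class VRP(NamedTuple):
    """Validated ROA payload: prefix, longest allowed length, origin AS."""
    prefix: Network
    max_length: int
    origin_as: int


def load_vrps(text: str) -> List[VRP]:
    """Parse the JSON export and reject structurally impossible ROAs."""
    vrps = []
    for roa in json.loads(text)["roas"]:
        net = ipaddress.ip_network(roa["prefix"], strict=True)
        max_len = int(roa["maxLength"])
        if not net.prefixlen <= max_len <= net.max_prefixlen:
            raise ValueError(f"bad maxLength for {net}: {max_len}")
        asn = str(roa["asn"]).upper()
        vrps.append(VRP(net, max_len, int(asn[2:] if asn.startswith("AS") else asn)))
    return vrps


def origin_validation(prefix: str, origin_as: int, vrps: List[VRP]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for vrp in vrps:
        if vrp.prefix.version != route.version:
            continue
        if not route.subnet_of(vrp.prefix):
            continue
        covered = True  # at least one ROA speaks for this address space
        # AS0 in a ROA means "do not route", so it can never match.
        if (vrp.origin_as != 0 and vrp.origin_as == origin_as
                and route.prefixlen <= vrp.max_length):
            return "valid"
    # Covered but unmatched is a hijack or leak candidate; uncovered space
    # has no ROA at all, which is still the common case.
    return "invalid" if covered else "not-found"


def classify(routes: List[Tuple[str, int]], vrps: List[VRP]) -> Dict[str, List[Tuple[str, int]]]:
    """Group announcements by validation state for filtering or alerting."""
    result: Dict[str, List[Tuple[str, int]]] = {"valid": [], "invalid": [], "not-found": []}
    for prefix, origin_as in routes:
        result[origin_validation(prefix, origin_as, vrps)].append((prefix, origin_as))
    return result


# Constructed announcements: the legitimate route, a wrong-origin route,
# a too-specific route, an AS0-covered route, and space with no ROA.
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64500),
    ("192.0.2.0/24", 64511),
    ("192.0.2.128/25", 64500),
    ("198.51.100.0/24", 64500),
    ("203.0.113.0/24", 64501),
    ("2001:db8:1::/48", 64500),
]

if __name__ == "__main__":
    for state, routes in classify(SAMPLE_ROUTES, load_vrps(SAMPLE_ROAS_JSON)).items():
        print(state, routes)
```

The "not-found" bucket is why sparse ROA coverage limits enforcement: a router that drops only "invalid" routes still accepts every announcement for address space nobody has signed.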

Re:RPKI (1)

Lennie (16154) | about 7 months ago | (#46538309)

Not that I think RPKI is bad, or it's good what RIPE is doing, but these stats say nothing about validation in the field.

Central point of failure (0)

Anonymous Coward | about 7 months ago | (#46526223)

Central point of failure says what?

Why the hell would they want Google DNS to work? (3, Interesting)

tlambert (566799) | about 7 months ago | (#46526259)

Why the hell would they want Google DNS to work?

They intermediate DNS all the time, in order to do proxy caching, and to prevent you going to high bandwidth sites without a lot of difficulty, or to land you on a page when you hit a non-existent domain because of a typo, and they try to sell it to you.

One wireless carrier, on their WiFi hotspot-only options, used to move you off their 4G network and onto their 3G by having intentional "DNS outages" that pointing to Google's DNS worked around. 3G had a data cap for which they got paid, 4G was no data cap, so the benefit to them for you using the DHCP assigned DNS was enormous: large amounts of data charges.

Even if they aren't screwing with the results for their own reasons, you hitting Google for all your DNS lookups means that they can't cache DNS responses, which means that they have to support more DNS traffic out and responses in on their network than they otherwise would need to.

None of these are beneficial to their bottom line.

OpenDNS for the win (1)

Anonymous Coward | about 7 months ago | (#46526333)

Not a shill, just educating: in case anyone needs better (and free) DNS for their parents/dumb relatives/noobs continuously getting spyware and malware by clicking on everything they see, OpenDNS is a great start. Their commercial product is useful for small/medium business as well. http://www.opendns.com/

The brilliant simplicity is that even if you get a dropper/adware/malware on your machine, if it can't resolve a malware domain to pull its payload from, it's effectively dead on your machine until your virus scanner catches it.

If it's not broke, don't fix it (3, Interesting)

RR (64484) | about 7 months ago | (#46526933)

I see this attitude all the time with managers. It's like a mantra:

If it's not broke, don't fix it.

It's blocking IPv6, it's blocking DNSSEC, it's blocking RPKI, it's blocking Windows XP retirements. There are a lot of improvements that are stymied because change is considered more scary than just living with the problem.

But it is broke. Computers are hugely complex and buggy. We need the upgrade treadmill just to stay ahead of threats to our computing. Computers are incredibly malleable, and collectively we need major changes. I would be seriously depressed if our current state became the pinnacle of computing.

Re:If it's not broke, don't fix it (1)

zyzko (6739) | about 7 months ago | (#46527669)

Managers?

I see this all the time with tech-oriented people as well. They say that we don't need IPv6 because IPv4 and NAT works just fine, and XP is the best thing ever and it is just greed by Microsoft to not support it. What separates tech people and managers is that managers count money. IPv6 and DNSSEC implementation cost money.

Techies who oppose these often cloud their inability or non-desire to learn something new and "complex" in "if it works, don't fix it". Which of course also comes down to investment - if you have to invest your time to learn something new with no immediate (as in pay raise *now* opposed to "able to get a job in 2 years") reward it is easy to write off improvement as unnecessary.

Re:If it's not broke, don't fix it (0)

Anonymous Coward | about 7 months ago | (#46543909)

IPv6 is complicated. Why would we want to change? We're not running out of IPv4 addresses.

That's the attitude I face. They just want to turn it off rather than find out if an app doesn't support IPv6 and having to do a bit more DNS work to create an IPV4-only entry that isn't associated with the auto-registered Windows hostname so that clients don't have timeout delay issues.

Not yet (1)

vanyel (28049) | about 7 months ago | (#46527281)

"too few ISPs bother with it" [RPKI] because "Cisco Systems is committed[4] to offering this functionality in Cisco IOS. Juniper Networks is working on an implementation[5] for Junos as well", i.e. it doesn't exist yet. DNSSEC exists, but is very challenging to implement and is fragile, though recent BIND implementations have improved that situation considerably. DANE will build on top of that, so there *is* hope for the future, but it is still the future.

the only reason (0)

Anonymous Coward | about 7 months ago | (#46530627)

snowden is right about the nsa, and they are subverting security for their own purposes of controlling

this is one way the nsa and your govt wherever you are can control you..... ...sign sign everywhere a sign barkin up the scenery breaking my mind..do this don't do that can't ya read the ...webpage.....

Custom hosts files to the rescue (0)

Anonymous Coward | about 7 months ago | (#46552529)

Vs. DNS faults: How/Why? This (see "B" below) - Hosts do more w/ less (1 file) @ a faster level (ring 0) vs redundant browser addons (slowing up slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ OS, & 1st net resolver queried w\ 45++ yrs.of optimization):

---

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?o... [start64.com]

(Details of hosts' benefits enumerated in link)

Summary:

---

A. ) Hosts do more than AdBlock ("souled-out" 2 Google/Crippled by default) + Ghostery (Advertiser owned) - "Fox guards henhouse", or Request Policy -> http://yro.slashdot.org/commen... [slashdot.org]

B. ) Hosts add reliability vs. downed or redirected DNS + secure vs. known malicious domains too -> http://tech.slashdot.org/comme... [slashdot.org] w/ less added "moving parts" complexity + room 4 breakdown,

C. ) Hosts files yield more speed (blocks ads & hardcodes fav sites - faster than remote DNS), security (vs. malicious domains serving mal-content + block spam/phish), reliability (vs. downed or Kaminsky redirect vulnerable DNS, 99% = unpatched vs. it & worst @ ISP level + weak vs FastFlux + DynDNS botnets), & anonymity (vs. dns request logs + DNSBL's).

---

* Addons are more complex + slowup browsers in message passing (use a few concurrently & see) - Addons slowdown SLOWER usermode browsers layering on MORE: I work w/ what you have in kernelmode, via hosts (A tightly integrated PART of the IP stack itself)

APK

P.S.=> * "A fool makes things bigger + more complex: It takes a touch of genius & a lot of courage to move in the opposite direction." - Einstein

** "Less is more" = GOOD engineering!

*** "The premise is, quite simple: Take something designed by nature & reprogram it to make it work FOR the body, rather than against it..." - Dr. Alice Krippen "I AM LEGEND"

...apk
