Slashdot: News for Nerds



Misconfigured Open DNS Resolvers Key To Massive DDoS Attacks

MaraDNS Re:Thoughts from MaraDNS' implementer (179 comments)

TL;DR The grandparent complained about MaraDNS not having more features. He responded to my "show me the money" reply by saying "why should anyone pay you if you don't have more features". My reply: "Because DNS shouldn't be a monoculture".

(As an aside, I actually somewhat respect the parent poster because he does a reasonable job of articulating his points. His thinking is a little rigid and absolute "this is how it must be done" for my tastes, but he at least has clue, something becoming rarer and rarer as Slashdot slowly goes the way of the horse and buggy)

Another thing I forgot to add: Why use MaraDNS.

Since I have Karma to burn, and since it probably would be best if my Karma went to hell, discouraging me from wasting time on Slashdot, here are my thoughts on the negative moderations:

Sure, the first post came off as an ad. I wrote it too quickly, and I can see why a moderator didn't like it. I can also see why a moderator--perhaps the same one--didn't like the parent to this. A good number of Slashdot readers who still live in that "everything should be free and no one has bills to pay since they all live in my mother's basement [1] like I do" neckbeard fantasyland probably don't like how I pointed out that it's going to take real money for MaraDNS to get DNSSEC or have rate limiting. They probably stopped there and moderated down (the post was also too long, but a long post deserves a long reply).

[1] In other cultures, multiple generations living under the same roof is normal; I feel the idea that a kid has to move out of the house at 18 to be a real man is one that is bad for families. It's actually in many ways good when a 45-year-old man still lives in his mother's basement, since he will become the one taking care of his aging mother instead of sending her to a nursing home.

OK, I'm out of Slashdot for the rest of 2013. I will not post here until the beginning of 2014. The moderators hath spoken and I really need to get out of the shithole Slashdot is becoming. MaraDNS is the past; it's time for me to make a new mark on the world!

about a year ago

Misconfigured Open DNS Resolvers Key To Massive DDoS Attacks

MaraDNS Re:Thoughts from MaraDNS' implementer (179 comments)

lack of EDNS support is a potential problem

"Potential" being the operative word. Truncated DNS packets still have enough information in them to answer DNS questions, and the only time I've really seen truncated packets is with some of the byzantine DNS packets Yahoo has.

DNSSEC support is critical

But not critical enough for someone to send me the money to make DNSSEC happen with MaraDNS: It's really the same problem IPv6 has: All kinds of geeks talk about how great it would be if IPv6 were everywhere, but they don't put out the money for IPv6 to happen more quickly.

It's still possible to resolve domains and surf the web without DNSSEC. I know: MaraDNS 2.0 (Deadwood) is being used to resolve (and all the other places I go) so I can make this posting. Yes, there are issues with someone with a packet sniffer forging DNS packets on the same network, and I do agree DNSSEC is needed on a larger network with infected machines, and is needed for a DNS server that calls itself secure, but it is working for me right now.

(For sites where forgery is a real problem, such as online banking, I use a special virtual machine and make sure the HTTPS certificate is kosher)

DNS resolvers should not be usable by the world.

Google, OpenDNS, and heck, Level3 disagree with you. That said, I mostly agree: That's why there are no examples in MaraDNS' documentation showing how to make a recursive nameserver globally resolvable, and why it has never been a default configuration in Mara.

Any DNS server that provides recursive DNS ought to not simultaneously provide authoritative DNS from the same service, or from the same IP.

That's the design MaraDNS 2.0 has: I removed the recursion from the "maradns" daemon and completely, from scratch, reimplemented recursion in a separate daemon, which has to run on a separate IP. Not one line of code is shared between the two.

I fully expect any government or corporate grants will go towards DNS server implementations that are more widely used

I understand your sentiment, but software monoculture is a bad thing and software diversity is a good thing.

When DNS first showed up in the 1980s, there were a number of different implementations. By the time I started MaraDNS 12 years ago, there was only one usable open-source DNS server out there. When I finished MaraDNS, there were five or six (depending on whether Unbound/NSD counts as one or two) different actively maintained significant open-source DNS servers out there. That number has since gone down (none of the djbdns forks came out with a release that fixes CVE-2012-1191). I hope that number continues to be higher than one.

An attitude of "let's only support one DNS server" can return us to the world of a DNS monoculture. EDNS, DNSSEC, and all of these extensions to DNS do not help.

I don't like how CSS, Javascript, and HTML have become such a mess that it requires multi-million dollar grants to keep a browser current, and where Opera finally threw in the towel because they just couldn't keep up with the nonstop update treadmill browsers are on. Dillo doesn't even try to be current (I think they made a mistake trying to support CSS at all, but that's another discussion for another day).

While I disagree with DJB on a lot of things, I understand why he rejected DNSSEC and proposed DNSCURVE: He wanted to keep DNS simple, to keep DNS something that a single talented developer can implement in their spare time.

For better or for worse, DNSSEC won, and now DNS can no longer practically be implemented by a one-man show.


I agree PowerDNS is a good choice, especially for people who want a database back end, but I'm disappointed it took them over a year to patch CVE-2012-1193 (which only affects the recursor).

not to discount MaraDNS, but it seems like a dead-end

You know, I tend to agree with you. Software has a lifecycle, and MaraDNS is probably near the end of hers. I still will fix bugs, and I will still make sure MaraDNS is usable on the internet for the foreseeable future, and as IPv6 slowly becomes the norm, I will probably make sure Mara is still usable with all of IPv6's changes (IPv6 has been implemented but not fully tested). But, without DNSSEC, EDNS, and whatever else they throw in the DNS kitchen sink, MaraDNS will probably become more and more dated as the 2010s go on.

But, you know, I made my mark on the world and I made my contribution to open source. I'm very proud of what I did, and how I was a big part of breaking the DNS monoculture of the early 2000s.

What's your mark on the world? What can you point to and say "I made this, this is what I have contributed to this planet"?

about a year ago

Misconfigured Open DNS Resolvers Key To Massive DDoS Attacks

MaraDNS Re:Article is garbage (179 comments)

Out of all those though, rate limiting seems to make the most sense and is the lesser of the evils.

Except for the fact that some DNS servers do not have rate limiting nor the funds to implement rate limiting (it's non-trivial to implement), you're right.

In my case, without EDNS support, the highest amplification factor my DNS server has is 23x (as opposed to the 100x+ EDNS servers have). Also: My server doesn't have open recursion enabled by default.

about a year ago
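The 23x versus 100x+ figures in the post above, and the 512-byte point in the implementer's post below, come down to one ratio: bytes the server sends divided by bytes the (possibly spoofed) client sent, with the UDP size the client advertised as the hard ceiling. The following Python is an added example for measuring that on your own server's replies; it is not MaraDNS or Deadwood code. The query, the TXT answers and the 4096-byte EDNS size are constructed inputs, and the reply to an EDNS query omits the OPT record it would normally echo back.

```python
import struct

CLASSIC_UDP_LIMIT = 512   # RFC 1035 UDP payload cap; a server without EDNS never exceeds it
OPT_TYPE = 41             # EDNS(0) OPT pseudo-RR type
TXT_TYPE = 16


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln


def build_query(name: str, qtype: int = TXT_TYPE, txid: int = 0x1234, edns_size: int = 0) -> bytes:
    """Constructed query for `name`; edns_size > 0 appends an OPT RR advertising that UDP size."""
    arcount = 1 if edns_size else 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags: RD
    question = encode_name(name) + struct.pack(">HH", qtype, 1)       # class IN
    opt = b""
    if edns_size:
        # OPT RR: root owner name, type 41, CLASS field carries the UDP payload size
        opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, edns_size, 0, 0)
    return header + question + opt


def advertised_udp_size(query: bytes) -> int:
    """UDP size the client can receive: the OPT class field, or 512 without EDNS."""
    _, _, qd, an, ns, ar = struct.unpack(">HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _, rdlen = struct.unpack(">HHIH", query[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return max(rclass, CLASSIC_UDP_LIMIT)   # RFC 6891: values below 512 mean 512
    return CLASSIC_UDP_LIMIT


def build_response(query: bytes, answers: int, rdata: bytes) -> bytes:
    """Constructed reply echoing the question with `answers` TXT records of identical rdata."""
    qend = skip_name(query, 12) + 4
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, answers, 0, 0)  # QR, RD, RA
    rr = b"\xc0\x0c" + struct.pack(">HHIH", TXT_TYPE, 1, 3600, len(rdata)) + rdata
    return header + query[12:qend] + rr * answers


def fit_to_udp(response: bytes, limit: int) -> bytes:
    """Apply the UDP cap: a reply that does not fit is cut to header + question with TC set."""
    if len(response) <= limit:
        return response
    qend = skip_name(response, 12) + 4
    header = bytearray(response[:12])
    flags = struct.unpack(">H", header[2:4])[0] | 0x0200     # TC bit: retry over TCP
    header[2:4] = struct.pack(">H", flags)
    header[6:12] = b"\x00" * 6                                # an/ns/ar counts = 0
    return bytes(header) + response[12:qend]


def amplification(query: bytes, response: bytes) -> float:
    """Bytes the server sends per byte the (possibly spoofed) client sent."""
    return len(response) / len(query)


def max_udp_amplification(query: bytes) -> float:
    """Upper bound on amplification over UDP, fixed by the size the client advertised."""
    return advertised_udp_size(query) / len(query)


if __name__ == "__main__":
    rdata = bytes([200]) + b"x" * 200                 # one 200-character TXT string
    plain = build_query("example.com")                # 29 bytes, no EDNS
    edns = build_query("example.com", edns_size=4096)  # 40 bytes, advertises 4096
    big = build_response(plain, 15, rdata)            # 3224 bytes on the wire
    for label, q in (("no EDNS ", plain), ("EDNS4096", edns)):
        sent = fit_to_udp(big, advertised_udp_size(q))
        print(label, "sends", len(sent), "bytes, amplification %.1f, UDP bound %.1f"
              % (amplification(q, sent), max_udp_amplification(q)))
```

Running it shows the point of the post: the same 3224-byte answer goes out in full to a client advertising 4096 bytes (about 80x), but a server that stops at 512 bytes truncates it to a 29-byte TC reply, and its worst case is bounded by 512 divided by the query length whatever the zone contains.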

Misconfigured Open DNS Resolvers Key To Massive DDoS Attacks

MaraDNS Thoughts from MaraDNS' implementer (179 comments)

As the implementer of MaraDNS, here are my thoughts:

  1. MaraDNS 1 and Deadwood do not support a technology called "EDNS" that allows for large DNS packets. By only supporting 512-byte packets, both DNS servers do not allow for the 100x amplification used in this DDoS that other DNS servers have.
  2. My DNS software does not come with unrestricted recursive access enabled by default, and the documentation strongly discourages open recursion.
  3. I will have to double check, but, as I recall, the documentation and example configuration files do not include an example with unrestricted recursive access.

One feature that would be nice would be to be able to restrict how much data my DNS server sends to a given IP (again, as noted above, MaraDNS/Deadwood already has a form of this because they do not support EDNS). Unfortunately, since I am not developing new features for MaraDNS like this without being compensated for my time, I would need a corporate or government grant to implement this. TANSTAAFL

about a year ago
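The feature the post above asks for, restricting how much data the server sends to a given IP, is a per-client budget counted in response bytes rather than in queries. The Python below is an added example of that limiter, not code from MaraDNS or Deadwood: a token bucket per source address, with a prune step so that a flood of spoofed source addresses cannot grow the table without bound. The `FakeClock`, the rates and the addresses (198.51.100.7 and 203.0.113.9 are documentation ranges) are constructed for the demonstration.

```python
import time
from typing import Callable, Dict, Tuple


class FakeClock:
    """Constructed clock so the demo is deterministic; production code uses time.monotonic."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class ResponseByteLimiter:
    """Per-client token bucket measured in response bytes rather than query count.

    Each client address gets a bucket that refills at `rate` bytes per second up to
    `burst` bytes.  A reply goes out in full only if the bucket holds at least as
    many tokens as the reply is long; otherwise the caller answers with a truncated
    (TC) reply or drops the query, so an address being used as a spoofed source
    receives at most about `rate` bytes per second from this server.
    """

    def __init__(self, rate: float, burst: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.rate = rate
        self.burst = burst
        self.clock = clock
        self._buckets: Dict[str, Tuple[float, float]] = {}   # ip -> (tokens, last update)

    def _current(self, ip: str) -> Tuple[float, float]:
        """Bucket contents for ip after refilling for the time elapsed since last use."""
        now = self.clock()
        tokens, last = self._buckets.get(ip, (self.burst, now))
        return min(self.burst, tokens + (now - last) * self.rate), now

    def allow(self, ip: str, nbytes: int) -> bool:
        """Spend nbytes from ip's bucket if it can afford a full reply of that size."""
        tokens, now = self._current(ip)
        if tokens >= nbytes:
            self._buckets[ip] = (tokens - nbytes, now)
            return True
        self._buckets[ip] = (tokens, now)
        return False

    def prune(self, idle_seconds: float) -> int:
        """Forget buckets idle longer than idle_seconds; returns how many were dropped."""
        now = self.clock()
        stale = [ip for ip, (_, last) in self._buckets.items() if now - last > idle_seconds]
        for ip in stale:
            del self._buckets[ip]
        return len(stale)

    def tracked(self) -> int:
        """Number of client addresses currently holding a bucket."""
        return len(self._buckets)


if __name__ == "__main__":
    clock = FakeClock()
    limiter = ResponseByteLimiter(rate=500, burst=2000, clock=clock)
    victim, other = "198.51.100.7", "203.0.113.9"     # constructed addresses
    for i in range(3):                                # 800-byte replies, burst is 2000
        verdict = "send" if limiter.allow(victim, 800) else "truncate or drop"
        print("t=%.0fs %s reply #%d: %s" % (clock.now, victim, i + 1, verdict))
    print("other client unaffected:", limiter.allow(other, 800))
    clock.advance(1.0)                                # one second refills 500 bytes
    print("t=%.0fs %s after refill:" % (clock.now, victim), limiter.allow(victim, 800))
    clock.advance(61.0)
    print("pruned idle buckets:", limiter.prune(60.0), "tracked:", limiter.tracked())
```

Counting bytes instead of queries is what makes the limiter match the threat: a small query that yields a large reply costs the client its full reply size, so the amplification a spoofed victim can be made to absorb is capped by `rate` regardless of what is being asked.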

ICANN Reveals Regional Winners of New gTLDs

MaraDNS Re:My opinion (69 comments)

I posted about this before and I will probably have to post this again: Where's this alternative to DNS everyone keeps talking about on Slashdot?

If you don't like what ICANN is doing, (shameless plug) it's pretty easy to download and install an open-source (BSD licensed) recursive DNS server (even on Windows), then use the program to blacklist ICANN's new domains.

If you don't want to use my program, I am sure other DNS servers, such as Unbound and BIND (which usually comes with Linux) have similar capabilities.

about a year ago

Google Implements DNSSEC Validation For Public DNS

MaraDNS Re:Unicode support or lack thereof (5:erocS) (101 comments)

Make that 2 years, 3 months, and 2 days.

Slashdot: 2001 called and wants their lack of ability to edit posts (perhaps with a timeout to stop some forms of abuse) back. I swear, this place is becoming almost as musty as Usenet.

about a year ago

Google Implements DNSSEC Validation For Public DNS

MaraDNS Re:This story is ... (101 comments)

You're right of course; it's just not possible to fully describe the differences between DNSSEC and DNScurve in a 250-word summary written for people who think DNS is just some "boring subject". I chose readable over "pedantically accurate", along with a disclaimer that some details were lost in the interest of brevity and readability.

about a year ago

Google Implements DNSSEC Validation For Public DNS

MaraDNS Re:This story is ... (101 comments)

DNS is really boring today, but let me tell you, between 1999 and 2001, DNS was a much more interesting topic.

Back then, there were two DNS servers out there:

  1. BIND, which was horribly insecure and one of the more significant causes of remote root access security holes
  2. DJBDNS, which was and by and large is secure, but had a weird maybe-not-open license and lots of quirks

LWN has a good article from that era to give people an idea how limited choices were with open-source DNS servers. Since then, we got Unbound and NSD, PowerDNS, and (shameless plug warning) MaraDNS (there are also a lot of DNS server projects which never were finished or were abandoned years ago, such as OakDNS, Dents, Posadis, etc.)

The idea behind DNSSEC is that it is, within a margin of error (I'm already awaiting a somewhat pedantic correction from a neckbeard), the HTTPS of DNS: It makes it impossible (cue neckbeard pedantic correction) to spoof a DNS reply. DNS without DNSSEC is like HTTP without HTTPS: There are security issues where an attacker can make someone go to the wrong web site.

(Yes, I am aware of DNScurve. I'm also aware that, like Esperanto, the best idea doesn't always win--or even get implemented in a mainstream DNS server)

(Slashdot: 2001 called and wants its lack of Unicode support back. Why can't I use smart quotes or real em dashes in my replies?)

about a year ago

5 Years After Major DNS Flaw Found, Few US Companies Have Deployed Long-term Fix

MaraDNS Quick thoughts from a DNS implementer (313 comments)

Really quickly:

  • DNScurve, as pointed out above, doesn't do nearly as much as DNSSEC does. In particular, DNScurve still allows "NXDOMAIN redirection" but DNSSEC doesn't. In addition, Bind, NSD, Unbound, and PowerDNS (non-recursive) have DNSSEC support, but there is not a mainstream DNS server out there with DNScurve support.
  • djbdns hasn't been updated since 2001 and even the unofficial forks do not have patches for all three CVE security holes in DjbDNS. Since DjbDNS' goal was security, I consider it abandoned until someone makes a fork fixing all of the known security problems.
  • There are ways to make blind DNS spoofing almost impossible without needing to add complex cryptography. Crypto, however, is needed when the attacker can watch the DNS packets that the victim sends.
  • I would love to implement DNSSEC for MaraDNS, but I would need $50k US to pull it off. I would like to make it a kickstarter project, but I think people would rather just use Unbound/NSD (which, unlike MaraDNS, was funded with a government grant) instead of throwing money my way.

about a year and a half ago
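The third point above, that blind spoofing can be made nearly impossible without cryptography, is the standard resolver hardening from RFC 5452: draw the 16-bit message ID and the UDP source port from a CSPRNG, and accept a reply only if ID, port and question section all match an outstanding query, consuming the entry so a duplicate cannot land later. The Python below is an added example of that bookkeeping, not Deadwood's code; `PendingQueries`, `Outstanding` and `blind_guess_space` are names chosen here. As the post says, this defends only against an attacker who cannot see the query; an on-path sniffer reads the ID and port off the wire, which is where DNSSEC or DNScurve comes in.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EPHEMERAL_LOW = 1024            # keep well-known ports out of the pool
PORT_SPACE = 65536 - EPHEMERAL_LOW


@dataclass(frozen=True)
class Outstanding:
    txid: int        # 16-bit DNS message ID
    src_port: int    # UDP source port the query left from
    qname: str       # question name, lowercased for comparison
    qtype: int


class PendingQueries:
    """Reply-matching state for a resolver (added example, not MaraDNS/Deadwood code).

    A blind forger has to hit both the ID and the port for a query that is still
    outstanding and reproduce its question section.  Anything else is ignored;
    a reply that matches retires the entry so it cannot be matched twice.
    """

    def __init__(self) -> None:
        self._pending: Dict[Tuple[int, int], Outstanding] = {}

    def send(self, qname: str, qtype: int) -> Outstanding:
        """Register a query with a fresh random ID and source port (CSPRNG, not rand())."""
        while True:
            txid = secrets.randbelow(1 << 16)
            port = EPHEMERAL_LOW + secrets.randbelow(PORT_SPACE)
            if (txid, port) not in self._pending:   # never reuse a live (ID, port) pair
                break
        entry = Outstanding(txid, port, qname.lower(), qtype)
        self._pending[(txid, port)] = entry
        return entry

    def accept(self, txid: int, dst_port: int, qname: str, qtype: int) -> Optional[Outstanding]:
        """Return the outstanding query a reply answers and retire it, or None if it is not ours."""
        key = (txid, dst_port)
        entry = self._pending.get(key)
        if entry is None or entry.qname != qname.lower() or entry.qtype != qtype:
            return None
        del self._pending[key]
        return entry

    def outstanding(self) -> int:
        return len(self._pending)


def blind_guess_space(port_randomized: bool) -> int:
    """(ID, port) pairs a blind forger must cover per outstanding query."""
    return (1 << 16) * (PORT_SPACE if port_randomized else 1)


if __name__ == "__main__":
    pq = PendingQueries()
    q = pq.send("example.com", 1)                          # constructed query, type A
    print("sent id=%d from port %d" % (q.txid, q.src_port))
    print("wrong id     :", pq.accept(q.txid ^ 1, q.src_port, "example.com", 1))
    print("wrong name   :", pq.accept(q.txid, q.src_port, "evil.example", 1))
    print("genuine reply:", pq.accept(q.txid, q.src_port, "EXAMPLE.COM", 1) is not None)
    print("replayed     :", pq.accept(q.txid, q.src_port, "example.com", 1))
    print("guess space  : fixed port %d, random port %d"
          % (blind_guess_space(False), blind_guess_space(True)))
```

The last line is the whole argument in numbers: with a fixed source port a forger needs to cover 65536 IDs, with a random port about 4.2 billion (ID, port) pairs per outstanding query, and the question check on top means a stray match for a different name still buys nothing.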

Paul Vixie: 100,000 DSL Modems May Lose Their DNS On July 9

MaraDNS Re: (193 comments)

djbdns has not been updated since 2001 and even the unofficial forks have not addressed important issues like the security problem CVE-2012-1191.

If you want DNSSEC and don't want BIND, your only other open-source option is Unbound; MaraDNS doesn't have DNSSEC either, and PowerDNS only has it for the authoritative code.

more than 2 years ago

Internet Systems Consortium Seeks Wider Input For BIND 10

MaraDNS Re:BIND alternatives (60 comments)

It's akin to an office suite because -- except for BIND, which is monolithic -- you have two distinct programs with different functions: The authoritative and recursive program. Just like you have a word processor and spreadsheet in an office suite.

Rick Moen explains it quite well.

more than 2 years ago

Internet Systems Consortium Seeks Wider Input For BIND 10

MaraDNS Re:BIND alternatives (60 comments)

Last time I looked at DNScurve, it had absolutely no traction. None of the five DNS servers I listed above -- not even djbdns -- come with DNScurve support.

more than 2 years ago

Internet Systems Consortium Seeks Wider Input For BIND 10

MaraDNS Re:BIND alternatives (60 comments)

This conversation has hit the point that it's best continued in private email. I am not going to reply to any more of your postings.

more than 2 years ago

Internet Systems Consortium Seeks Wider Input For BIND 10

MaraDNS Re:BIND alternatives (60 comments)

Sigh. I give up. Yes, I was technically being a little inaccurate, and yes, there are a zillion ways I could have explained that entire mess better, such as linking to Rick's excellent explanation of different DNS server types.

It frustrates and annoys me that you are being so dang pedantic about the issue. I think it would do you well to think about why it is that you annoy a lot of people.

more than 2 years ago

Internet Systems Consortium Seeks Wider Input For BIND 10

MaraDNS Re:BIND alternatives (60 comments)

Voice-Family: Leo having a conversation with Sheldon in an episode of "The Big Bang Theory".

No, Unbound and NSD do not have HTTP servers. Come on. I was just trying to explain a complicated concept in a half sentence; it's called an analogy.

To make the pedants happy: A DNS server is, if you will, akin to an office suite. Yeah, what's really going on is that there is an "authoritative DNS server" that serves arbitrary name-to-data mappings so that programs called "recursive DNS servers" can give said mapping to a client program and there's also non-recursive forwarding DNS servers and blah blah blah. I think the audience is falling asleep at this point...

Now, when I said above that a DNS server is akin to an office suite, I wasn't saying that there is a spreadsheet and a word processor included with DNS servers. However, if someone were willing to sponsor it, I would be perfectly happy to make a version of MaraDNS that uses SINK RRs and dynamic updates to allow people to perform document collaboration via DNS.

more than 2 years ago

Internet Systems Consortium Seeks Wider Input For BIND 10

MaraDNS BIND alternatives (60 comments)

Since this is about BIND, let me start the inevitable thread about the BIND alternatives.

BIND is the swiss army knife of DNS servers. It has a lot of features and can do pretty much everything. It's also a big binary and sometimes difficult to configure. CVE

Unbound and NSD are a suite of DNS servers from the same people. One (NSD) puts your web page on the Internet; the other (Unbound) looks for web pages on the Internet. NSD CVE Unbound CVE

PowerDNS (which like Unbound/NSD, is two separate programs) has a lot of flexibility with connecting to databases or what not to resolve a DNS name. Used by Wikimedia, among others. CVE

MaraDNS. I think it's the best one, but my opinion is a little biased. It was once a single program, now two separate programs (like Unbound/NSD and PowerDNS). Easy to configure; tiny binary suitable for embedded systems. CVE

DjbDNS. Great tiny two-program DNS suite. Hasn't been updated since 2001 and yes, it has security problems (I'm already taking bets that a follow-up to this post will pretend DjbDNS is magically perfectly secure). Zinq is a currently maintained unofficial fork.

There are many, many other DNS servers, both open source and non-open source. Rick Moen has a great list of the open-source ones.

more than 2 years ago




MaraDNS tentative roadmap

MaraDNS MaraDNS writes  |  more than 4 years ago

At this point, I have implemented, with one notable exception, all of the features MaraDNS 2.0 should have. The one and only feature I plan on still implementing is full recursion for the Deadwood engine.

The following roadmap is completely speculative; I might decide to stop MaraDNS development and only provide basic bugfix support for MaraDNS/Deadwood:

  • Implement recursion for Deadwood, and release this as Deadwood 3.0 (Deadwood 2.0 will still be supported as the Deadwood 2.3 branch for people who need a very small program on embedded devices or a high-performance DNS load balancer)
  • Release MaraDNS which will be MaraDNS 1.3.14 with bugfixes applied.
  • Release MaraDNS 2.0.01, which will be MaraDNS with Deadwood 3.0, and all the old recursive code torn out.
  • Announce EOL timeline for MaraDNS 1.3.07.XX
  • Not implement any new features for MaraDNS for a period of six months or longer after 2.0.01 is released
