Dear PowerDNS Users,
Two major vulnerabilities have recently been discovered in the PowerDNS
Recursor (all versions up to and including 3.1.7.1). Over the past two
weeks, these vulnerabilities have been addressed, resulting in PowerDNS
Recursor 3.1.7.2.
Given the nature and magnitude of these vulnerabilities, ALL PowerDNS
RECURSOR USERS ARE URGED TO UPGRADE AT THEIR EARLIEST CONVENIENCE. No
versions of the PowerDNS Authoritative Server are affected.
PowerDNS Recursor 3.1.7.2 has been thoroughly tested, and has in fact been in
production for a week at some major sites already. No problems have been
reported. 3.1.7.2 does not include anything other than security updates.
The two major vulnerabilities can lead to a FULL SYSTEM COMPROMISE, as well
as cache poisoning, connecting your users to possibly malicious IP addresses.
These vulnerabilities were discovered by a third party that for now prefers
not to be named. PowerDNS is however very grateful for their help. More
details are available on:
http://doc.powerdns.com/powerdns-advisory-2010-01.html
http://doc.powerdns.com/powerdns-advisory-2010-02.html
Debian, FreeBSD, Gentoo and SuSE are processing the changed packages, and
will be releasing security updates shortly. Ubuntu does not provide security
updates for PowerDNS, so Ubuntu users must take immediate action and
download our packages.
RHEL4/5, CentOS packages are available (care of Kees Monshouwer) here:
http://www.monshouwer.eu/download/3th_party/pdns-recursor/
Updated packages for .deb based systems are available here:
http://downloads.powerdns.com/releases/deb/pdns-recursor_3.1.7.2-1_i386.deb
http://downloads.powerdns.com/releases/deb/pdns-recursor_3.1.7.2-1_amd64.deb
Updated packages for .rpm based systems are available here:
http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.7.2-1.i386.rpm
http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.7.2-1.x86_64.rpm
Source code is available here:
http://downloads.powerdns.com/releases/pdns-recursor-3.1.7.2.tar.bz2
Special 'upgrade option of last resort' (old systems)
-----------------------------------------------------
In addition, as a special service, we are also providing two precompiled
fully static Linux binaries as an 'upgrade option of last resort':
http://downloads.powerdns.com/releases/pdns_recursor-3.1.7.2.amd64.static.executable
http://downloads.powerdns.com/releases/pdns_recursor-3.1.7.2.i386.static.executable
These two binaries are suitable if our .deb or .rpm files somehow refuse to
load (which happens on RHEL version 3, for example).
Download the appropriate executable, rename to pdns_recursor, set the
executable bit (chmod a+x pdns_recursor), and 'mv' the executable over
/usr/sbin/pdns_recursor.
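For administrators with more than one recursor to inventory, the following added example (not part of the advisory or of PowerDNS itself) decides from a version banner whether a host falls in the affected range, all versions up to and including 3.1.7.1. The banner strings are constructed and the exact wording of the `--version` output is an assumption; the regex therefore relies only on the word "recursor" followed by a dotted number.

```python
"""Triage PowerDNS Recursor versions against the 2010 advisory: anything below
3.1.7.2 is affected. Added example, not advisory or PowerDNS code."""

import re

# First fixed release per the advisory.
FIXED = (3, 1, 7, 2)

# Assumption: `pdns_recursor --version` prints a banner that contains
# "recursor <dotted version>"; nothing else about its format is relied upon.
BANNER_RE = re.compile(r"recursor\s+v?(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_version(text):
    """Return the version as a tuple of ints, or None if no version is found."""
    m = BANNER_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def needs_upgrade(version):
    """True when version < 3.1.7.2.

    Shorter tuples are padded with zeros so that 3.1.4 compares as (3,1,4,0)
    and 3.2 as (3,2,0,0); a longer tuple such as 3.1.7.2.1 sorts after the fix.
    """
    padded = tuple(version) + (0,) * (len(FIXED) - len(version))
    return padded < FIXED


def triage(banner):
    """Human-readable verdict for one host's banner."""
    version = parse_version(banner)
    if version is None:
        return "unknown: no version found in banner"
    label = ".".join(str(p) for p in version)
    verdict = "UPGRADE to 3.1.7.2" if needs_upgrade(version) else "not affected"
    return f"{label}: {verdict}"


# Constructed banners standing in for `pdns_recursor --version` on three hosts.
SAMPLE_BANNERS = [
    "PowerDNS recursor 3.1.7.1 (C) 2001-2009 PowerDNS.COM BV",
    "PowerDNS recursor 3.1.7.2 (C) 2001-2010 PowerDNS.COM BV",
    "PowerDNS recursor 3.1.4 (C) 2001-2008 PowerDNS.COM BV",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(triage(banner))
```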
If you need any help in upgrading, please do not hesitate to contact us.
Kind regards,
Bert Hubert
Bert
Wednesday, January 6, 2010
Friday, December 25, 2009
Dit Jaar Wel (This Year For Sure): study and graduation coaching
A rare post in Dutch - if you know anyone in The Netherlands that really needs to graduate or otherwise finish their studies, this message is for them ;-)

I am proud to present the website of my wife Mirjam's company: ditjaarwel.nl!
After the necessary trial runs with the first customers, the company is now 'ready for business'. So if you know someone who urgently needs to graduate, or otherwise needs help getting over a bump in their studies, do point them to Dit Jaar Wel.nl! Also very suitable for parents who feel that the studies of their dear son or daughter have gone on quite long enough.
PS: Nice to report that I, as the 'official computer nerd of the house', had failed to find anything decent and affordable to build a website with. After a round of googling, Mirjam came up with Yola.com, which is exactly what we were looking for. Recommended.
Thursday, December 10, 2009
Addicted to the LHC
Over the past few weeks, the Large Hadron Collider (LHC), also known as the 'most puissant particle punisher that pounds the protons', has been starting up (again).
The LHC is housed at CERN, and consists of a 27km long tunnel that is so big it needs two countries to contain it, France and Switzerland.
Its goal in life is to smash protons and later lead ions together at stupendous energies.. to see what happens. I bet they have written a loftier description of their aims themselves, but this is what they do.
At a cost that is hard to calculate, but surely more than €10 billion, it is cheaper than propping up a small bank.
The scale of everything they do there is huge. The tunnel is lined with arrays of machines, each of which would be the proud possession of any physics department in the world. And it all has to work to deliver the big goal: smashing particles together at hitherto unobtainable energies.
Both because of "typos" in newspapers and because of the excitement this machine generates in the nerd crowd, the Large Hadron Collider has also been called the Large Hardon Collider. And it deserves the name.
I'm going to stop gushing now, but it is a seriously impressive setup. I haven't even started about the computing grid that calculates what the collisions resulted in, and if new physics has been discovered.
So, getting back to the title of this post, why am I addicted? In all their 'web 2.0' wisdom (they invented 'web 1.0' over at CERN, btw), the LHC people have decided to be incredibly open. With a little effort, you can find up to the second statistics of all their activities, down to a minute by minute logbook of operations.
And for some reason or other, this makes the LHC like a reality series for me. There is even a form and a chat room to hang out and gossip!

So, to join the fun, head over to the (unofficial) LHC Portal which contains links to all the good stuff! The best page to start is "Page 1" (which can also be found on the LHC Portal).
Have fun!
Wednesday, November 11, 2009
When DNS is cool and when it is not
Whenever massive query rates are desired for globally distributed data, with high redundancy and built-in positive and negative caching, people think of DNS. Popular examples are of course our day to day use of the Domain Name System (which is a lot more than a protocol) to look up IP addresses, but also include tremendous amounts of spam lookups (RBLs) to determine if an IP address is likely to be a source of spam.
In addition, "ENUM" has been designed to share reachability information for phone numbers over DNS, telling one for example over which SIP identity the owner of a phone number could be reached using VoIP. This needs many of the aforementioned features of DNS, like high query rates, redundancy and caching.
Periodically, people ponder storing other things in DNS, most often because they are attracted to the huge query rates, built in distribution, redundancy and caching. And indeed, these are things that make the DNS very attractive.
In addition, DNS passes more firewalls by default than almost any other protocol, because the network's resolver acts as a sanctioned proxy.
It turns out however that there are severe limits to what you can do within DNS while retaining the attractive bits.
High query rates
Even with a very limited investment, it is possible to build solutions based on DNS enabling one to ask and answer over a million queries per second. Building such functionality on top of a SQL database would be an order of magnitude more expensive (at least).
Among the reasons why DNS can support such tremendous speeds is its use of the connectionless UDP protocol, which means that a question fits in a single packet, as does the answer. A TCP/IP session goes through at least 6 packets to achieve the same thing.
Passing firewalls
Almost all network environments have DNS connectivity to the outside world, often via the network's resolvers. In addition, these resolvers typically have an undisturbed view of UDP port 53 to the outside world. However, they often do not have such unfettered access to TCP or ICMP.
This is important because UDP packets have severe constraints on their size, with 1500 being the maximum before stuff needs to happen. The stuff that needs to happen either entails sending fragments (which have a hard time passing firewalls), or moving to TCP (which is blocked far more often than UDP for DNS).
DNS has a lot of rules
DNS was originally a replacement for the (then) famous HOSTS.TXT file, which contained IP addresses for host names that people wanted to share with the internet. This file was lovingly maintained by hand, and periodically downloaded by everybody.
When this no longer proved to be sustainable, the DNS was created so everybody could administer their own names, and publish these in an automated fashion.
Look closely however, and the DNS shows its HOSTS.TXT roots. Even though each 'top level domain' can have its own set of servers, fundamentally the DNS assumes it is still one uniform list of records ('HOSTS.TXT'). This means that if the root says the nameservers for everything ending in NL are X, Y and Z, then if you ask any of X, Y and Z what the nameservers for NL are, it *has* to answer X, Y and Z (it may add U, V and W to the answer though).
What it may NOT do is say 'oh, NL, I handed that over to servers A, B and C, ask them'. Because this would violate the 'HOSTS.TXT' view of the DNS, where everything in the root zone has to be identical to the stuff at the lower level.
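The 'HOSTS.TXT' rule above is easy to check mechanically: the NS set a parent publishes must be repeated by the child, extra names are allowed, and a wholly different set is the forbidden 'redelegation'. The following added example (not PowerDNS code, and not from the original post) classifies a delegation that way; the server names and the sample answers are constructed.

```python
"""Classify a delegation by comparing the parent's NS set with the child's.
Added example illustrating the post's 'HOSTS.TXT' rule; not PowerDNS code."""

from enum import Enum


class Delegation(Enum):
    CONSISTENT = "parent and child publish the same NS set"
    CHILD_ADDS = "child repeats the parent's set and adds servers (allowed)"
    PARTIAL = "child drops some of the parent's servers (broken delegation)"
    REDELEGATED = "child hands the zone to a different set (not allowed in DNS)"


def _normalise(names):
    # DNS names are case-insensitive and may or may not carry the root dot.
    return {name.lower().rstrip(".") for name in names}


def classify_delegation(parent_ns, child_ns):
    """Apply the rule: the child must answer at least what the parent says."""
    parent, child = _normalise(parent_ns), _normalise(child_ns)
    if not parent or not child:
        raise ValueError("both NS sets must be non-empty")
    if parent == child:
        return Delegation.CONSISTENT
    if parent <= child:          # X, Y, Z all present; U, V, W added
        return Delegation.CHILD_ADDS
    if parent.isdisjoint(child): # 'I handed that over to A, B and C'
        return Delegation.REDELEGATED
    return Delegation.PARTIAL    # some of X, Y, Z missing


# Constructed sample: what the root says the servers for NL are, and what
# those servers answer when asked for the NL nameservers.
ROOT_SAYS_NL = ["X.example.", "Y.example.", "Z.example."]
SAMPLE_ANSWERS = {
    "same set": ["x.example", "y.example", "z.example"],
    "adds U V W": ["X.example", "Y.example", "Z.example",
                   "U.example", "V.example", "W.example"],
    "drops Z": ["X.example", "Y.example"],
    "handed to A B C": ["A.example", "B.example", "C.example"],
}


def check_samples():
    """Verdict name per constructed sample, e.g. {'drops Z': 'PARTIAL', ...}."""
    return {label: classify_delegation(ROOT_SAYS_NL, answer).name
            for label, answer in SAMPLE_ANSWERS.items()}


if __name__ == "__main__":
    for label, verdict in check_samples().items():
        print(f"{label:>16}: {verdict} - {Delegation[verdict].value}")
```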
DNS can only answer simple questions
DNS basically knows only one question 'Do you have information of type X about name Y?'. And as an answer, you'll get all the information about Y of type X that fits in the answer packet. There is no way to say 'give me all names Y that have type X', for example. Nor is there a way to ask for all names that start with 'www'.
You can't mirror the DNS
The DNS is a fully distributed system, and one that can only answer simple questions (see above). There is no reliable way to make a complete copy of the DNS. This means that in order to use it, one has to rely on working network connectivity, and also has to trust other people's systems.
Unlike, say, a SQL database, it is not possible to have a full copy that still works without network connectivity.
So - what do these limitations mean?
Summarising - we like DNS because it is really fast, easily distributed, well cached and passes firewalls easily. However, the above means that if we want to keep all these cool features:
- Responses to DNS queries must be small. Large answers mean UDP can't be used, which in turn means a significant slowdown because TCP needs so many more packets. In addition, TCP has a far harder time passing firewalls. Fundamentally, this means not storing photographs or other large things in DNS.
- We must only ask simple questions that have direct answers.
- Our questions and data distribution must fit the DNS rules. This means we can't "redelegate". A practical problem that gets hit by this restriction is so-called telephone number portability, where a phone number jumps outside of the hierarchy, and is suddenly served by a wholly different company.
- We must accept that queries will leave our network, and that we can't have an 'offline copy'.
But anytime you have simple questions, with small answers and you dare to rely on other people's servers, plus do not desire 'redelegation', DNS may be your best bet.
Some alternatives
Slightly more advanced than DNS is LDAP, which offers the possibility of asking more complicated questions. Slightly *less* advanced than DNS is memcached, which does however share the very high performance and easy redundancy. It does not offer delegation though.
Sunday, November 8, 2009
xs.powerdns.com: PowerDNS Development & Community Server @ xs4all!
Hi everybody,
Over the past few months, the PowerDNS Wiki and Subversion servers had a hard time and were no longer able to keep up with the growing amounts of traffic. Since these servers also routed my personal email, I had little choice but move the flood of spam to gmail. But no more!
We acquired a lovely Dell PowerEdge R200, and found pioneering PowerDNS user XS4ALL willing to host it! This explains the xs4all logos on wiki.powerdns.com and svn.powerdns.com ;-)
XS4ALL is what I'd like to call an 'old school internet service provider' - which is quite literally true since they were (almost) the first here in The Netherlands. Racking up xs.powerdns.com went without a hitch. For some reason, whenever I have to rack up a server, it turns out the wrong rails have been agreed upon, or the power is wrong or too much, or the IP addresses have not been arranged.
But this time round, we were done in 5 minutes. When I discovered a few days later that no IPv6 was provisioned, this was fixed within an hour. On Sunday.
XS4ALL also was the 'launching customer' of the PowerDNS Recursor, funding the development process and field testing it.
So many thanks to them for hosting xs.powerdns.com!
Wednesday, September 23, 2009
PowerDNS competitor Nominum lauds its closed source credits!
This morning, I was unpleasantly surprised by an advertorial on ZDNET, where PowerDNS competitor Nominum stated that since they are closed source, their technology is inherently more secure. They also cleverly compared Open Source to malware. Nice.
In addition, Nominum stated they have not had any security problems, "unlike the freeware legacy DNS", but this simply is not true as can be seen on their own webpage (which will probably be 'cleaned up' shortly).
There are some true gems in the interview, cleverly titled "Why open-source DNS is 'internet's dirty little secret'".
"Freeware legacy DNS is the internet's dirty little secret — and it's not even little, it's probably a big secret. Because if you think of all the places outside of where Nominum is today — whether it's the majority of enterprise accounts or some of the smaller ISPs — they all have essentially been running freeware up until now."
Followed by:
"Given all the nasty things that have happened this year, freeware is a recipe for problems, and it's just going to get worse."
"Correct. So, whether it's Eircom in Ireland or a Brazilian ISP that was attacked earlier this year, all of them were using some variant of freeware. Freeware is not akin to malware, but is opening up those customers to problems. So we've seen the majority of the world's top ISPs migrating away from freeware to a solution that is carrier-grade, commercial-grade and secure."
And the real screamer:
"Nominum software was written 100 percent from the ground up, and by having software with source code that is not open for everybody to look at, it is inherently more secure."
Way, way back when, Nominum employees successfully performed a denial of service attack on PowerDNS. I thought they had grown over this kind of behavior, but it appears they didn't.
Nominum used to be a part of the DNS community, interacting with the IETF in the standards setting process. It may be harder for them to credibly contribute anymore if this is their stance on open cooperation..
UPDATE: It is ironic to note that at the time of writing, one of the Nominum.com nameservers was actually running BIND ('freeware, not akin to malware'). In addition, both the webserver and the operating system for the Nominum webpages run on open source software (Apache, Linux).
Guus Hubert has been born!