1 In 10 DNS Servers Vulnerable To Cache Poisoning
Roughly 1.3 million DNS servers still unpatched
by Karl Bode Monday 10-Nov-2008 tags: business · security · networking
Roughly ten percent of the Internet's DNS servers are still vulnerable to a cache poisoning attack that was revealed months ago, according to a worldwide survey of public-facing Internet nameservers. "We estimate there's 11.9 million nameservers out there, and over 40% allow open recursion, so they accept queries from anyone," DNS expert Cricket Liu tells Computerworld. "Of those, a quarter are not patched," he says. "So there's 1.3 million nameservers that are trivially vulnerable."
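What "open recursion" and "accept queries from anyone" look like on the wire, as an added example that is not part of the article or of any tool it mentions. It builds a standard RD=1 query, parses the response header (RFC 1035 layout: transaction ID, QR/AA/RA flags, RCODE, answer count) and classifies the server the way an open-resolver check does: a server that returns a non-authoritative answer with RA set for a name outside its own zones is recursing for strangers; one that returns REFUSED is not. The sample responses, names and addresses (documentation ranges) are constructed so it runs offline; `probe()` does the same over UDP against a live server and is not called here. Note that this only tells you whether a server is open, not whether it is patched; the source-port and transaction-ID randomness that the Kaminsky fix added is what the entropy.dns-oarc.net test mentioned below measures.

```python
import socket
import struct

# Header flag bits and RCODEs from RFC 1035 section 4.1.1.
FLAG_QR = 0x8000   # 1 = this message is a response
FLAG_AA = 0x0400   # authoritative answer
FLAG_RD = 0x0100   # recursion desired (set by the client)
FLAG_RA = 0x0080   # recursion available (set by the server)
RCODE_NOERROR, RCODE_REFUSED = 0, 5
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def build_query(name, txid, recursion_desired=True):
    """One-question query: 12-byte header, then QNAME, QTYPE=A, QCLASS=IN."""
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(msg):
    """Return the header fields an open-recursion check cares about."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F, "ancount": ancount}


def classify(query, response):
    """Interpret a response to an RD=1 query for a name the server is not authoritative for."""
    q = parse_header(query)
    r = parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "not-a-matching-response"   # wrong ID: discard, exactly as a resolver must
    if r["rcode"] == RCODE_REFUSED:
        return "refuses-recursion"          # the configured behaviour for outsiders
    if r["ra"] and r["rcode"] == RCODE_NOERROR and r["ancount"] > 0 and not r["aa"]:
        return "open-recursive"             # it fetched someone else's data on our behalf
    return "inconclusive"


def build_response(query, ra, rcode, answer_ip=None):
    """Constructed response for the offline samples: echoes the question and, if
    answer_ip is given, appends one A record whose NAME is a pointer to offset 12."""
    q = parse_header(query)
    flags = FLAG_QR | FLAG_RD | (FLAG_RA if ra else 0) | rcode
    question = query[12:]
    answer = b""
    if answer_ip is not None:
        answer = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
                  + socket.inet_aton(answer_ip))
    header = struct.pack("!HHHHHH", q["id"], flags, 1, 1 if answer else 0, 0, 0)
    return header + question + answer


def probe(server, name="www.example.com", timeout=2.0):
    """Live check (not exercised by the samples): one RD=1 query over UDP to `server`."""
    query = build_query(name, 0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    return classify(query, data)


# Constructed samples: the same query answered by three different servers.
SAMPLE_QUERY = build_query("www.example.com", 0x2A2A)
OPEN_RESOLVER_REPLY = build_response(SAMPLE_QUERY, ra=True, rcode=RCODE_NOERROR, answer_ip="192.0.2.1")
CLOSED_SERVER_REPLY = build_response(SAMPLE_QUERY, ra=False, rcode=RCODE_REFUSED)
# A reply built for a different transaction ID, as a spoofer who guessed wrong would send.
MISMATCHED_REPLY = build_response(build_query("www.example.com", 0x1111), ra=True,
                                  rcode=RCODE_NOERROR, answer_ip="192.0.2.99")

if __name__ == "__main__":
    for label, reply in (("open", OPEN_RESOLVER_REPLY), ("closed", CLOSED_SERVER_REPLY),
                         ("mismatched", MISMATCHED_REPLY)):
        print(label, classify(SAMPLE_QUERY, reply))
```

Run it against a server with `probe("203.0.113.53")` (address here is a placeholder) and a name the server does not serve; an answer with RA set is the "open recursion" the survey counted, and REFUSED is what a correctly scoped resolver returns to addresses outside its allow list.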


ctceo
Premium
join:2001-04-26
South Bend, IN

Dead Link

The link »www.doxpara.com/?p=1176 referred to in the old thread does not work. The one at »entropy.dns-oarc.net/test/, however, does.

baineschile
2600 ways to live
Premium
join:2008-05-10
Sterling Heights, MI

OpenDNS

The only way to go.

NetFixer
Freedom is NOT free
Premium
join:2004-06-24
The 'Boro

Re: OpenDNS

said by baineschile:

The only way to go.

OpenDNS is certainly ONE solution, but it is definitely NOT the ONLY solution.

In fact, the DNS servers used by your ISP (Comcast) are also immune to the Kaminsky DNS vulnerability referred to in the article.

said by Dan Kaminsky :

I do think Nominum, and ComCast by extension, need some credit for working to develop more intensive protections against this attack...

It's not every day that Comcast and I are on the same side of the fence (ahem, net neutrality). This is, however, a much graver threat, and frankly more ISPs need to follow Comcast's lead here (now there are words I never thought I'd write!).
--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower
Test your firewall.
Smell the flowers.
Rob_
Premium
join:2008-07-16
Mary Esther, FL

Re: OpenDNS

there's also

4.2.2.2
4.2.2.3, which are Level 3 hosted DNS sites.

jester121
Premium
join:2003-08-09
Lake Zurich, IL

Re: OpenDNS

Level 3 mentioned in passing (about the time the details on the cache poisoning proof of concept came out) that they would eventually be shutting off public access to their beloved and ubiquitous 4.2.2.x DNS servers.

That will be a very interesting day in the IT field, when we learn who's sloppy and who's not.

kieranmullen
Premium
join:2005-12-12
Portland, OR

Re: OpenDNS

Is it considered sloppy to put clients on OpenDNS rather than their ISP's dns? I mean OpenDNS has so many other nice options as far as filtering goes as well and the ads are not a big turnoff.

said by jester121:

Level 3 mentioned in passing (about the time the details on the cache poisoning proof of concept came out) that they would eventually be shutting off public access to their beloved and ubiquitous 4.2.2.x DNS servers.

That will be a very interesting day in the IT field, when we learn who's sloppy and who's not.

jester121
Premium
join:2003-08-09
Lake Zurich, IL

Re: OpenDNS

No clue about that, we run our own internal DNS. The thing is that Level 3's 4.2.2.x servers aren't "officially" open to the public like OpenDNS ones are, they've just been around forever and easy to remember. I use them occasionally for troubleshooting or if I need to go to an ISP website to fix someone's computer...

kieranmullen
Premium
join:2005-12-12
Portland, OR

Re: OpenDNS

said by jester121:

No clue about that, we run our own internal DNS. The thing is that Level 3's 4.2.2.x servers aren't "officially" open to the public like OpenDNS ones are, they've just been around forever and easy to remember. I use them occasionally for troubleshooting or if I need to go to an ISP website to fix someone's computer...
They are the servers that are used for Verizon FiOS setup too! I wonder if they have some sort of agreement with them. Simply typing DNS in the help section of Verizon.net did not yield any results except for a dial-up DNS server.

NetFixer
Freedom is NOT free
Premium
join:2004-06-24
The 'Boro

Re: OpenDNS

said by kieranmullen:

They are the servers that are used for Verizon Fios Setup too! I wonder if they have some sort of agreement with them.
Ask and ye shall receive

nslookup 4.2.2.1
Server:  dcs-gw1.dcs-net
Address:  192.168.10.1
 
Name:    vnsc-pri.sys.gtei.net
Address:  4.2.2.1
 
nslookup 4.2.2.2
Server:  dcs-gw1.dcs-net
Address:  192.168.10.1
 
Name:    vnsc-bak.sys.gtei.net
Address:  4.2.2.2
 
nslookup 4.2.2.3
Server:  dcs-gw1.dcs-net
Address:  192.168.10.1
 
Name:    vnsc-lc.sys.gtei.net
Address:  4.2.2.3
 
-----------------------------------------------------------------------
 
whois gtei.net
 
Registrant:
        Verizon Trademark Services LLC
        Verizon Trademark Services LLC
        1320 North Court House Road
         Arlington VA 22201
        US
        domainlegalcontact@verizon.com +1.7033513164 Fax: +1.7033513669
    Domain Name: gtei.net
        Registrar Name: Markmonitor.com
        Registrar Whois: whois.markmonitor.com
        Registrar Homepage: http://www.markmonitor.com
    Administrative Contact:
        Domain Administrator
        Verizon Trademark Services LLC
        1320 North Court House Road
         Arlington VA 22201
        US
        domainlegalcontact@verizon.com +1.7033513164 Fax: +1.7033513669
    Technical Contact, Zone Contact:
        Domain Technician
        Verizon
        1320 North Court House Road
         Arlington VA 22201
        US
        sysmgr@verizon.com +1.7033513164 Fax: +1.7033513669
    Created on..............: 1997-12-10.
    Expires on..............: 2010-12-08.
    Record last updated on..: 2008-11-06.
    Domain servers in listed order:
    dnsauth3.sys.gtei.net
    dnsauth2.sys.gtei.net
    dnsauth1.sys.gtei.net
 
 
 

The reason that the 4.2.2.x DNS servers are frequently referred to as Level3 servers is that the IP NetRange/CIDR is owned by Level3.

whois 4.2.2.1
 
OrgName:    Level 3 Communications, Inc. 
OrgID:      LVLT
Address:    1025 Eldorado Blvd.
City:       Broomfield
StateProv:  CO
PostalCode: 80021
Country:    US
NetRange:   4.0.0.0 - 4.255.255.255 
CIDR:       4.0.0.0/8 
NetName:    LVLT-ORG-4-8
NetHandle:  NET-4-0-0-0-1
Parent:     
NetType:    Direct Allocation
NameServer: NS1.LEVEL3.NET
NameServer: NS2.LEVEL3.NET
Comment:    
RegDate:    
Updated:    2004-06-04
OrgAbuseHandle: APL8-ARIN
OrgAbuseName:   Abuse POC LVLT 
OrgAbusePhone:  +1-877-453-8353
OrgAbuseEmail:  abuse@level3.com
OrgTechHandle: ARINC4-ARIN
OrgTechName:   ARIN Contact 
OrgTechPhone:  +1-800-436-8489
OrgTechEmail:  arin-contact@genuity.com
OrgTechHandle: TPL1-ARIN
OrgTechName:   Tech POC LVLT 
OrgTechPhone:  +1-877-453-8353
OrgTechEmail:  ipaddressing@level3.com
 
 
 
--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower
Test your firewall.
Smell the flowers.

kieranmullen
Premium
join:2005-12-12
Portland, OR

Re: OpenDNS

ask... well I suppose I could have looked it up as well.

Why would Level3 have a hold on IP blocks from Verizon? You would think that Verizon would have many of its own blocks registered.

»www.isp-planet.com/news/2002/lvl···129.html

Level3 bought Genuity, which was GTE's networking arm, I believe. Verizon bought GTE.

Never mind, it's a mess that does not benefit me in any way to know. I will just assume for the foreseeable future that the Level 3 servers will work with Verizon FiOS.

NetFixer
Freedom is NOT free
Premium
join:2004-06-24
The 'Boro

Re: OpenDNS

said by kieranmullen:

Why would level3 have a hold on IP blocks from verizon? You would think that verizon would have many of its own blocks registered.
Why would Microsoft need to use Akamai Technologies servers and IP addresses? The simple answer is that corporations subcontract and sublease services and properties from other corporations all the time.

kieranmullen
Premium
join:2005-12-12
Portland, OR

Re: OpenDNS

I believe the above lends some information on the intermixing...

said by NetFixer:

said by kieranmullen:

Why would level3 have a hold on IP blocks from verizon? You would think that verizon would have many of its own blocks registered.
Why would Microsoft need to use Akamai Technologies servers and IP addresses? The simple answer is that corporations subcontract and sublease services and properties from other corporations all the time.

NetFixer
Freedom is NOT free
Premium
join:2004-06-24
The 'Boro

Re: OpenDNS

said by kieranmullen:

I believe the above lends some information on the intermixing...

I believe the term for this type of perpetual post buyout/merger usage is grandfathering.

kontos
xyzzy

join:2001-10-04
West Henrietta, NY
said by kieranmullen:
nslookup 4.2.2.1
Server:  dcs-gw1.dcs-net
Address:  192.168.10.1
 
Name:    vnsc-pri.sys.gtei.net
Address:  4.2.2.1
 
nslookup 4.2.2.2
Server:  dcs-gw1.dcs-net
Address:  192.168.10.1
 
Name:    vnsc-bak.sys.gtei.net
Address:  4.2.2.2
 
nslookup 4.2.2.3
Server:  dcs-gw1.dcs-net
Address:  192.168.10.1
 
Name:    vnsc-lc.sys.gtei.net
Address:  4.2.2.3
 
I suspect that that is a result of sloppy reverse DNS management on Level3's part.
Verizon (gtei.net) doesn't seem to agree that those hostnames are theirs:
kontos:~$ host vnsc-pri.sys.gtei.net
vnsc-pri.sys.gtei.net does not exist, try again
kontos:~$ host vnsc-bak.sys.gtei.net
vnsc-bak.sys.gtei.net does not exist, try again
kontos:~$ host vnsc-lc.sys.gtei.net
vnsc-lc.sys.gtei.net does not exist, try again
 

and the servers appear to indicate that they are managed by Level3:

kontos:~$ dig @4.2.2.1 ch txt version.bind
 
; <<>> DiG 9.3.4-P1.1 <<>> @4.2.2.1 ch txt version.bind
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38023
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
 
;; QUESTION SECTION:
;version.bind.                  CH      TXT
 
;; ANSWER SECTION:
version.bind.           0       CH      TXT     "If you have a legitimate reason for requesting this info, please contact hostmaster@Level3.net"
 
;; Query time: 6 msec
;; SERVER: 4.2.2.1#53(4.2.2.1)
;; WHEN: Tue Nov 11 15:13:02 2008
;; MSG SIZE  rcvd: 137
 
 

Raphion

join:2000-10-14
Samsara
I have 4.2.2.4-5 as my DNS, but when I go to »entropy.dns-oarc.net/test/ it tells me my server names are:
1. 209.244.5.159 (ics2.Atlanta1.Level3.net)
2. 209.244.7.132 (unknown.Level3.net)
No gtei there. As I understand it, those 4.2.2.x addresses aren't actually server addresses, but rather, requests to those addresses are routed to the nearest available Level3.net DNS servers.

backfeed
is giving feedback

join:2002-12-16
Peru, IN
Reviews:
·Comcast
I am using OpenDNS now on my networks. I have used Level 3's in a pinch, but I always thought that it was wrong to use them as a standard. They do work well, but I am really surprised that they have left them open to the public for so long...
--
There are 10 types of people: those who can read binary and those who cannot.

NetAdmin1
CCNA

join:2008-05-22
said by jester121:

That will be a very interesting day in the IT field, when we learn who's sloppy and who's not.
Or who can remember their ISP's DNS servers. 4.2.2.2 was such a great server because it was so easy to use during an initial setup when you didn't have easy access to your ISP's DNS addresses or just plain forgot the DNS server address.
--
Drilling for more oil is akin to giving a methhead the keys to the meth lab.

NetFixer
Freedom is NOT free
Premium
join:2004-06-24
The 'Boro
Re: OpenDNS

said by NetAdmin1:

said by jester121:

That will be a very interesting day in the IT field, when we learn who's sloppy and who's not.
Or who can remember their ISP's DNS servers. 4.2.2.2 was such a great server because it was so easy to use during an initial setup when you didn't have easy access to your ISP's DNS addresses or just plain forgot the DNS server address.
I think the "interesting day" and "sloppy" references are about the unknown thousands of PCs currently using the 4.2.2.x DNS servers because some tech did a quick fix 5 years ago and now nobody even remembers that it had been done.

The downtime and ISP and IT department headaches that will result on the day those DNS servers become restricted to authorized users could rival the problems caused by Blaster and Welchia.

jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
kudos:1
said by NetFixer:

said by baineschile:

The only way to go.

OpenDNS is certainly ONE solution, but it is definitely NOT the ONLY solution.

In fact, the DNS servers used by your ISP (Comcast) are also immune to the Kaminsky DNS vulnerability referred to in the article.
That is correct.

Jason
--
JL
Comcast

baineschile
2600 ways to live
Premium
join:2008-05-10
Sterling Heights, MI
Obviously there are plenty of alternatives, most of which are safe. I just saw such an increase in page loading and Java when I switched to OpenDNS.

AnonNane

@trit.net

1 In 10 DNS Servers Vulnerable...

I wonder if 1 in 10 Internet users know what this means?

knightmb
Everybody Lies

join:2003-12-01
Franklin, TN

Re: 1 In 10 DNS Servers Vulnerable...

said by AnonNane:

I wonder if 1 in 10 Internet users know what this means?
Good point.
--
Fight NebuAD and the like:
Click Here to pollute their data

DOStradamus
MVM
join:2003-11-04
Forestville, CA

Drinking Milk Leads to Heroin Addiction, Too!

I strongly suspect that the over-simplified definition of "vulnerable" is leading to inflated figures to one degree or another.

I run my own DNS, AUTH for the handful of names I own, and purposely run it open/recursive. Why? I often need DNS access for troubleshooting purposes, for situations where the DNS servers a client is supposed to use can't be found or determined, and a couple of others.

My DNS isn't vulnerable, however. Why? Along with DNS, I also run email, FTP, SSH, HTTP, and a few other services. I monitor them all for single-digit thresholds of failed logins, "404"s, and a dozen or so DNS lookups that originate from the same /24 network. When "hit", a text message is sent to my cellphone alerting me about the door that's about to be slammed shut.

I'd love to see someone grab the Tarpit code from Iptables, and package it into a command where I can send an abusive connection to "Pico and Sepulveda"...

-NK

kontos
xyzzy

join:2001-10-04
West Henrietta, NY

Re: Drinking Milk Leads to Heroin Addiction, Too!

said by DOStradamus:

My DNS isn't vulnerable, however. Why? Along with DNS, I also run email, FTP, SSH, HTTP, and a few other services. I monitor them all for single-digit thresholds of failed logins, "404"s, and a dozen or so DNS lookups that originate from the same /24 network. When "hit", a text message is sent to my cellphone alerting me about the door that's about to be slammed shut.
It is not the queries that will poison your cache, it's the answers. A well designed attack will get a trusted user to generate the initial queries (maybe via a webpage with a bunch of IMG SRC="" tags).
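A toy model of the race described in the reply above, and of why the article's "not patched" amounts to "trivially vulnerable". This is an added example, not code from the thread or from any real resolver. It assumes a resolver that accepts a UDP reply only when the source address, destination port, transaction ID and question match its outstanding query; the unpatched resolver sends every query from one fixed source port, the patched one from a random ephemeral port in 1024-65535 (both assumptions, chosen to model the 2008 fix). The attacker never queries the resolver at all: each round it makes the trusted client look up a never-seen name, then floods forged replies source-spoofed as the authoritative server, and a single accepted forgery carries an in-bailiwick record for www.example.com. Addresses are from the documentation ranges and the window of 100 forgeries per round is constructed.

```python
import random
from dataclasses import dataclass, field
from typing import Optional

# Constructed addresses (documentation ranges), not the servers discussed in the thread.
AUTH_NS_IP = "198.51.100.10"   # what the resolver believes is example.com's authoritative server
CLIENT_IP = "192.0.2.25"       # a trusted stub client behind the resolver
TXID_SPACE = 65536             # 16-bit transaction ID
PORT_RANGE = (1024, 65536)     # ephemeral ports a patched resolver picks from (assumption)


@dataclass
class ToyResolver:
    rng: random.Random
    randomize_port: bool
    cache: dict = field(default_factory=dict)
    pending: Optional[tuple] = None                        # (qname, txid, source_port)
    queries_by_net: dict = field(default_factory=dict)     # /24 -> query count: what a query-rate monitor sees

    def query_from_client(self, client_ip, qname):
        """A stub client asks for qname; send one upstream query and remember its ID and port."""
        net = ".".join(client_ip.split(".")[:3]) + ".0/24"
        self.queries_by_net[net] = self.queries_by_net.get(net, 0) + 1
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.randrange(*PORT_RANGE) if self.randomize_port else 53  # unpatched: one fixed port
        self.pending = (qname, txid, port)

    def receive_reply(self, src_ip, dst_port, txid, qname, rdata, extra):
        """Accept a reply only if source IP, destination port, ID and question all match."""
        if self.pending is None:
            return False
        pq, ptxid, pport = self.pending
        if src_ip != AUTH_NS_IP or dst_port != pport or txid != ptxid or qname != pq:
            return False
        self.cache[qname] = rdata
        # Kaminsky's twist: the reply's authority/additional records name hosts in the
        # parent zone, which are in bailiwick, so one accepted forgery rewrites www.
        for name, ip in extra.items():
            if name.endswith(".example.com."):
                self.cache[name] = ip
        self.pending = None
        return True


def run_attack(randomize_port, forgery_budget, window=100, seed=2008):
    """Simulate the race until the cache is poisoned or the forgery budget runs out."""
    resolver = ToyResolver(rng=random.Random(seed), randomize_port=randomize_port)
    attacker = random.Random(seed + 1)
    sent = rounds = 0
    while sent < forgery_budget:
        rounds += 1
        # The attacker sends no query of its own: the trusted client is made to look up a
        # fresh name (an <img src> on a page it visits), forcing a new upstream query.
        qname = f"r{rounds}.example.com."
        resolver.query_from_client(CLIENT_IP, qname)
        # The race: `window` forged replies, spoofed from AUTH_NS_IP, land before the real one.
        for _ in range(window):
            sent += 1
            port_guess = attacker.randrange(*PORT_RANGE) if randomize_port else 53
            if resolver.receive_reply(AUTH_NS_IP, port_guess, attacker.randrange(TXID_SPACE),
                                      qname, "203.0.113.66", {"www.example.com.": "203.0.113.66"}):
                return _result(resolver, rounds, sent, True)
            if sent >= forgery_budget:
                break
        # The genuine reply arrives and closes the window for this round.
        if resolver.pending is not None:
            q, t, p = resolver.pending
            resolver.receive_reply(AUTH_NS_IP, p, t, q, "198.51.100.77", {})
    return _result(resolver, rounds, sent, False)


def _result(resolver, rounds, sent, poisoned):
    return {"poisoned": poisoned, "rounds": rounds, "forgeries": sent,
            "www": resolver.cache.get("www.example.com."),
            "queries_by_net": dict(resolver.queries_by_net)}


if __name__ == "__main__":
    for label, randomize in (("fixed source port", False), ("random source port", True)):
        outcome = run_attack(randomize_port=randomize, forgery_budget=1_000_000)
        print(label, outcome)
```

With the fixed port the attacker only has to hit a 16-bit ID, so on the order of 65,000 forged replies suffice; with a random ephemeral port the search space is about 65,536 times larger and the same budget fails. Either way the resolver's per-/24 query counter holds only the trusted client's network: the forged packets are replies, not queries, and they carry the authoritative server's address, which is why thresholds on incoming lookups per source network do not see this attack.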

© 1999-2012 dslreports.com.