Overclockers Australia Forums
4th May 2010, 5:38 PM   #1
mike-s (Thread Starter), Member, Join Date: Dec 2003, Location: Sydney, Australia, Posts: 1,850
Be alert but not alarmed, DNSSEC rollout completes 6am tomorrow!

original article here

For those who can't be arsed reading the article (tl;dr if you will), the way DNS works on the internet is a-changing and your old router or firewall may not be able to take the change in behaviour.

This change isn't likely to affect residential users, as it's likely to be filtered/made transparent by your ISP. But for those of us in corporate-world, DNS is changing. DNSSEC rollout is nearing completion and as of tomorrow all root DNS servers will give out digital signatures with every DNS request. For some old devices (or the networks behind them) the immediate effect is that DNS might magically stop, as the reply size will increase from a maximum of 512 bytes to a total of 2k. The reason behind this is that originally it was assumed that the reply would never need to go above 512 bytes, so a lot of equipment automatically drops DNS response packets that exceed that size.

Tomorrow may not affect you whatsoever, or it may be the day you realise you and your network are both up shit creek. You have been warned.
__________________
Successful trades: RakOon, drfbro, mR_CaESaR, Spyfox
If I've got crap for sale on ebay you like, click here.
Old hardware giveaway thread here.
Sony Vaio Club Member #21

4th May 2010, 6:23 PM   #2
cs-cam, Member, Join Date: Oct 2007, Location: Brisbane, QLD, Posts: 740

Quote:
Originally Posted by mike-s
The reason behind this is that originally it was assumed that the reply would never need to go above 512 bytes, so a lot of equipment automatically drops DNS response packets that exceed that size.
The reason is DNS currently uses UDP for transport; however, with responses larger than 512 bytes (as of tomorrow, all of them) it falls back to TCP. If your firewall is only configured to allow UDP requests on port 53 then you're going to have problems. Anything else and you're fine.

4th May 2010, 8:34 PM   #3
evilasdeath, Member, Join Date: Jul 2004, Posts: 3,629

Changes will happen between 17:00 and 19:00 UTC.

17:00:00 Wednesday May 5, 2010 in UTC converts to
03:00:00 Thursday May 6, 2010 in GMT+10

19:00:00 Wednesday May 5, 2010 in UTC converts to
05:00:00 Thursday May 6, 2010 in GMT+10

Thursday's the day in Australia.

I think it could be an awesome start to Thursday more so than Wednesday if shit hits the fan.

4th May 2010, 9:44 PM   #4
caironet16, Member, Join Date: Mar 2002, Posts: 233

http://www.southparkstudios.com/clips/166182

But srsly, if this happens for real I will be super bored.

5th May 2010, 7:03 AM   #5
mike-s (Thread Starter), Member, Join Date: Dec 2003, Location: Sydney, Australia, Posts: 1,850

Quote:
Originally Posted by cs-cam
The reason is DNS currently uses UDP for transport; however, with responses larger than 512 bytes (as of tomorrow, all of them) it falls back to TCP. If your firewall is only configured to allow UDP requests on port 53 then you're going to have problems. Anything else and you're fine.
I didn't realise there would be a whole fallback to TCP, you learn something new every day. Some people are going to be a whole new level of screwed.

Quote:
Originally Posted by evilasdeath
Thursday's the day in Australia.

I think it could be an awesome start to Thursday more so than Wednesday if shit hits the fan.
I'll blame my boss, he initially mentioned this as a problem that is going to happen today and I took his word on that *facepalm*

Quote:
Originally Posted by Doc-of-FC
muahahaha, I dare you to connect to my open wifi network called internet... no I'm not running dnsspoof, no I'm not running sslstrip and no I'm not logging my network to pcap files
Cruel yet malicious, I kinda like it!

5th May 2010, 8:34 AM   #6
Falkor, Member, Join Date: Jun 2001, Location: Sydney, Posts: 3,348

So how do we properly prepare for this then?

Is there any info anywhere?

I've been looking around, but am probably looking in the wrong places.
__________________
Save the whales, Collect the whole set! .:|:. Now faith is being sure of what we hope for and certain of what we do not see - Hebrews 11:1

5th May 2010, 9:31 AM   #7
caironet16, Member, Join Date: Mar 2002, Posts: 233

Quote:
Originally Posted by Falkor
So how do we properly prepare for this then?

Is there any info anywhere?

I've been looking around, but am probably looking in the wrong places.
All you can do is hope for the best. Hopefully everything just works, but judging by the sheer vastness of the internet there are bound to be problems, IMO.

For instance, if someone was waiting to launch a DDoS attack on the root DNS servers, they would probably wait until some of them go down for the upgrade and then target the remaining ones.

Apart from that, the odd DNS server will probably fall over.

Maybe have a list of backup IPs ready just in case.

5th May 2010, 10:20 AM   #8
Falkor, Member, Join Date: Jun 2001, Location: Sydney, Posts: 3,348

Ok, well, for anyone interested: we run Cisco ASAs and have an MS network, so we have MS DNS servers.

By default on the ASAs it's set to a max DNS packet size of 512 bytes. (Well, mine were.)
I changed it here:

policy-map type inspect dns
 parameters
  message-length maximum 2048

And our MS DNS servers weren't enabled for EDNS, which is required for >512 bytes. So I followed the instructions here to do that:
http://technet.microsoft.com/en-us/l...30(WS.10).aspx

I found the test tool in the ITNews article helpful.

5th May 2010, 10:36 AM   #9
evilasdeath, Member, Join Date: Jul 2004, Posts: 3,629

Well, I finally found some reading:

http://www.root-dnssec.org/2010/05/03/status-update/

The 5th of May is just when J root starts handing out DURZ; every other name server has already been doing this for ages with no ill effects.

5th May 2010, 3:49 PM   #10
mike-s (Thread Starter), Member, Join Date: Dec 2003, Location: Sydney, Australia, Posts: 1,850

The main reason this whole stink was being kicked up is that the last server that you could "fall back" to if the others didn't provide a satisfactory response for your system is now being upgraded to DNSSEC. Which means if you have network gear that is not compatible with the new format and some upstream equipment isn't providing a reverse translation for you, you're in the shit.

Last edited by mike-s; 5th May 2010 at 4:51 PM. Reason: grammar

5th May 2010, 4:09 PM   #11
Iceman, Member, Join Date: Jun 2001, Location: Brisbane (nth), Australia, Posts: 6,484

I'd really like a test to confirm my Server 2003 DNS and firewall can handle this. None of the ones I've found are particularly conclusive.
__________________
_,`,_,`,_,`,_

WTB: Cisco 1801-M PM me
Please rehash my posts and pass them off as your own ideas! Triple points for doing it in the same page of the thread. Plagiarism is the sincerest form of copyright infringement.
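An added example (not from this thread or any of its posters) of the kind of check Iceman asks for and that Falkor's ASA message-length and EDNS changes are meant to satisfy: a Python probe that sends a root DNSKEY query with an EDNS0 OPT record advertising a 4096-byte UDP buffer and reports whether the reply came back whole or with the TC (truncated) bit set, the sign that something on the path is still capping UDP replies at 512 bytes and a TCP retry on port 53 will follow. The resolver address passed to probe() is yours to supply, and the sample replies used for the offline run are constructed, not captured traffic.

```python
import socket
import struct

TYPE_DNSKEY, TYPE_OPT = 48, 41

def encode_name(name):
    """Wire-format a dotted name; '.' (the root) is a single zero byte."""
    labels = [lab for lab in name.strip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def build_edns_query(name=".", qtype=TYPE_DNSKEY, udp_size=4096, txid=0x1234):
    """One question plus an OPT pseudo-RR advertising `udp_size` bytes (EDNS0, RFC 6891)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, CLASS field = advertised UDP size, TTL field = ext flags, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return header + question + opt

def parse_header(reply):
    """Header fields that matter for the 512-byte question: TC bit, RCODE, size."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {"id": txid, "truncated": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "answers": an, "size": len(reply)}

def verdict(reply):
    """Classify a reply: TC set means the resolver or path capped UDP at 512 bytes."""
    h = parse_header(reply)
    if h["truncated"]:
        return "truncated"      # resolver will retry over TCP/53, which the firewall must allow
    if h["size"] > 512:
        return "large-udp-ok"   # an EDNS0 reply above 512 bytes made it through intact
    return "inconclusive"       # reply fit in 512 bytes, so the limit was never exercised

def probe(resolver, timeout=3.0):
    """Send the root DNSKEY query to `resolver` over UDP and classify the reply (needs network)."""
    query = build_edns_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        reply, _ = s.recvfrom(65535)
    return verdict(reply)

def constructed_reply(txid=0x1234, truncated=False, size=600):
    """Constructed sample reply (not captured traffic) so the classifier can run offline."""
    flags = 0x8180 | (0x0200 if truncated else 0)   # QR, RD, RA, optionally TC
    return struct.pack("!HHHHHH", txid, flags, 1, 2, 0, 1) + b"\x00" * (size - 12)

if __name__ == "__main__":
    print(verdict(constructed_reply(size=1300)))
    print(verdict(constructed_reply(truncated=True, size=512)))
```

Run probe() against the internal DNS server from a client behind the firewall: "truncated" on a resolver that answers "large-udp-ok" when asked directly points at the firewall or an inspection policy rather than the server.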

6th May 2010, 8:24 AM   #12
Falkor, Member, Join Date: Jun 2001, Location: Sydney, Posts: 3,348

Well the world didn't end, so I think we are ok!

6th May 2010, 8:55 AM   #13
gords, Thread Killer, Join Date: Aug 2001, Location: Sydney, Australia, Posts: 6,369

It might take some time to see the results of the changes due to cached DNS results though.
__________________
"Grace is God giving us what we do not deserve and mercy is God not giving us what we do deserve."

"The beauty of grace is that it makes life not fair." - Relient K, Be My Escape

"God shows his love for us in that while we were still sinners, Christ died for us." Romans 5:8

6th May 2010, 1:51 PM   #14
darth_wolf, Member, Join Date: Jul 2007, Posts: 1,648

Next G network died in QLD at around 5am, didn't it?

Could it be DNS-related?

6th May 2010, 2:16 PM   #15
caironet16, Member, Join Date: Mar 2002, Posts: 233

Quote:
Originally Posted by darth_wolf
Next G network died in QLD at around 5am, didn't it?

Could it be DNS-related?
Quite possible. AAPT seems fine; I'm on the 24/7 Unlimited plan, working great.
All times are GMT +10.