Hashemian Blog

Web Tools, Financial Markets, Technology

Thursday, August 28, 2008

DNS Vulnerability

While programming is my main focus at my company, one of my side jobs at work is networking. I have no complaints as I'm curious and interested in the inner workings of computer networks. Our IT department handles most of the networking tasks, but I usually find myself getting involved in setting up connectivity in the company. Whether it's a firewall, a router, a reverse proxy, or a DNS server, I find the networking field too fascinating to ignore.

That's why when the latest DNS vulnerability, discovered by Dan Kaminsky, came to light in April 2008, I began investigating our DNS servers to determine the risk factors. Dan's site contains a simple tool to assess the risk and it identified all of our caching DNS servers as vulnerable. A patch from Microsoft took care of our Windows-based DNS servers, but there was also a Fedora server in the mix running an old version of BIND that needed attention. Patching that server would have required upgrading to a newer version of Fedora.

I knew I could buy some time using the safety-in-numbers logic, but today I finally decided to tackle that server and plug the hole. My intention was to install the newest version of Fedora (version 9) on new hardware and then add a patched version of BIND on top. BIND is a great name server product, but it has a large footprint that seems like overkill for a caching server. There are several other free DNS products out there, so I began to look for an alternative.

My search eventually led me to PowerDNS (PDNS) and I decided to give that product a try. After installing Fedora 9 on the server, I downloaded the latest RPM of PDNS and promptly installed it. PDNS comes in two flavors: the authoritative version and the caching version, known as Recursor, which is the one I was interested in. The install was a breeze and the configuration was as easy as importing some of the data from the old BIND server and making some quick edits to the recursor.conf file. A server restart to make sure everything was in order, and I had the new caching server up and running, resolving names.

PDNS has been free of the DNS cache poisoning vulnerability for a few years now, and Dan's site confirmed that the new server was indeed running at much safer levels.
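The check that Dan's tool performs boils down to looking at the resolver's own outgoing queries: a resolver that always sends from one UDP port, or that counts its transaction IDs upward, is the one cache poisoning works against. The following is an added Python example, not code from this post, PowerDNS or BIND; the capture log format and the two sample logs are constructed for illustration.

```python
"""Check a caching resolver's outgoing queries for source-port randomization.
Added example, not code from the post, PowerDNS or BIND. Kaminsky-style poisoning
is practical when every query leaves from one fixed UDP port, so only the 16-bit
TXID must be guessed. Logs are constructed samples: "src_ip:src_port txid".
"""
import math
import re
from collections import Counter

# Constructed sample: unpatched behaviour, fixed port 53 and counting TXIDs.
FIXED_PORT_LOG = """\
10.0.0.53:53 0x1a2b
10.0.0.53:53 0x1a2c
10.0.0.53:53 0x1a2d
"""
# Constructed sample: patched behaviour, random high ports and random TXIDs.
RANDOM_PORT_LOG = """\
10.0.0.53:41922 0x9f3c
10.0.0.53:57013 0x02e1
10.0.0.53:33870 0xc4a7
"""
LINE_RE = re.compile(r"^\S+:(\d+)\s+0x([0-9a-fA-F]{4})$")

def parse_queries(log):
    """Return (source_port, txid) pairs, skipping lines that do not match."""
    pairs = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((int(m.group(1)), int(m.group(2), 16)))
    return pairs

def entropy_bits(values):
    """Shannon entropy of the observed values in bits (0.0 for a constant)."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def assess(log):
    """Summarize port and TXID behaviour; 'vulnerable' flags either weakness."""
    pairs = parse_queries(log)
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    sequential = len(txids) > 1 and all(b - a == 1 for a, b in zip(txids, txids[1:]))
    return {
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "sequential_txid": sequential,
        "vulnerable": len(set(ports)) == 1 or sequential,
    }
```

With a real capture of a resolver's upstream queries in the same format, a handful of distinct ports and a low entropy figure is the same signal the online test reports as unsafe.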

There is little doubt that the bad guys are hard at work to poison as many DNS servers as they can get their hands on. If your unpatched servers haven't been targeted yet, it's only a matter of time before they are. Whatever method or product you use to avert this risk, the sooner you do it, the better. As a quick alternative, you can use one of several free and already safe services like the one offered by OpenDNS.com as direct name servers or as forwarders on your caching servers.


Monday, December 24, 2007

ARP, arping, and MAC

Sometimes one can become so comfortable with something that one becomes blind to the underlying technology. Such was the case with me a few days ago when I was trying to delete an IP address from one Linux node on the network and assign it to another.

The problem was that the new node would remain inaccessible on the network. It would eventually show up, but that didn't make troubleshooting easy. We're all so used to plugging a node into a switch and having it up and running that we forget that underneath the IP address there's the MAC address, with the DNS-like ARP tables running on switches and nodes.

Apparently the "service network reload" command on the Linux box wasn't making any ARP announcements on the network, leaving the ARP tables (evidently with long aging timers) with the old mappings. That explains why the new Linux node would remain inaccessible for some time.

I'm not sure if the network subsystem in Linux is supposed to advertise a new IP-to-MAC mapping (possibly using an ARP request). Strangely, even a reboot wouldn't fix this problem. It is possible that the firewall (iptables) rules were preventing this. Whatever the case, a manual ARP request using the arping command seemed to resolve this. Here's the syntax (with a phony IP):
arping -U -I eth0 192.168.100.100
arping is a useful Linux tool similar to the ping command, but operating at the MAC level. I suppose there's a good chance that even pinging a node on the local network from the Linux box would have done the trick and updated the ARP tables. Anyway, if you find yourself in a similar situation, check the ARP tables on your switches. They're so easy to forget.
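What the arping command above actually puts on the wire is a gratuitous ARP: a broadcast ARP request in which the sender IP and target IP are the same address, so every node and switch on the segment overwrites its stale entry. Here it is built and decoded as an added Python example (not code from this post or from arping); the MAC address is a constructed sample value, the IP is the post's phony 192.168.100.100, and the layout follows the Ethernet/ARP wire format.

```python
"""Build and decode the gratuitous ARP frame that `arping -U` sends.
Added example, not code from the original post or from the arping tool. A
gratuitous ARP request carries the same address as sender and target IP and is
broadcast so every node and switch refreshes its mapping for that IP. The MAC
below is a constructed sample value; the IP is the post's phony 192.168.100.100.
"""
import struct

ETH_BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
# htype 1 = Ethernet, ptype 0x0800 = IPv4, 6-byte MAC, 4-byte IPv4 address.
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def gratuitous_arp(src_mac, ip):
    """Ethernet frame with a gratuitous ARP request announcing ip at src_mac."""
    # Target MAC is unused in a request and left zero; target IP == sender IP.
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REQUEST,
                       mac_bytes(src_mac), ip_bytes(ip), bytes(6), ip_bytes(ip))
    return ETH_BROADCAST + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP) + arp

def decode_arp(frame):
    """Parse an Ethernet/ARP frame into a dict, or None if it is not ARP."""
    if len(frame) < 14 + ARP_HDR.size or frame[12:14] != b"\x08\x06":
        return None
    _, _, _, _, op, sha, spa, tha, tpa = ARP_HDR.unpack(frame[14:14 + ARP_HDR.size])
    as_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    as_ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sender_mac": as_mac(sha), "sender_ip": as_ip(spa),
            "target_mac": as_mac(tha), "target_ip": as_ip(tpa)}

def is_gratuitous(frame):
    """True for an ARP request whose sender IP equals its target IP."""
    arp = decode_arp(frame)
    return arp is not None and arp["op"] == ARP_REQUEST and arp["sender_ip"] == arp["target_ip"]
```

Running decode_arp over frames from a capture taken while the address is moved shows whether the old host ever announced the change; an absence of such frames is exactly the condition described in the post.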


Saturday, February 24, 2007

Company Meetings

I hate company meetings. I understand that sometimes they are necessary evils and on occasion they are useful, but generally I've found them to be a waste of time. That was my feeling when I worked at one of the largest companies in the world, and today, working for a small company, I am just as contemptuous towards meetings.

It's not that I have disrespect for my colleagues or my superiors. One problem is that I have a short attention span, and if I don't feel a vibe within five minutes into the meeting, my mind starts to wander. One time I was berated by my boss at that large company for doodling during a meeting. I told him that it actually helped me concentrate. When he pushed, I stopped the Picasso artwork and transferred the work to my mind. My thoughts drifted to a programming project I was working on, with occasional excursions to food, women, working out, and even old Star Trek episodes.

I've had some good meetings too where I was laser focused. Those were generally held with my counterparts like programmers, system admins, and network engineers. You know, the types of people that I can actually learn something from and there's an educational and productive discourse.

This is not to say that I don’t feel guilty about my attitude. I have often viewed other people in meetings with envy and wonder. How could they possibly hold their focus during these boring meetings? But then along the way something wonderful happened that finally helped to relieve my guilt, at least partially. It was a validation of sorts to observe that most people in meetings weren't as focused as they appeared to be.

The next time you're in your company's meeting, take a look around at the participants. You will hear mouse clicks and keyboard taps on open laptops, and see slumped heads focused on Blackberries and Treos, conveniently hidden under the mahogany table, being frantically scrolled and thumbed, a phenomenon known as "chipmunking". Yeah sure, these guys are really paying attention. Even the argument that they're working during the meeting (multi-tasking) is a weak one at best. Why bother to come to a meeting when there's urgent work to be done? Wouldn't they be more productive at their desks, where they don't have to fake interest in the topic being discussed?

Certainly I am not the only one complaining about this. Here's an article in a recent issue of CIO magazine I stumbled upon bemoaning the same issue. Then again, I'm not really complaining. In fact, I am hoping that recognizing the dubious value of frequent meetings, companies cut back on the frivolous gatherings, leaving only the necessary and productive ones. It would also help if aviation rules of take-off were fully enforced, requiring all participants to leave their devices in the off position during the meeting.

Monday, January 29, 2007

Bypassing Dell for HP

In the not-too-distant past, Dell was king of the hill, at least when it came to computer hardware. I still remember their old one-page ads on the backs of PC magazines taunting Compaq and bragging about their cheaper prices. Dell was unstoppable, and its stock was a reflection of how rapidly this company grew to become the favorite destination of many PC buyers. Some might even believe that the decline of Gateway came as a result of Dell's efficiency. There were also a number of years when Dell and Compaq (later acquired by HP) were locked in a heated battle over who had shipped the most PCs. Dell is still a powerhouse, but HP wasn't about to lay down its arms and surrender.

Because I am a programmer, somehow people believe I can give good advice on buying a PC or laptop. I used to keep things simple and tell them to shop Dell. But the other day when my wife asked me to help her choose a laptop, I flat out didn't even mention Dell. I checked out HP, Toshiba, and IBM (Lenovo) but didn't even bother with Dell. Then I wondered why.

Dell has been getting quite a string of bad press lately. Perhaps the worst was the laptop battery fiasco. But the bad news also involved their poor customer service. Bad press leads to a bad image, and it's hard to battle back. Redemption takes a lot of work and patience. But for me Dell's tarnished image goes beyond the bad press. It's based on first-hand experience I've had with their servers where I work. I have had a number of problems with the Dell servers I manage for my company. We have been plagued with bad parts and faulty firmware for quite some time. Dell's customer service has been relatively responsive, but dealing with so many headaches has left a bad taste in my mouth, and while their consumer products might not suffer from the same problems, the Dell logo has lost a lot of its appeal for me.

So we finally settled on an HP laptop. Of course, when I tried to place the order online, the order wouldn't go through and I was forced to call HP customer service to finish the transaction. Calling customer service meant being transferred to an Indian call center. These guys aim to please, but heavy accents abound and a quick call turns into a long conversation punctuated by a number of "What?" and "Can you repeat that?" This is by no means exclusive to HP. That's an economic reality firmly proven to me when I called my calling card company a few hours later to report a problem. But that's a different topic. We'll see how the HP laptop, preloaded with Windows Vista, works out when it arrives in a few days.

    © 2001-2008 Robert Vahid Hashemian