From: Rene Rasmussen
To: gentoo-user@lists.gentoo.org
Date: Sat, 30 Mar 2013 15:53:29 +0100
Subject: Re: [gentoo-user] How to prevent a dns amplification attack

On Sat, 30 Mar 2013 13:06:16 +0100 Norman Rieß wrote:

>
> On 29.03.2013 at 23:34, Paul Hartman wrote:
>
> > On Thu, Mar 28, 2013 at 7:49 PM, Peter Humphrey wrote:
> >> On Thursday 28 March 2013 20:53:49 Paul Hartman wrote:
> >>
> >>> In my case, my ISP's DNS servers are slow (several seconds to
> >>> reply), fail randomly when they should resolve, return an IP
> >>> (which goes to their ad-laden "helper" website if you are using a
> >>> web browser) when they should instead return nxdomain, and they
> >>> have openly admitted to selling customer DNS lookup history to
> >>> marketers for targeted advertising.
> >>
> >> That is just evil. Have you no alternative to this ISP?
> >
> > Not really.
> >
> > I have a 100 megabit connection through the cable company; my only
> > wired alternative is DSL (1.5 mbit for almost half the price I'm
> > paying for 100mbit). Cellular or satellite are not viable options
> > for me because of comparatively poor value, latency and minuscule
> > data usage caps.
>
> > […]
> >
> > It is no longer legal for local governments to award monopolies, but
> > the damage has been done. What we have is essentially the cable TV
> > infrastructure that was laid out during the decade when local cable
> > monopolies were legal, and the cost of entry for a new player into
> > the market now is so high that nobody ever bothers. End result for
> > consumers is a lack of choice. There are some places where
> > competition exists, but those places are pretty rare, in my
> > experience.
> >
> > There are some other possible alternatives to cable internet and
> > DSL, such as municipal wifi, mesh networks, powerline and FTTx, but
> > none are available where I live.
> >
> > The service I receive from the cable company here is actually
> > excellent, with the exception of the aforementioned DNS woes.
> >
> > Pretty much every major ISP in the US does DNS-hijacking and other
> > shenanigans, so there's no avoiding the evilness. I believe the
> > board members of major cable and telecom companies would sell their
> > own mothers into slavery if it meant a rise in share prices or a
> > larger bonus at the end of the year...
> >
>
> That is pretty much the same as what happened in Germany. The
> telephone network was built by the German postal service in the past
> and was run by the government. As we all know everything works better
> and cheaper when things are privatized, so the Deutsche Telekom was
> created and with it a semi monopoly overnight. Regions not dense
> enough are not part of the developing plans of any of the companies.
> So if you are lucky like me, you are stuck with 16mbit DSL provided
> by one company rented by another company. If people start to build
> their own network or a competitor reaches for a specific
> underdeveloped region, this region gets an upgrade like to DSL 3 Mbit
> or something like that, so the competitors draw off. If you are really
> lucky you live in a region which is really dense or a cable company
> provides you with internet, so you get 100mbit. But this is only a
> fraction of all people. If the government is confronted with this
> they say, the market will regulate that, which it does not. And if
> voices get too loud, they tell the companies to develop the
> underdeveloped regions, they shake hands on TV and nothing happens.
> And as Paul said, most ISPs do DNS-hijacking and the like, which
> breaks things in incredibly unexpected ways.
>
> So when I wrote this post to the mailing list and got answers like
> "unnecessary crap" and "why make it available for everyone" I thought
> these to be answers of some weirdos which should be ignored. Here you
> do not trust your ISP… you use the ISP which sucks less or the only
> one that gives you any internet at all. If you reach a certain level
> of knowledge, you change your DNS settings to free DNS servers and if
> you run a resolver you do it for the other poor souls as well. There
> are lists of unfiltered DNS servers
> (http://www.ungefiltert-surfen.de/nameserver/de.html), which are
> checked regularly if they provide unfiltered answers and the like. And
> there are howtos for the average user on how to change the DNS
> settings and to avoid your ISP's DNS servers.
>
> Regards
> Norman
>

There is also the possibility to use opendns.com. I've been using them
for years, and have not had any trouble. I started using them when my
ISP decided to block some sites. And their standard service is free :)

Best regards,
Rene