From: Michael Mol
Date: Fri, 29 Mar 2013 19:09:13 -0400
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] How to prevent a dns amplification attack
Message-ID: <51561F19.9060606@gmail.com>
In-Reply-To: <51561D51.6090405@iinet.net.au>

On 03/29/2013 07:01 PM, William Kenworthy wrote:
> On 30/03/13 06:34, Paul Hartman wrote:
>> On Thu, Mar 28, 2013 at 7:49 PM, Peter Humphrey wrote:
>>> On Thursday 28 March 2013 20:53:49 Paul Hartman wrote:
>>>
>>>> In my case, my ISP's DNS servers are slow (several seconds to reply),
>>>> fail randomly when they should resolve, return an IP (which goes to
>>>> their ad-laden "helper" website if you are using a web browser) when
>>>> they should instead return nxdomain, and they have openly admitted to
>>>> selling customer DNS lookup history to marketers for targeted
>>>> advertising.
>>>
>>> That is just evil. Have you no alternative to this ISP?
>>
>> Not really.
>>
>> I have a 100 megabit connection through the cable company; my only
>> wired alternative is DSL (1.5 mbit for almost half the price I'm
>> paying for 100mbit). Cellular or satellite are not viable options for
>> me because of comparatively poor value, latency and minuscule data
>> usage caps.
>>
>
> Can you do a tunnel to a cheap VPS instance that can access an external
> DNS, and feed all your DNS queries through it? Considering the problems
> with your existing setup, that looks attractive and you can have sane
> fallbacks if necessary.
>
> I tried this to avoid the "Australia Tax" when online shopping overseas
> and the small additional latency didn't seem to be a problem.

Doesn't even need to be that complicated. Set up a free tunnel with
tunnelbroker.net, and use Hurricane Electric's provided IPv6 DNS servers.
They run the tunnel service as a loss-leader, and if they're doing
anything funky with their DNS data, I haven't heard about it.

Chances are, the local ISP won't be filtering traffic flowing across a
proto41 tunnel. (IPv6 packet as an IPv4 packet payload. It's called a
proto41 tunnel because 41 is placed in the "next protocol" field in the
IPv4 packet.)
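The proto41 encapsulation described in the reply above, as an added example that is not part of the original thread: a small Python parser that recognises IPv4 packets whose protocol field is 41, pulls out the encapsulated IPv6 header, and flags inner UDP/53 traffic, which is what DNS queries routed through such a tunnel look like to anyone watching the IPv4 path. The packet and its addresses are constructed (RFC 5737/3849 documentation ranges) and checksums are left zero; none of this is code from the list or from Hurricane Electric.

```python
import struct
import ipaddress

IPPROTO_IPV6 = 41   # IPv4 "protocol"/next-protocol value that marks a 6in4 (proto41) tunnel
IPPROTO_UDP = 17

def build_6in4_packet(outer_src, outer_dst, inner_src, inner_dst, payload, inner_next=IPPROTO_UDP):
    """Constructed sample: an IPv6 packet carried as the payload of an IPv4 packet.
    Checksums stay zero; this is a parsing demo, not a packet meant to be sent."""
    inner = struct.pack("!IHBB", 0x60000000, len(payload), inner_next, 64)   # ver 6, no TC/flow
    inner += ipaddress.IPv6Address(inner_src).packed
    inner += ipaddress.IPv6Address(inner_dst).packed + payload
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0x4000, 64,
                        IPPROTO_IPV6, 0, ipaddress.IPv4Address(outer_src).packed,
                        ipaddress.IPv4Address(outer_dst).packed)
    return outer + inner

def parse_6in4(frame):
    """Describe the tunnel if frame is IPv4 with protocol 41 wrapping IPv6, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] != IPPROTO_IPV6:
        return None
    ihl = (frame[0] & 0x0F) * 4              # honour IPv4 options when locating the payload
    inner = frame[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None                          # protocol 41 but no IPv6 header: malformed
    payload_len, next_header = struct.unpack("!HB", inner[4:7])
    info = {
        "outer_src": str(ipaddress.IPv4Address(frame[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(frame[16:20])),
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "inner_next_header": next_header,
        "udp_dst_port": None,
    }
    if next_header == IPPROTO_UDP and len(inner) >= 48:
        info["udp_dst_port"] = struct.unpack("!H", inner[42:44])[0]   # UDP header follows IPv6
    return info

def is_dns_over_tunnel(info):
    """True when the encapsulated packet is UDP to port 53: a DNS query riding the tunnel."""
    return info is not None and info["udp_dst_port"] == 53

# Constructed sample: a DNS query (UDP/53, empty body) from a tunnel endpoint to a
# resolver that is reachable only over IPv6, wrapped in the IPv4 tunnel header.
SAMPLE_PACKET = build_6in4_packet("192.0.2.10", "198.51.100.1",
                                  "2001:db8::10", "2001:db8::53",
                                  struct.pack("!HHHH", 40000, 53, 8, 0))

if __name__ == "__main__":
    print(parse_6in4(SAMPLE_PACKET))
```

A capture tool that feeds raw IPv4 frames to parse_6in4 gets the same view an upstream ISP has: it can tell that a tunnel exists and where the inner packet is headed, but the inner DNS content is whatever the IPv6 side carries.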