深圳普联的中继器固件被发现每 5 秒会发送 6 次 DNS 查询和 1 次 NTP 查询。它的固件硬编码了六个 NTP 服务器,没有任何的 DNS 缓存,每 5 秒查询一次这 6 个 NTP 服务器,相比之下 Windows 机器每周才发送一次 DNS 和一次 NTP 查询。
普联的做法违反了 NTP Pool 项目的规定。NTP Pool 项目要求设备制造商和供应商注册自己的 NTP 服务器池如 tplink.pool.ntp.org,不要使用默认的 pool.ntp.org,最多每五分钟检查一次。
time.nist.gov, time-a.nist.gov, time-b.nist.gov, time-nw.nist.gov
au.pool.ntp.org, nz.pool.ntp.org
133.100.9.2, 128.138.140.44, 192.36.144.22
原文链接 https://www.ctrl.blog/entry/tplink-aggressive-ntp
Secure IP: 9.9.9.9 , Blocklist, DNSSEC, No EDNS Client-Subnet
Unsecure IP: 9.9.9.10 , No blocklist, no DNSSEC, send EDNS Client-Subnet
Secure IPv6: 2620:fe::fe , Blocklist, DNSSEC, No EDNS Client-Subnet
Unsecure IPv6: 2620:fe::10 , No blocklist, no DNSSEC, send EDNS Client-Subnet
More information about Quad9 https://www.quad9.net
202.38.93.153 (教育网)
202.141.176.93 (中国移动)
202.141.162.123 (中国电信)
P.S. 5353端口与53端口共享限速配额 Continue reading »
利用域名解析服务器不验证请求源的弱点,DNS放大攻击在过去几年非常流行。攻击者伪装成攻击目标域名向全世界数以百万计的域名解析服务器发送查询请求,域名服务器返回的数据要远大于请求的数据,导致目标遭受了放大数十倍的DDoS攻击。被利用的域名服务器因此每天会收到大量的恶意请求,它也不断的遭受较小规模的DDoS攻击。防止此类攻击的一种方法是实现DNSSEC,验证DNS请求源的身份。但旧的DNS基础架构很难改变。
现在,提供防御DDoS攻击服务的Cloudflare推出了虚拟DNS服务,为域名解析服务器提供基于云端的DNS查询和缓存代理服务,由CloudFlare验证请求源的身份。
Everyone in the DNS community agrees that DNS’s security model is woefully outdated. Conceived at a time when there were fewer computers on the Internet than are housed by even today’s smallest data centers, DNS unfortunately has no strong protection against malicious parties hoping to exploit web users. What little protection it does offer is mostly derived from novel uses of non-security features (e.g., UDP source port and transaction ID randomization).
For more than 15 years, the IETF has been working on DNSSEC, a set of extensions to apply digital signatures to DNS. Millions of dollars in government grants and several reboots from scratch later, DNSSEC is just starting to see real world testing. And that testing is minimal — only about 400 of the more than 85,000,000 .com domains support DNSSEC, fewer than 20% of US government agencies met their mandated December 31, 2009 deadline for DNSSEC deployment, and only two of the thirteen root zone name servers is testing with even dummy DNSSEC data.
Aside from its lack of adoption, DNSSEC isn’t even a very satisfactory solution. It adds tremendous complexity to an already fragile protocol, significantly increases DNS traffic in size, encourages questionable security practices, and hamstrings many modern uses of DNS.
DNSCurve is more like TLS for DNS servers, in comparison to DNSSEC, which is signed records. DNSCurve uses point-to-point cryptography to secure communication, while DNSSEC uses pre-calculated signatures to ensure the accuracy of the supplied records.
So we can summaraize it like this:
DNSSEC: Accurate Results
DNSCurve: Encrypted Traffic
Theoretically you can use traffic encryption to ensure accuracy, the way TLS does for websites. Except that it’s not really the encryption that’s ensuring your accuracy, is the authentication provided through the PKI. And there’s a set of critical problems with the basic DNSCurve PKI.
The first problem here is that with DNSCurve, each and every DNS server involved needs a private key, and since the key signature is encoded into the resolver’s address, then in the case of anycast DNS servers, each server needs the same private key. But even if they use different keys, you’re still trusting the local security where the DNS Server is installed. If the server is installed somewhere hostile, then the results can be compromised. This is not true with DNSSEC.
ICANN has stated that, in the case of the DNS Root zone servers, DNSCurve will not be implemented, ever. Many of the root servers operate in less-trusted locations, and the potential for abuse by local governments would be enormous. This is precisely why DNSSEC was designed such that signing happens outside the DNS server. DNS relies on a vast network of server which may not be individually trustworthy, so DNSSEC was designed such that the trust is based solely on the informationthey serve, not the honesty of the operator.
The second problem is that DNSCurve secures the public key by encoding it into the resolver name. But DNSSEC does not sign the resolver name. This means that DNSSEC (which is implemented in the root zone) cannot be used as a trust root for DNSCurve, because the one thing that DNSCurve requires to be accurate is in fact the very thing for which DNSSEC cannot ensure accuracy.
So essentially DNSCurve is pretty much a non-starter. While it can be used to guarantee the security of your communication with a single DNS resolver, there currently is no way of globally anchoring your trust in a way that could guarantee the accuracy of any results you retrieve.
Unless DNSCurve is re-designed to allow for trusted key distribution, it will have to remain a client-side security tool rather than a tool for ensuring the authenticity of DNS records.
Since DNSCurve is relatively new and was developed largely by djb in isolation, presumably these show-stopping issues were simple oversights on his part, and may be fixed at some future date. Though given Dr. Bernstein’s track record of maintaining his inventions, I wouldn’t hold my breath.
前段时间尝试用PostgreSQL 作为BIND9的后端数据存储玩玩,发现真不错,需要的Postgresql数据库表结构简单,查询效率高、及时生效。SOA记录也是一条语句,但发送邮件需要的TXT记录出现了问题,按照SPF格式写入了以下TXT记录:“v=spf1 ip4:60.166.118.xxx include:xuplus.com -all”,结果使用nslookup查询出来的情况竟然是这样的: Continue reading »
从2011年年中开始,一些较大的域名注册商提供的免费DNS在国内基本上都被盯上了,时不时就给你掐断几条,前阵子也是因为这个原因换掉了域名的DNS。虽然现在免费DNS服务有很多,但选择起来也不是每方面都能很好的顾及到。
如使用国外的,优点是使用方便不用验证这验证那的,服务也相对靠谱,但弊端也很明显容易被墙,而使用国内的,长期看来备案这关是免不了的。所以如何选择大家还是先自己衡量清楚后再去设置,千万不要短时间频繁的修改DNS,免得网站长时间出现无法访问的情况。
下面介绍一些国内外比较有名的免费DNS服务提供商。 Continue reading »