Stopping Open Recursion Name Server Attacks

I received an ominous e-mail from my server host Thursday:

The DNS service(s) on your server are currently open to recursive queries from the world, leaving them vulnerable to DNS cache poisoning attacks and allowing them to be used to attack other sites. Your server was reported participating in an outbound DDoS attack through means of this vulnerability by an attacker. Please ensure that recursive lookups are DISABLED in your name server's configuration to prevent future abuse. If you need any assistance with this procedure, please let us know.

My name server was taking requests from any user for any domain, not just the ones it was configured to handle like cadenhead.org. When a request came in for a domain on another server, it was forwarded to another server, which could forward it further.

I didn't know that this open recursion let my server be used in a denial of service attack.

I closed the vulnerability by adding an acl section and a new allow-recursion setting inside the options section of the named.conf file:

// Hosts allowed to make recursive queries. Note that 67.19.3.218/29 is a
// block of 8 addresses (67.19.3.216 to 67.19.3.223), which includes the
// name server itself.
acl internal {
  67.19.3.218/29;
};

options {
  // Recursion only for the acl above; every other client is denied.
  allow-recursion {
    internal;
  };
};

The acl section refers to the machine hosting the name server, which allows programs on that machine to make recursive requests. All other clients should be blocked by this configuration.

While I was poking around, I took another blogger's suggestion to turn off zone transfers from my name server, except for one machine that functions as a backup name server:

// Goes in the options statement (global) or in a specific zone statement;
// only the backup name server may pull a copy of the zone.
allow-transfer {
  67.19.86.58;
};
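After editing named.conf it is worth confirming from an outside machine that the server really stopped recursing. The check below is an added example, not code from the original post: it builds a recursive (RD=1) query for a name the server is not authoritative for, sends it over UDP, and classifies the reply by the Recursion Available flag and rcode. It assumes example.com is not one of the zones hosted on the server being checked.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Build a standard recursive (RD=1) A/IN query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(resp):
    """Return (is_open, reason) judged from the 12-byte DNS header of a reply."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    ra = bool(flags & 0x0080)                     # Recursion Available bit
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    if ra and an > 0:
        return True, "RA set and %d answer(s) returned: recursion is open to this client" % an
    if ra:
        return True, "RA set (rcode %s): server offers recursion to this client" % rcode
    if rcode == "REFUSED":
        return False, "RA clear, REFUSED: recursion denied by allow-recursion"
    # Older BIND 9 answers a denied client with a root referral (NOERROR, no answers)
    return False, "RA clear, rcode %s, %d answer(s): no recursion for this client" % (rcode, an)

def check_server(server, name="example.com", timeout=3.0):
    """Live check: send one recursive query to `server` port 53 and classify the reply."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    finally:
        s.close()
    return classify_response(data)

# Constructed sample replies (only the header matters to the check):
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)      # QR,RD,RA set, NOERROR, 1 answer
CLOSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)    # QR,RD set, RA clear, REFUSED
REFERRAL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 13, 0) # RA clear, NOERROR, root referral
```

Run `check_server("your.name.server.ip")` from a host outside the acl; a result of `(True, ...)` means the allow-recursion change has not taken effect for that client.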

How Do I Get to Carnegie Hall?

Some bloggers have been talking up the XRSS namespace proposal I made earlier this week.

This is one proposal among three currently under development on RSS-Public, the public mailing list of the RSS Advisory Board.

The others are a new specification for the Really Simple Syndication format and a best practices profile, a set of recommendations for how RSS documents can work in the widest possible audience of aggregators, browsers and other software. I published the first draft of the profile this morning, which will be filled out one section at a time.

We could use more participants on the mailing list to work on the profile. A "best practices" document has a much better chance of being true to its name if a bunch of RSS publishers and developers contribute to it.

Spam Spam Spam Spam Comment Spam

Workbench doesn't require readers to set up an account before posting comments, because I like the freewheeling nature of the discussion that results from an open policy. Half the fun of writing a weblog is hearing from total strangers with an itemized list of my faults.

Because of that open policy, this site is hammered around the clock by comment spammers who want me to enlarge my penis and lose weight with phentermine so I look good the next time I play online Texas Holdem poker.

To give you an idea of how bad the problem is becoming on weblogs, this site has received 13,445 comments in the last 21 days, and 13,188 of them were comment spam, even though I have manually blocked 4,737 IP addresses because they were used for spam.

InstaPundit on Alan Colmes

Glenn Reynolds, the publisher of the InstaPundit weblog, was a guest on the Alan Colmes Radio Show last night.

The interview, which I've attached as a 17-minute podcast, was to promote his new book An Army of Davids, which has the subtitle "How Markets and Technology Empower Ordinary People to Beat Big Media, Big Government, and Other Goliaths."

No knock on Reynolds, whose blog I enjoy in spite of our political differences, but the interview made the book sound like technoutopianism. Since the dot-com bubble, I have a low tolerance level for fables in which technology solves problems without creating new ones and the geek shall inherit the Earth.

Radio · Politics · Podcasts · 2006/03/08 · 9 COMMENTS · Link

A Case of Sticker Shock

I was driving behind a new-looking Hyundai Sonata on State Road 312 in St. Augustine yesterday when I spotted a simple black sticker along the top edge of the car's window:

ANAL INTRUDER

Anyone care to venture a guess as to what the driver was trying to convey with this sticker? I was so surprised I nearly rear-ended him.

Moving RSS Forward with an XRSS Namespace

The Really Simple Syndication format contains only five required elements -- rss, channel, title, link and description -- and either a title or description in each item. Everything else is optional.

One way to tackle confusing aspects of RSS is by defining a new namespace, XRSS, with replacements for all of the optional elements.

The XRSS spec could document the namespaced elements and also offer advice for the required RSS elements. To show how this would work in practice, I've created an XRSS namespace spec and a sample file.

The Harvard spec is the authority over all required RSS elements described in the XRSS spec, as stated in the Elements introduction:

An XRSS document consists of five required RSS elements, two required RSS elements for each item and zero or more optional XRSS elements.

The definitions of the RSS elements in this specification are provided for convenience and MUST NOT be treated as definitive. Refer to the RSS 2.0 specification for authoritative guidance on the format.

All elements of an XRSS document that are not contained in a namespace MUST be described in this specification. All recommendations offered for RSS elements in this specification SHOULD be followed in XRSS documents.

RSS documents that use the XRSS namespace would be declared in the rss element:

<rss version="2.0" xmlns:xrss="http://www.rssboard.org/xrss">

Any document with such a declaration indicates that its publisher follows the XRSS spec and its definitions for XRSS elements, and has reviewed the best-practice recommendations for RSS elements.

All namespaced elements would be under the clear authority of the XRSS spec, removing the need to mirror the behavior of the similarly named elements in RSS.

For instance, the enclosure element could be defined so that "an item may contain more than one enclosure."

Another problem the namespace can solve is whether to use an item's link or guid when the latter is a permalink:

A publisher should provide a guid with each item. When a guid represents a permalink, it should take precedence over the item's link.

The namespace also could drop elements that serve no discernible useful purpose and are rarely implemented, such as textInput.

This would indisputably follow the RSS roadmap:

Subsequent work should happen in modules, using namespaces ...
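To make the two rules above concrete, here is an added example (my own illustration, not the proposal's sample file) that reads a constructed XRSS document, confirms the namespace declaration on the rss element, applies the guid-over-link precedence rule to each item and collects the multiple namespaced enclosures the proposal would permit. The sample feed and its example.org URLs are constructed.

```python
import xml.etree.ElementTree as ET
from io import BytesIO

XRSS_NS = "http://www.rssboard.org/xrss"

# Constructed sample document; not the proposal's own sample file.
SAMPLE = """<?xml version="1.0"?>
<rss version="2.0" xmlns:xrss="http://www.rssboard.org/xrss">
<channel>
<title>Constructed feed</title>
<link>http://example.org/</link>
<description>Sample used to exercise the XRSS rules</description>
<item>
<title>First</title>
<link>http://example.org/?day=2006-03-08</link>
<guid isPermaLink="true">http://example.org/news/1/</guid>
<xrss:enclosure url="http://example.org/a.mp3" length="100" type="audio/mpeg"/>
<xrss:enclosure url="http://example.org/a.ogg" length="90" type="audio/ogg"/>
</item>
<item>
<title>Second</title>
<link>http://example.org/second</link>
<guid isPermaLink="false">tag:example.org,2006:second</guid>
</item>
</channel>
</rss>"""

def declares_xrss(xml_text):
    """True if the document declares the XRSS namespace under any prefix."""
    for _event, (_prefix, uri) in ET.iterparse(BytesIO(xml_text.encode()), events=("start-ns",)):
        if uri == XRSS_NS:
            return True
    return False

def permalink(item):
    """A guid that is a permalink (isPermaLink defaults to true in RSS 2.0) wins over link."""
    guid = item.find("guid")
    if guid is not None and guid.get("isPermaLink", "true").lower() == "true":
        return guid.text
    link = item.find("link")
    return link.text if link is not None else None

def enclosures(item):
    """Namespaced enclosures: XRSS would let an item carry more than one."""
    return [e.get("url") for e in item.findall("{%s}enclosure" % XRSS_NS)]

def summarize(xml_text):
    """Per item: (permalink chosen by the guid rule, list of XRSS enclosure URLs)."""
    root = ET.fromstring(xml_text)
    return [(permalink(i), enclosures(i)) for i in root.iter("item")]
```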

The Seminal Moment at the Academy Awards

Philip Seymour Hoffman and his mother Marilyn O'Connor in separate photos.

I watched the Oscars last night even though I haven't seen a single film for which an actor, director or screenwriter was nominated. I have to go all the way down the list to "best achievement in makeup" before reaching a winner that I've seen, the Chronicles of Narnia.

I had the same experience with musicians at the Grammys and TV actors at the Emmys. At some point raising young kids and working obsessively have robbed me of all pop culture that isn't aimed at children. I was more excited to see Chicken Little and Abby Mallard present an award than any of the big winners.

This lack of entertainment knowledge could have been a good thing, but I took all of that empty space in my brain and filled it with the minutiae of blogging. I can't wait to find out what Joshua Micah Marshall and Jason Kottke wear to the Bloggies. If Mark Nottingham and Robert Sayre don't win for "best achievement in specification" it's a complete traveshamockery.

My favorite moment last night was best actor Philip Seymour Hoffman making the capstone of his acceptance speech a thank you to his mother for raising four children on her own. My parents divorced and primary custody went to my mother, so I go blubbery whenever someone with an award in his hand praises mommy.

Hoffman's mother Marilyn O'Connor is a family court judge in New York, where she issued one of the most controversial rulings in a custody case in state history. In 2004, she ordered a homeless drug-abusing couple not to have any more children until they were capable of regaining custody of the four they already had:

It is painfully obvious that a parent who has already lost to foster care all 4 of her children born over a 6-year period, with the last one having been taken from her even before she could leave the hospital, should not get pregnant again soon, if ever. She should not have yet another child which must be cared for at public expense before she has proven herself able to care for other children. The same is true for the father and his children. As to both parents, providing care for the children includes providing financial support. This is a practical, social, economic and moral reality. In effect, Bobbijean was born to a "no-parent family". She is for all practical purposes motherless and fatherless. This is not acceptable.