Hurricane Electric's IPv6 Tunnel Broker Forums


Author Topic: he.net dns servers  (Read 6661 times)

grobe0ba

  • Newbie
  • *
  • Posts: 21
  • EMFN Grobe, Byron A., United States Navy
he.net dns servers
« on: July 23, 2010, 01:06:41 AM »

I'm curious as to the software HE is using for the DNS. Is it home-brew, or a commercial, open-source/etc?

snarked

  • Hero Member
  • *****
  • Posts: 766
Re: he.net dns servers
« Reply #1 on: July 23, 2010, 11:47:50 AM »

If HE wants to divulge the exact package, I'll leave that to them.  However, as far as categories go, it's open source for the server itself.  I suspect there's an SQL database behind it which might have some custom work.

grobe0ba

  • Newbie
  • *
  • Posts: 21
  • EMFN Grobe, Byron A., United States Navy
Re: he.net dns servers
« Reply #2 on: July 24, 2010, 08:43:03 AM »

I don't actually expect them to divulge the package they're using. From my point of view, it'd be kind of a security risk, "hey, find a vulnerability for xxxx and take down HE!" kind of thing.

brad

  • Jr. Member
  • **
  • Posts: 82
Re: he.net dns servers
« Reply #3 on: July 24, 2010, 02:23:37 PM »

I don't actually expect them to divulge the package they're using. From my point of view, it'd be kind of a security risk, "hey, find a vulnerability for xxxx and take down HE!" kind of thing.

If anyone was going to do that they would find out on their own and not have to ask... and yes, there are ways of finding out what pretty much any DNS / HTTP / FTP / SMTP / POP3 / IMAP server, etc. is, no matter how you try to hide any versioning information or identification.

snarked

  • Hero Member
  • *****
  • Posts: 766
Re: he.net dns servers
« Reply #4 on: July 24, 2010, 04:42:57 PM »

I concur.  Anyone wishing to take out the server would simply try all known exploits of all known name server software until one worked.

grobe0ba

  • Newbie
  • *
  • Posts: 21
  • EMFN Grobe, Byron A., United States Navy
Re: he.net dns servers
« Reply #5 on: July 24, 2010, 05:43:01 PM »

True, but it's a time saver if it's openly known.

moparisthebest

  • Newbie
  • *
  • Posts: 7
Re: he.net dns servers
« Reply #6 on: July 26, 2010, 07:43:32 AM »

I don't actually expect them to divulge the package they're using. From my point of view, it'd be kind of a security risk, "hey, find a vulnerability for xxxx and take down HE!" kind of thing.

Security through obscurity is a horrible policy, it really provides no security at all.

I too would like to know what DNS software is used, because no one should use a DNS server unless they know it isn't subject to well-known cache poisoning attacks.

kriteknetworks

  • Sr. Member
  • ****
  • Posts: 261
    • aRDy Music
Re: he.net dns servers
« Reply #7 on: July 26, 2010, 08:18:15 AM »

Since DNSSEC isn't implemented, cache poisoning is possible.

cholzhauer

  • Hero Member
  • *****
  • Posts: 2715
Re: he.net dns servers
« Reply #8 on: July 26, 2010, 09:31:45 AM »

And, is it really security through insecurity if they just don't say what they're running?  It's not like they're trying to mask it, they're just not sharing all of the details.

moparisthebest

  • Newbie
  • *
  • Posts: 7
Re: he.net dns servers
« Reply #9 on: July 26, 2010, 07:30:48 PM »

Since DNSSEC isn't implemented, cache poisoning is possible.

But does it use random source ports and such to prevent attacks like that Dan Kaminsky guy found last year? If we knew the type and version we could be sure.

cholzhauer

  • Hero Member
  • *****
  • Posts: 2715
Re: he.net dns servers
« Reply #10 on: July 26, 2010, 08:39:13 PM »

You have a good point, but keep in mind that this is a free service.

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1722
Re: he.net dns servers
« Reply #11 on: July 26, 2010, 08:44:51 PM »

The software is not in danger of the Kaminsky stuff or similar. At this point, any commercial or open source package should be up to date regarding that, and if it isn't you shouldn't be using it then. You don't really need to be sure, rather, we need to be since we maintain it and use it for our paying customers as well. In fact they've been using it with our paid service for years before we decided to open up our DNS hosting for free, which has resulted in even more improvements thanks to all of you BETA testing it.
« Last Edit: July 26, 2010, 08:51:02 PM by broquea »
Logged
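The source-port question raised in this thread can be checked from the defender's side without knowing the software name. The following is an added example, not part of the original posts and not HE's code: it classifies the UDP source ports seen on a resolver's outbound queries. The function name, the thresholds and the port lists (constructed samples standing in for ports read from a packet capture) are assumptions.

```python
import math
from collections import Counter

TXID_BITS = 16  # width of the DNS transaction ID field


def assess_source_ports(ports, min_samples=20):
    """Classify UDP source ports observed on a resolver's outbound queries.

    Thresholds are illustrative assumptions, not taken from any standard.
    """
    if len(ports) < min_samples:
        raise ValueError(f"need at least {min_samples} queries, got {len(ports)}")
    span = max(ports) - min(ports) + 1
    # Share of consecutive queries separated by the single most common step;
    # a counter-style port allocator shows up as one dominant step (often +1).
    steps = Counter((b - a) % 65536 for a, b in zip(ports, ports[1:]))
    dominant_step_share = steps.most_common(1)[0][1] / (len(ports) - 1)
    if len(set(ports)) == 1:
        verdict = "fixed"
    elif dominant_step_share >= 0.8:
        verdict = "sequential"
    elif span < 2048:
        verdict = "narrow"
    else:
        verdict = "randomized"
    # Bits an off-path spoofer has to guess: the TXID plus the port. A
    # predictable port adds nothing; otherwise estimate from the observed
    # span, which is a lower bound on the real port pool.
    port_bits = 0.0 if verdict in ("fixed", "sequential") else math.log2(span)
    return {"verdict": verdict, "span": span,
            "guess_bits": round(TXID_BITS + port_bits, 1)}


# Constructed samples (not captured from any real server).
FIXED = [32768] * 24
SEQUENTIAL = list(range(1024, 1048))
RANDOMIZED = [51234, 10455, 33871, 60012, 2890, 47711, 19034, 58123,
              7421, 40960, 26317, 63550, 14802, 35999, 55021, 4873,
              29650, 61877, 12044, 45310, 21789, 38402, 53376, 9168]

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED), ("sequential", SEQUENTIAL),
                         ("randomized", RANDOMIZED)):
        print(name, assess_source_ports(sample))
```

A "fixed" or "sequential" verdict leaves only the 16-bit transaction ID to guess, which is the condition the Kaminsky-era patches removed.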