• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

he.net dns servers

Started by grobe0ba, July 23, 2010, 01:06:41 AM


grobe0ba

I'm curious as to the software he is using for the dns. Is it home-brew, or a commercial, open-source/etc?

snarked

If HE wants to divulge the exact package, I'll leave that to them.  However, as far as categories go, it's open source for the server itself.  I suspect there's an SQL database behind it which might have some custom work.

grobe0ba

I don't actually expect them to divulge the package they're using. From my point of view, it'd be kind of a security risk, "hey, find a vulnerability for xxxx and take down HE!" kind of thing.

brad

Quote from: grobe0ba on July 24, 2010, 08:43:03 AM
I don't actually expect them to divulge the package they're using. From my point of view, it'd be kind of a security risk, "hey, find a vulnerability for xxxx and take down HE!" kind of thing.

If anyone was going to do that they would find out on their own and not have to ask... and yes, there are ways of finding out what pretty much any DNS / HTTP / FTP / SMTP / POP3 / IMAP server, etc. is, no matter how you try to hide any versioning information or identification.

snarked

I concur.  Anyone wishing to take out the server would simply try all known exploits of all known name server software until one worked.

grobe0ba

True, but it's a time saver if it's openly known.

moparisthebest

Quote from: grobe0ba on July 24, 2010, 08:43:03 AM
I don't actually expect them to divulge the package they're using. From my point of view, it'd be kind of a security risk, "hey, find a vulnerability for xxxx and take down HE!" kind of thing.

Security through obscurity is a horrible policy, it really provides no security at all.

I too would like to know what DNS software is used, because no one should use a DNS server unless they know it isn't subject to well-known cache poisoning attacks.

kriteknetworks

Since DNSSEC isn't implemented, cache poisoning is possible.

cholzhauer

And, is it really security through insecurity if they just don't say what they're running?  It's not like they're trying to mask it, they're just not sharing all of the details

moparisthebest

Quote from: kriteknetworks on July 26, 2010, 08:18:15 AM
Since DNSSEC isn't implemented, cache poisoning is possible.

But does it use random source ports and such to prevent attacks like that Dan Kaminsky guy found last year? If we knew the type and version we could be sure.

cholzhauer

You have a good point, but keep in mind that this is a free service.

broquea

The software is not in danger of the Kaminsky stuff or similar. At this point, any commercial or open source package should be up to date regarding that, and if it isn't you shouldn't be using it then. You don't really need to be sure, rather, we need to be since we maintain it and use it for our paying customers as well. In fact they've been using it with our paid service for years before we decided to open up our DNS hosting for free, which has resulted in even more improvements thanks to all of you BETA testing it.