AS
Ну, архитекторы вот 3-е место дали 🙂
Size: a a a
2020 May 21
DE
есть варианты использовать высоту чтобы тягу создавать, ovh кажется так делает.
DE
но не небоскреб же, да еще в исландии
AS
Ну там конкурс, где показывают довольно много подробностей и рассчетов, то есть это не просто картинка, там надо расписать внутренности аккуратно. Эту часть не видел, так что сказать сложно
AS
Это, собственно, с вебинара под названием “архитектурные фантазии”, которые прям ща идет. Передал отклик лектору, она ответила, что в контексте темы вебинара любые отклики, заканчивающиеся на “но красиво” могут считаться положительными 🙂
DE
не, разумно использовать такое можно конечно, но если деньги потратить некуда
AS
Ну, всякие архитектурные “лидеры” - всегда про деньги девать некуда. Бурж Халифа строить, например, объективно на фиг не надо было, земли вокруг завались 🙂
DE
если цель-построить красивое здание- то ок, построить датацентр - не ок:)
DE
в исландии на 10 стран красивостей хватит, это кажется не дубайский случай:)
TH
О как. Стало быть, пропустил я. А countermeasures кроме rate limit?
говорят Джеф был не прав
Maury [18] presents a different attack that also ex-
ploits the delegations of name-servers in a referral re-
sponse. However, the attack (called iDNS attack) PAF
is at most 10x. In iDNS the attacker’s name-server sends
self-delegations (back and forth to the attacker’s name-
server) up to an infinite depth. A major difference from
our work is that the glueless name-servers in the iDNS
attack are never used against an external server such as
a victim name-server. Some measures have been taken
by different DNS vendors such as BIND and UNBOUND
following the disclosure of iDNS described in [18], how-
ever these measures do not affect and do not weaken the
NXNSAttack.
Maury [18] presents a different attack that also ex-
ploits the delegations of name-servers in a referral re-
sponse. However, the attack (called iDNS attack) PAF
is at most 10x. In iDNS the attacker’s name-server sends
self-delegations (back and forth to the attacker’s name-
server) up to an infinite depth. A major difference from
our work is that the glueless name-servers in the iDNS
attack are never used against an external server such as
a victim name-server. Some measures have been taken
by different DNS vendors such as BIND and UNBOUND
following the disclosure of iDNS described in [18], how-
ever these measures do not affect and do not weaken the
NXNSAttack.
TG
Гггг
TG
What if you *only* have glue, and no authoritative answer / server?
Can I register example.com, put in www.example.com A 192.0.2.1 as
glue, and not bother with this whole annoying authoritative server
thing?
I asked this back in 2014, and was (correctly) told that this should
not work - I was pointed at RFC2181, which says:
"Unauthenticated RRs received and cached from the least trustworthy of
those groupings, that is data from the additional data section, and
data from the authority section of a non-authoritative answer, should
not be cached in such a way that they would ever be returned as
answers to a received query. They may be returned as additional
information where appropriate. Ignoring this would allow the
trustworthiness of relatively untrustworthy data to be increased
without cause or excuse."
I did some testing on this back in late 2014, and the "success" rate
was ~75% - this has now dropped to ~5% (using Atlas to measure).
What on earth am I talking about? For the domain wow4dns.com, I have
*only* got glue (answers edited for brevity):
$ dig +nostat +nocmd ns wow4dns.com @a.gtld-servers.com
;; QUESTION SECTION:
;wow4dns.com. IN NS
;; AUTHORITY SECTION:
wow4dns.com. 172800 IN NS www.wow4dns.com.
wow4dns.com. 172800 IN NS www1.wow4dns.com.
;; ADDITIONAL SECTION:
www.wow4dns.com. 172800 IN A 193.151.173.35
www1.wow4dns.com. 172800 IN A 193.151.173.35
There is no name-server listening on 193.151.173.35:
$ dig www.wow4dns.com @193.151.173.35
;; connection timed out; no servers could be reached
There is, just for giggles, a webserver...
Using 1000 RIPE Atlas nodes, I try to resolve the name www.wow4dns.com
-- according to RFC2181 this Should Not Work(tm) -- and yet, ~3-5% of
resolvers (in this run, 38 out of 984) will resolve it, and to the
correct IP. This is RIPE Measurement #25400908 [0] for those who want
to play along at home...
The majority of these resolvers are in RFC1918 space, but there are
also some public addresses, including open recursives - e.g:
$ dig www.wow4dns.com @37.32.120.136
www.wow4dns.com. 86037 IN A 193.151.173.35
$ host 37.32.120.136
136.120.32.37.in-addr.arpa domain name pointer ns1.systec.ir.
$ dig www.wow4dns.com @185.210.180.6
www.wow4dns.com. 84737 IN A 193.151.173.35
$ host 185.210.180.6
6.180.210.185.in-addr.arpa domain name pointer ns2.txtv-tz.com.
Looking in the webserver log, there are also some hits - e.g:
- - [21/May/2020:19:09:10 +0000] "GET /favicon.ico HTTP/1.1" 404 209
"http://www.wow4dns.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X
10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138
Safari/537.36"
What does all of this *mean*?
.
.
.
Sorry, I haven't a clue, other than maybe:
The DNS is weird.
We passed the complexity event horizon a long time back...
W
Can I register example.com, put in www.example.com A 192.0.2.1 as
glue, and not bother with this whole annoying authoritative server
thing?
I asked this back in 2014, and was (correctly) told that this should
not work - I was pointed at RFC2181, which says:
"Unauthenticated RRs received and cached from the least trustworthy of
those groupings, that is data from the additional data section, and
data from the authority section of a non-authoritative answer, should
not be cached in such a way that they would ever be returned as
answers to a received query. They may be returned as additional
information where appropriate. Ignoring this would allow the
trustworthiness of relatively untrustworthy data to be increased
without cause or excuse."
I did some testing on this back in late 2014, and the "success" rate
was ~75% - this has now dropped to ~5% (using Atlas to measure).
What on earth am I talking about? For the domain wow4dns.com, I have
*only* got glue (answers edited for brevity):
$ dig +nostat +nocmd ns wow4dns.com @a.gtld-servers.com
;; QUESTION SECTION:
;wow4dns.com. IN NS
;; AUTHORITY SECTION:
wow4dns.com. 172800 IN NS www.wow4dns.com.
wow4dns.com. 172800 IN NS www1.wow4dns.com.
;; ADDITIONAL SECTION:
www.wow4dns.com. 172800 IN A 193.151.173.35
www1.wow4dns.com. 172800 IN A 193.151.173.35
There is no name-server listening on 193.151.173.35:
$ dig www.wow4dns.com @193.151.173.35
;; connection timed out; no servers could be reached
There is, just for giggles, a webserver...
Using 1000 RIPE Atlas nodes, I try to resolve the name www.wow4dns.com
-- according to RFC2181 this Should Not Work(tm) -- and yet, ~3-5% of
resolvers (in this run, 38 out of 984) will resolve it, and to the
correct IP. This is RIPE Measurement #25400908 [0] for those who want
to play along at home...
The majority of these resolvers are in RFC1918 space, but there are
also some public addresses, including open recursives - e.g:
$ dig www.wow4dns.com @37.32.120.136
www.wow4dns.com. 86037 IN A 193.151.173.35
$ host 37.32.120.136
136.120.32.37.in-addr.arpa domain name pointer ns1.systec.ir.
$ dig www.wow4dns.com @185.210.180.6
www.wow4dns.com. 84737 IN A 193.151.173.35
$ host 185.210.180.6
6.180.210.185.in-addr.arpa domain name pointer ns2.txtv-tz.com.
Looking in the webserver log, there are also some hits - e.g:
- - [21/May/2020:19:09:10 +0000] "GET /favicon.ico HTTP/1.1" 404 209
"http://www.wow4dns.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X
10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138
Safari/537.36"
What does all of this *mean*?
.
.
.
Sorry, I haven't a clue, other than maybe:
The DNS is weird.
We passed the complexity event horizon a long time back...
W
TG
Ситуация, что ты делаешь запрос по DNS, а на сервер прилетает запрос фавиконки по HTTP, прямо лайк
TG
Если не совпадение, конечно
BL
Ситуация, что ты делаешь запрос по DNS, а на сервер прилетает запрос фавиконки по HTTP, прямо лайк
думаю, это сканер какой-то приперся просто
2020 May 22
r
Это, собственно, с вебинара под названием “архитектурные фантазии”, которые прям ща идет. Передал отклик лектору, она ответила, что в контексте темы вебинара любые отклики, заканчивающиеся на “но красиво” могут считаться положительными 🙂
А что за вебинар?
AS
А что за вебинар?
Level One (www.levelvan.ru)