Ten Years of easyDNS
10 years ago on this day, we removed the password block on easyDNS.com and sent out a couple of innocuous email announcements to the PHP and Mysql mailing lists announcing that we had developed a DNS management system using php and mysql and it was now open for business. We had three nameservers, 1 in our office (where the “other server”, that ran everything was), one downtown in somebody else’s cage at 151 Front street, and some friends of ours in Buffalo who were running an email company called chek.com let us run a third nameserver on one of their servers. That was the initial setup of easyDNS…
Continue reading “Ten Years of easyDNS”
Is my ISP patched for the DNS cache poisoning bug?
We’re going to start an item here to try to keep track of the ISPs who are patched for the DNS cache poisoning bug. Most of our personal contacts are here in Canada so this list will likely be comprised largely of Canadian ISPs but as we get word on other big ones, we’ll try to update them here.
So far just a couple of items but one of them is major, so I post now…
|Bell Canada:||Patched||We’ve checked with their ops team|
|Egate.net / EgateDSL||Patched||A lot of non-Bell DSL users here|
easyDNS soft launches DNSresolvers.com
With the ramifications of the DNS cache poisoning bug beginning to sink in and the first exploit code being published today, we are anticipating an accelerating number of queries from our members about this and what they can do to ensure their own DNS caching resolvers are safe to use.
We can tell you about two public DNS resolver systems you can use. One external, one we just launched ourselves:
OpenDNS: User friendly DNS lookups – with anti-phishing protection
We’ve never been in the DNS resolution or DNS resolving business. There are companies like OpenDNS who are. We know the people who run this company, they are competent and knowledgeable and we consider their service safe. That said, they also provide protection against phishing domains and they do trap NXDOMAIN traffic. Yes, they do monetize failed lookups via a search suggestion page with PPC links, individual users do have the ability to turn this off.
easyDNS launches DNSResolvers.com: no frills, pure DNS lookups – fully patched
Some of our members have expressed reservations around using any DNS resolver that “alters” the traffic in any way, including typos and non-existent domains. Which is good news for us, because we’ve done this so fast we haven’t had time to build anything like that even if we wanted to. What we did want to do is provide a couple of DNS resolvers for use by our members (or anybody else) who just want to know they’re using a system run by people who are actively following this situation and are proactively keeping their own resolvers and caching nameservers as secure as the protocol allows.
With this in mind we’ve turned up DNSresolvers.com today. No website, no user interface, at the moment it’s just a couple of resolvers with the latest security patches in place and that will continue to do so, open to use by anybody who wants. We have no idea where this will go, and it’s not really an official easyDNS “service” per se. But we wanted to do something to give our members options.
If you want to use DNSresolvers.com, the details are as follows:
cache1.dnsresolvers.com -> 220.127.116.11
cache2.dnsresolvers.com -> 18.104.22.168
DNS cache poisoning exploit released
There is a new DNS Cache poisoning disclosure that has been inadvertently leaked before it was scheduled to be released by Dan
Kaminsky (IOActive). This is a very serious flaw in the DNS protocol that impacts caching resolvers, like the resolvers hosted at your
service provider that help your workstation resolve IP addresses to domain names.
This bug does not directly impact authoritative name servers like the ones used to host your domain names at EasyDNS. Our name servers do not
request answers from external sources, and rely entirely on internal cache files to offer answers. So for example, nobody will be able to change your IP information on our end. That part of the bug is unfortunately located at the caching end.
That being said; this is still a serious flaw, and we are taking this opportunity to upgrade the DNS software on our authoritative name servers to ensure that we are 100% compatible across the board with the newly upgraded caching name servers located at your Internet Service Provider. These upgrades should not impact name resolution if you are using more than one of our name servers to serve answers for your domain name (actually, please ensure that you are).
To make sure your Internet Service Provider is up to speed, you can use Dan Kaminsky’s test script at DoxPora Research. If your Internet Service Provider is not yet up to speed, you may want to give them a nudge and/or change your DNS resolver configuration to a more trusted service.
Update It is now making news that an exploit to this attack has been released., please see our post about our newly launched DNSresolvers.com if you are looking for safe resolvers.
RESOLVED: Duplicate emails being relayed…
The issue we were experiencing previously with duplicate emails has been resolved. Customers may receive yet one more copy of the duplicate emails as our queues clear out.
Please contact Support if you continue to experience this issue: email@example.com
We apologise for any inconvenience.