Hi, now Google DNS, anything more?
http://googlecode.blogspot.com/2009/12/introducing-google-public-dns-new-dns...
Eduardo.-
-- Eduardo A. Suarez, Facultad de Ciencias Astronomicas y Geofisicas, Universidad Nacional de La Plata
uf, another question I'll have to ask my users now:
User: I can't get to the intranet.mycompanydomain.local! What did you break!?
Me: Hey, you can't get to intranet.domain.local? Did you make your laptop use Google DNS?
----- Andrey Gordon [andrey.gordon@gmail.com]
Sent from my iPhone, please excuse any errors.
On Dec 3, 2009, at 13:08, Andrey Gordon <andrey.gordon@gmail.com> wrote:
uf, another question I'll have to ask my users now:
User: I can't get to the intranet.mycompanydomain.local! What did you break!?
Me: Hey, you can't get to intranet.domain.local? Did you make your laptop use Google DNS?
1) If $COMPANY does not force their VPN client to disallow external DNS, shame on them.
2) You already have this issue. Google is hardly the first, and nowhere near the biggest (nor will they be in all likelihood, despite their name).
3) I know, none of that matters. You still get phone calls.
4) Welcome to the ISP business. (Another reason I Am Not An Isp. :-)
-- TTFN, patrick
Andrey Gordon wrote:
uf, another question I'll have to ask my users now:
User: I can't get to the intranet.mycompanydomain.local! What did you break!?
Me: Hey, you can't get to intranet.domain.local? Did you make your laptop use Google DNS?
But it is soooo easy to just route 8.8.8.8 and 8.8.4.4 to ISP/enterprise internal ISP addresses, no more configuration, who would have thought of that...
Greets, Jeroen
On Thu, Dec 3, 2009 at 3:29 PM, Jeroen Massar <jeroen@unfix.org> wrote:
Andrey Gordon wrote:
uf, another question I'll have to ask my users now:
User: I can't get to the intranet.mycompanydomain.local! What did you break!?
Me: Hey, you can't get to intranet.domain.local? Did you make your laptop use Google DNS?
But it is soooo easy to just route 8.8.8.8 and 8.8.4.4 to ISP/enterprise internal ISP addresses, no more configuration who would have thought of that...
Forever? I think we're also seeing the first legacy space holder (that I'm aware of, publicly) foray into commercial LIR services. Putting this service into a legacy block was not a mistake or a stroke of luck. It's being advertised by goog. Could mean nothing, but I think it's interesting amongst the other interesting things.
Best, -M<
-- Martin Hannigan martin@theicelandguy.com p: +16178216079 Power, Network, and Costs Consulting for Iceland Datacenters and Occupants
Also reminds me of the Level 3 DNS servers in the 4.2.2.[1-8++] range.
-Scott
-----Original Message-----
From: Jonathan Lassoff [mailto:jof@thejof.com]
Sent: Thursday, December 03, 2009 1:51 PM
To: nanog
Subject: Re: news from Google
Excerpts from Charles Wyble's message of Thu Dec 03 10:44:49 -0800 2009:
8.8.8.8 .... 6.6.6.6 would have been really really funny. :)
Nice IPs from Level 3, huh? 6.6.6.6 belongs to the US Army. --j
On Thu, Dec 3, 2009 at 12:09 PM, Scott Berkman <scott@sberkman.net> wrote:
Also reminds me of the Level 3 DNS servers in the 4.2.2.[1-8++] range.
-Scott
I suppose I've been too brainwashed by HTTP...I looked at that, and thought that it would be amusing to have a DNS server in the 4.0.2 range. ^_^;
(for reference... http://en.wikipedia.org/wiki/HTTP_402#4xx_Client_Error
402 Payment Required :D
Matt
LOL. One place I worked at hosted a bunch of websites and called them by business unit, so xxx_nnn. One business unit was particularly problematic and frequently returned 500 errors. The version in production was xxx_4xx .... when the next major rev came out we skipped 5xx and went to 6xx. :)
On Dec 3, 2009, at 12:36 PM, Matthew Petach wrote:
On Thu, Dec 3, 2009 at 12:09 PM, Scott Berkman <scott@sberkman.net> wrote:
Also reminds me of the Level 3 DNS servers in the 4.2.2.[1-8++] range.
-Scott
I suppose I've been too brainwashed by HTTP...I looked at that, and thought that it would be amusing to have a DNS server in the 4.0.2 range. ^_^;
(for reference... http://en.wikipedia.org/wiki/HTTP_402#4xx_Client_Error
402 Payment Required
:D
Matt
talking about evil http://www.bing.com/ :
Oops This isn't the page you wanted!
Try this Refresh the page. If you get this message again, please check back later.
Ref A: 7d09ba2186d4448a8dd2b99ad2c12b3a Ref B: B498C04FE4F5DC107DF8FC65998D9838 Ref C: Thu Dec 03 18:54:06 2009 PST
While the younger evil keeps trying to provide better and faster services, the oldest one seems to be doing their best effort to screw them.
PS. SANS is reporting the service down http://isc.sans.org/diary.html
Cheers Jorge
That is an Akamai error.
On Dec 3, 2009, at 6:57 PM, Jorge Amodio wrote:
talking about evil http://www.bing.com/ :
Oops This isn't the page you wanted!
Try this Refresh the page. If you get this message again, please check back later.
Ref A: 7d09ba2186d4448a8dd2b99ad2c12b3a Ref B: B498C04FE4F5DC107DF8FC65998D9838 Ref C: Thu Dec 03 18:54:06 2009 PST
I think one of the things that concerns me most with Google validating and jumping on the DNS "open resolver" bandwagon is that it'll force more folks (ISPs, enterprises and end users alike) to leave DNS resolver IP access wide open. Malware already commonly changes DNS resolver settings to rogue resolvers, and removes otherwise resident malcode from the end system to avoid detection by AV and the like.

One of the primary recommendations I give to enterprises is to force use of internal resolvers, and log all other attempted DNS resolution queries elsewhere; it's a quick way to detect some compromised systems. My personal recommendation is that ISPs do the same, but that's where network neutrality issues enter the picture. Of course, some of the DNS NXDOMAIN and similar "synthesis" they've been performing may perturb some users, and hence Google's service (and many before) are presumably welcomed by casual (or expert) end users.

So, DNSSEC deployment finally gets close (with validation models mostly just to the resolver) -- primarily to deal with DNS data integrity issues in the infrastructure -- yet compromised end systems are simply configured to use rogue resolvers, obviating much of the benefit of the added complexity DNSSEC brings, with "dumb pipe" providers simply enabling the now nefarious transactions.

And this concern is entirely orthogonal to all the issues that arise once Google (and everyone else) decide that overriding application-level DNS settings (e.g., for Chrome) is perfectly reasonable -- not to mention the value they find in operation of DNS infrastructure from a data mining perspective (e.g., NXDOMAIN data == marketing intelligence/$$) that many other folks have long ago realized...

-danny
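The detection Danny recommends above (force clients onto internal resolvers, then log and review every other DNS attempt) as an added example, not code from the thread: it reads port-53 flows from firewall logs and reports hosts whose DNS goes anywhere but the approved resolvers. The log format, the 10.1.0.53/10.1.0.54 resolver addresses and the sample lines are constructed for illustration.

```python
"""Flag end systems that bypass the enterprise resolvers.

Added example, not from the NANOG thread. Reads key=value firewall log lines
(constructed format), keeps the port-53 flows from internal sources, and
reports every source that talked to a resolver other than the approved ones.
A host whose DNS suddenly goes to an unknown address is exactly the
"rogue resolver" symptom the message above describes.
"""
import ipaddress
import re
from collections import defaultdict

# Approved enterprise resolvers (hypothetical addresses).
APPROVED_RESOLVERS = {"10.1.0.53", "10.1.0.54"}

# Well-known public resolvers: still a policy deviation, but a known destination.
KNOWN_PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "4.2.2.2"}

# Address space considered "inside"; only these sources are checked.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed firewall log lines (198.51.100.x / 203.0.113.x are documentation ranges).
SAMPLE_LOG = """\
2009-12-03T13:08:01Z action=allow proto=udp src=10.1.20.15 dst=10.1.0.53 dport=53
2009-12-03T13:08:02Z action=allow proto=udp src=10.1.20.15 dst=10.1.0.54 dport=53
2009-12-03T13:08:05Z action=allow proto=udp src=10.1.20.22 dst=8.8.8.8 dport=53
2009-12-03T13:08:06Z action=allow proto=udp src=10.1.20.22 dst=8.8.4.4 dport=53
2009-12-03T13:08:09Z action=allow proto=udp src=10.1.20.31 dst=198.51.100.77 dport=53
2009-12-03T13:08:10Z action=allow proto=tcp src=10.1.20.31 dst=198.51.100.77 dport=53
2009-12-03T13:08:11Z action=allow proto=tcp src=10.1.20.31 dst=203.0.113.9 dport=443
2009-12-03T13:08:12Z action=allow proto=udp src=10.1.20.40 dst=10.1.0.53 dport=53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_dns_flows(log_text):
    """Yield (timestamp, proto, src, dst) for every port-53 flow in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("dport") != "53":
            continue
        yield m.group("ts"), m.group("proto"), m.group("src"), m.group("dst")


def classify_resolver(dst):
    """Bucket a DNS destination: approved, known public, or unknown."""
    if dst in APPROVED_RESOLVERS:
        return "approved"
    if dst in KNOWN_PUBLIC_RESOLVERS:
        return "known-public"
    return "unknown"


def find_bypassing_hosts(log_text):
    """Return {src: {"known-public": [...], "unknown": [...]}} for internal
    hosts that sent DNS anywhere other than the approved resolvers.

    An "unknown" destination deserves a look first: it may be a resolver a
    piece of malware configured, rather than a user picking a public one."""
    report = defaultdict(lambda: defaultdict(set))
    for _ts, _proto, src, dst in parse_dns_flows(log_text):
        src_ip = ipaddress.ip_address(src)
        if not any(src_ip in net for net in INTERNAL_NETS):
            continue
        bucket = classify_resolver(dst)
        if bucket != "approved":
            report[src][bucket].add(dst)
    # Freeze to plain dicts and sorted lists so callers get stable output.
    return {src: {k: sorted(v) for k, v in buckets.items()}
            for src, buckets in report.items()}


def main():
    for src, buckets in sorted(find_bypassing_hosts(SAMPLE_LOG).items()):
        for bucket, dsts in buckets.items():
            print(f"{src}: DNS to {bucket} resolver(s) {', '.join(dsts)}")


if __name__ == "__main__":
    main()
```

On the sample log this flags 10.1.20.22 (using Google's resolvers) and 10.1.20.31 (an unknown resolver on both UDP and TCP), while the hosts using the internal resolvers are silent.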
On Sun, Dec 6, 2009 at 5:30 PM, Danny McPherson <danny@tcb.net> wrote:
I think one of the things that concerns me most with Google validating and jumping on the DNS "open resolver" bandwagon is that it'll force more folks (ISPs, enterprises and end users alike) to leave DNS resolver IP access wide open. Malware already commonly changes DNS resolver settings to rogue resolvers, and removes otherwise resident malcode from the end system to avoid detection by AV and the like.
One of the primary recommendations I give to enterprises is to force use of internal resolvers, and log all other attempted DNS resolution queries elsewhere, it's a quick way to detect some compromised systems. [...]
Indeed -- as this is exactly what we have seen, as discussed in the good white paper by Antoine Schonewille and Dirk-Jan van Helmond in 2006 (I've used this paper as a reference many times), "The Domain Name Service as an IDS: How DNS can be used for detecting and monitoring badware in a network": http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf
- ferg
-- "Fergie", a.k.a. Paul Ferguson, Engineering Architecture for the Internet, fergdawgster(at)gmail.com, ferg's tech blog: http://fergdawg.blogspot.com/
enter the picture. Of course, some of the DNS NXDOMAIN and similar "synthesis" they've been performing may perturb some users, and hence Google's service (and _many before) are presumably welcomed by casual (or expert) end users.
What really concerns me is that some ISPs these days are assuming that, given that "best practices" are not mandatory, creating "bad habits" for some revenue gain is OK. We all will be better if they stop using the DNS for what it is not and we focus investment and engineering talent to create new *real* services and improve existing ones.
My .02
Jorge
So, why do I have a creeping feeling that google is just running software on level3's servers? Isn't 8.0.0.0/8 announced by level3? Wouldn't that suck up 8.8.8.0/24 and 8.8.4.0/24?
On Thu, Dec 3, 2009 at 3:09 PM, Scott Berkman <scott@sberkman.net> wrote:
Also reminds me of the Level 3 DNS servers in the 4.2.2.[1-8++] range.
-Scott
-----Original Message-----
From: Jonathan Lassoff [mailto:jof@thejof.com]
Sent: Thursday, December 03, 2009 1:51 PM
To: nanog
Subject: Re: news from Google
Excerpts from Charles Wyble's message of Thu Dec 03 10:44:49 -0800 2009:
8.8.8.8 .... 6.6.6.6 would have been really really funny. :)
Nice IPs from Level 3, huh?
6.6.6.6 belongs to the US Army.
--j
-- Andrew Euell andyzweb [at] gmail [dot] com
On Sat, Dec 12, 2009 at 4:39 AM, Andrew Euell <andyzweb@gmail.com> wrote:
So, why do I have a creeping feeling that google is just running software on level3's servers? Isn't 8.0.0.0/8 announced by level3. Wouldn't that suck up 8.8.8.0/24 and 8.8.4.0/24?
On Thu, Dec 3, 2009 at 3:09 PM, Scott Berkman <scott@sberkman.net> wrote:
Also reminds me of the Level 3 DNS servers in the 4.2.2.[1-8++] range.
-Scott
-----Original Message-----
From: Jonathan Lassoff [mailto:jof@thejof.com]
Sent: Thursday, December 03, 2009 1:51 PM
To: nanog
Subject: Re: news from Google
Excerpts from Charles Wyble's message of Thu Dec 03 10:44:49 -0800 2009:
8.8.8.8 .... 6.6.6.6 would have been really really funny. :)
Nice IPs from Level 3, huh?
6.6.6.6 belongs to the US Army.
--j
-- Andrew Euell andyzweb [at] gmail [dot] com
8.8.8.0/24 and 8.8.4.0/24 are being announced by AS15169. That is a more specific route than 8.0.0.0/8.

inet.0: 309980 destinations, 1777244 routes (309955 active, 17 holddown, 9 hidden)
+ = Active Route, - = Last Active, * = Both

8.8.8.0/24         *[BGP/170] 8w4d 00:05:54, MED 0, localpref 100
                      AS path: 3356 15169 I
                    [BGP/170] 5w2d 20:30:42, MED 0, localpref 100
                      AS path: 3356 15169 I
                    [BGP/170] 3d 04:32:51, localpref 100
                      AS path: 7843 15169 I
                    [BGP/170] 6w4d 21:27:00, MED 0, localpref 100
                      AS path: 3549 15169 I
                    [BGP/170] 4w2d 03:31:39, MED 2, localpref 100
                      AS path: 2828 7018 15169 I
                    [BGP/170] 1w1d 06:31:35, MED 4, localpref 100
                      AS path: 1239 3356 15169 I

inet.0: 309984 destinations, 1777256 routes (309970 active, 6 holddown, 9 hidden)
+ = Active Route, - = Last Active, * = Both

8.8.4.0/24         *[BGP/170] 4w4d 16:27:35, MED 0, localpref 100
                      AS path: 3549 15169 I
                    [BGP/170] 4w1d 21:57:42, MED 0, localpref 100
                      AS path: 3356 15169 I
                    [BGP/170] 3d 04:36:18, localpref 100
                      AS path: 7843 15169 I
                    [BGP/170] 4w4d 16:27:48, MED 0, localpref 100
                      AS path: 7922 15169 I
                    [BGP/170] 5d 02:13:20, MED 3, localpref 100
                      AS path: 2828 3356 15169 I
                    [BGP/170] 1w1d 06:35:02, MED 4, localpref 100
                      AS path: 1239 3356 15169 I

-Josh
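Josh's point, that the /24s originated by AS15169 win over a covering 8.0.0.0/8 no matter who announces the /8, as an added example that is not from the thread: it parses route entries in the Juniper-style format pasted above, pulls the origin AS out of each AS path, and does the longest-prefix lookup. The 8.0.0.0/8 entry (AS path 3356 I) is constructed for the comparison; only the two /24 prefixes and their paths come from Josh's output.

```python
"""Longest-prefix match versus the covering /8.

Added example, not from the NANOG thread. A router picks the most specific
prefix that covers the destination, so 8.8.8.8 follows the 8.8.8.0/24 entry
(origin AS15169) even though 8.0.0.0/8 also contains it. The /8 entry below
is constructed; the /24 entries are two of those shown in the thread.
"""
import ipaddress
import re

ROUTE_OUTPUT = """\
8.0.0.0/8          *[BGP/170] 10w1d 02:11:09, MED 0, localpref 100
                      AS path: 3356 I
8.8.8.0/24         *[BGP/170] 8w4d 00:05:54, MED 0, localpref 100
                      AS path: 3356 15169 I
                    [BGP/170] 3d 04:32:51, localpref 100
                      AS path: 7843 15169 I
8.8.4.0/24         *[BGP/170] 4w4d 16:27:35, MED 0, localpref 100
                      AS path: 3549 15169 I
                    [BGP/170] 5d 02:13:20, MED 3, localpref 100
                      AS path: 2828 3356 15169 I
"""

# A prefix line: "<prefix>   *[BGP/170] ..." where '*' marks the active path.
PREFIX_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+(\*?)\[BGP/\d+\]")
# An AS-path line: the ASNs followed by the origin code (I, E or ?).
PATH_RE = re.compile(r"AS path:\s+([\d ]+?)\s+[IE?]\s*$")


def parse_routes(text):
    """Return {IPv4Network: [(as_path_tuple, is_active), ...]}."""
    routes = {}
    current = None
    pending_active = False
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            current = ipaddress.ip_network(m.group(1))
            pending_active = m.group(2) == "*"
            routes.setdefault(current, [])
            continue
        stripped = line.strip()
        if stripped.startswith("[BGP/"):
            pending_active = False  # an alternative, non-active path follows
            continue
        m = PATH_RE.search(stripped)
        if m and current is not None:
            path = tuple(int(asn) for asn in m.group(1).split())
            routes[current].append((path, pending_active))
    return routes


def origin_as(path):
    """The origin AS is the last ASN in the path."""
    return path[-1]


def lookup(routes, address):
    """Longest-prefix match: return (best_prefix, active_as_path) or None."""
    addr = ipaddress.ip_address(address)
    candidates = [p for p in routes if addr in p]
    if not candidates:
        return None
    best = max(candidates, key=lambda p: p.prefixlen)
    active = [path for path, is_active in routes[best] if is_active]
    return best, (active[0] if active else None)


def main():
    routes = parse_routes(ROUTE_OUTPUT)
    for ip in ("8.8.8.8", "8.8.4.4", "8.1.2.3"):
        prefix, path = lookup(routes, ip)
        print(f"{ip} -> {prefix} via AS path {path}, origin AS{origin_as(path)}")


if __name__ == "__main__":
    main()
```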
For sure...everyone remembers the Bill Gates Borg picture, but at this rate, Google will soon become the new poster child for that picture (or something comparable).
Bret
On Thu, 2009-12-03 at 10:48 -0800, Seth Mattinen wrote:
No kidding. I must be the only one who is getting tired of seeing Google take over literally everything.
~Seth
On Thu, Dec 3, 2009 at 1:12 PM, Bret Clark <bclark@spectraaccess.com> wrote:
For sure...everyone remembers the Bill Gates Borg picture, but at this rate, Google will soon become the new poster child for that picture (or something comparable).
Bret
I try to think of them as a benevolent dictator ;) -brandon
On Thu, 2009-12-03 at 10:48 -0800, Seth Mattinen wrote:
No kidding. I must be the only one who is getting tired of seeing Google take over literally everything.
~Seth
-- Brandon Galbraith Mobile: 630.400.6992 FNAL: 630.840.2141
On Thu, Dec 3, 2009 at 1:12 PM, Bret Clark <bclark@spectraaccess.com> wrote:
For sure...everyone remembers the Bill Gates Borg picture, but at this rate, Google will soon become the new poster child for that picture (or something comparable).
Bret
On Thu, 2009-12-03 at 10:48 -0800, Seth Mattinen wrote:
No kidding. I must be the only one who is getting tired of seeing Google take over literally everything.
~Seth
I think of this as an obvious (not necessarily beneficial for all, of course) step for a company which lives out of advertisement - i.e. what if they could capture your habits for browsing at the FQDN-to-IP time - wouldn't that add more to their knowledge base?
***Stefan Mititelu http://twitter.com/netfortius http://www.linkedin.com/in/netfortius
I think of this as an obvious (not necessarily beneficial for all, of course) step for a company which lives out of advertisement - i.e. what if they could capture your habits for browsing at the FQDN-to-IP time - wouldn't that add more to their knowledge base?
They have a lot of smart people there trying to provide a good service and do smart things, but as they are smart if a large number of users use their resolvers that's a lot of juicy statistics that can be monetized in some way. They will find the way to do it. IMHO. Jorge
I think of this as an obvious (not necessarily beneficial for all, of course) step for a company which lives out of advertisement - i.e. what if they could capture your habits for browsing at the FQDN-to-IP time - wouldn't that add more to their knowledge base?
I think there are amazing opportunities to data mine and prevent fraud if you can get a percentage of your users using this.

I'm really excited about the structured attacks that will be run against this thing (cache poisoning... and nastier)... if (for example) when their (or someone's) toolbar is installed, they ask if you'd like to use their "improved" dns service [perhaps they have the whole universe cached to reduce lookup times]. You'd sign up. And as the wave of software updates proceeds... well, talk about all your eggs in one basket.

Smart ISPs will have an ACL ready to hijack external DNS requests for their whole network in the (inevitable) event something *bad* happens one day and you need to restore service to your customers faster than they can figure out how to fix it themselves.

Just a thought.
Deepak
Deepak Jain wrote:
I think there are amazing opportunities to data mine and prevent fraud if you can get a percentage of your users using this.
I'm really excited about the structured attacks that will be run against this thing (cache poisoning... and nastier)... if (for example) when their (or someone's) toolbar is installed, they ask if you'd like to use their "improved" dns service [perhaps they have the whole universe cached to reduce lookup times]. You'd sign up.
I agree in a role-reversal method. I think there are amazing methods to study the correlation and statistical rate of criminal groups and how they're amassing so much data, making things nTimes easier to steal, spoof and create more frauds. Thanks Google! In fact, because they'd now have one more tool to work against them, it's only a matter of time before they become smarter (those tinkerers!) That leaves forensics experts with something to gripe about. Too much of a workload.
http://www.youtube.com/watch?v=pq3YdpB6N9M
-- J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
Stefan wrote:
I think of this as an obvious (not necessarily beneficial for all, of course) step for a company which lives out of advertisement - i.e. what if they could capture your habits for browsing at the FQDN-to-IP time - wouldn't that add more to their knowledge base?
I'm certain they will be gathering statistics. ~Seth
http://www.collegehumor.com/article:1793643 --bill On Thu, Dec 03, 2009 at 02:12:58PM -0500, Bret Clark wrote:
For sure...everyone remembers the Bill Gates Borg picture, but at this rate, Google will soon become the new poster child for that picture (or something comparable).
Bret
On Thu, 2009-12-03 at 10:48 -0800, Seth Mattinen wrote:
No kidding. I must be the only one who is getting tired of seeing Google take over literally everything.
~Seth
On Thu, 3 Dec 2009, Seth Mattinen wrote:
Jorge Amodio wrote:
now Google DNS, anything more?
I'm surprised that Google's new DNS service does not return better results for google.com than some local DNS resolvers do. My server is in Fairfax, VA. Does Google use Anycast'ed IPs or is it still a hybrid of split-horizon DNS and other things, as discussed previously: http://www.merit.edu/mail.archives/nanog/2009-02/threads.html#00269

Here are the results from some various DNS servers for Google.com. I thought Google had a datacenter in Ashburn, VA, but I'm not getting there. Maybe it's gone. Maybe the shortest route doesn't matter anymore.

--> dig +short google.com @208.67.222.222 # OpenDNS
74.125.53.100
74.125.67.100
74.125.45.100
--> dig +short google.com @8.8.8.8 # Google DNS
74.125.67.100
74.125.53.100
74.125.45.100
--> dig +short google.com @8.8.4.4 # Google DNS 2
74.125.67.100
74.125.53.100
74.125.45.100
--> dig +short google.com @198.6.1.1 # UUNET/Verizon Cache server (cache00.ns.uu.net)
74.125.53.100
74.125.67.100
74.125.45.100
--> dig +short google.com @198.6.1.2
74.125.45.100
74.125.53.100
74.125.67.100
--> dig +short google.com @198.6.1.3
74.125.45.100
74.125.67.100
74.125.53.100
--> dig +short google.com @198.6.1.4
74.125.45.100
74.125.53.100
74.125.67.100
--> dig +short google.com @198.6.1.5
74.125.67.100
74.125.45.100
74.125.53.100
* --> dig +short google.com @70.164.18.41 # Nova.org (Small VA ISP) Caching DNS
74.125.45.100
74.125.53.100
74.125.67.100
* --> dig +short google.com @208.94.147.150 # Tiggee DNS (VA company)
74.125.45.100
74.125.67.100
74.125.53.100

--> ping -c 10 74.125.45.100
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 18.079/20.522/25.272/2.200 ms
--> ping -c 10 74.125.53.100
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 97.721/101.267/107.770/2.856 ms
--> ping -c 10 74.125.67.100
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 97.531/99.238/101.206/1.420 ms

Only the last two starred DNS records returned what _seems_ to be the best result for Google.com. Then again, someone from Google might be able to explain the logic behind the results.

And to rip off the bandaid on the "What DNS Is Not" discussion, Google's DNS does return the expected NXDOMAIN for the very small test I did.

-- Peter Beckman, Internet Guy, beckman@angryox.com, http://www.angryox.com/
On 12/3/09 11:48 AM, Seth Mattinen wrote:
Jorge Amodio wrote:
now Google DNS, anything more?
GoogleNation.
No kidding. I must be the only one who is getting tired of seeing Google take over literally everything.
~Seth
Why is it that people start cracking out at the thought of Google offering a free service that people might have an actual use for and that is completely optional and used by choice? It's a free service people! No different than Hotmail, or Yahoo Mail, or Gmail, AOL Instant Messenger, MSN Messenger... Use it if you want, but if you don't, so be it. They're not holding a gun to your head. It would be one thing if installing Google Chrome or similar changed your DNS settings without your knowledge. MS in the past forced MSN Messenger onto people by default in most Windows installs, and the world didn't end.
-- Brielle Bruns, The Summit Open Source Development Group, http://www.sosdg.org / http://www.ahbl.org
Brielle Bruns wrote:
Why is it that people start cracking out at the thought of Google offering a free service that people might have an actual use for and that is completely optional and used by choice?
I take it you've never been on the receiving end of a "the whole internet is down it's your fault cuz google never breaks" call when google hiccups? ~Seth
I generally like goog's services and the fact that they are free, but sometimes google makes me think of all those futuristic movies where there is a single corporation running the world, everyone is 'tagged' and tracked 24/7 and everyone who works for that corporation are happy campers and live in clean and modern neighborhoods and the rest of the people are scum of the earth and live in the sewer. IMHO that's where we are heading with google taking over every service imaginable. That's the feeling I get from google.
----- Andrey Gordon [andrey.gordon@gmail.com]
On Thu, Dec 3, 2009 at 4:44 PM, Seth Mattinen <sethm@rollernet.us> wrote:
Brielle Bruns wrote:
Why is it that people start cracking out at the thought of Google offering a free service that people might have an actual use for and that is completely optional and used by choice?
I take it you've never been on the receiving end of a "the whole internet is down it's your fault cuz google never breaks" call when google hiccups?
~Seth
You mean like this?
http://arstechnica.com/telecom/news/2009/12/sprint-fed-customer-gps-data-to-leos-over-8-million-times.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss
and this?
http://almartinraw.com/public/column417.html
just wait til google sews up all voice communications.
On Thu, Dec 03, 2009 at 04:49:39PM -0500, Andrey Gordon's said:
sometimes google makes me think of all those futuristic movies where there is a single corporation running the world, everyone is 'tagged' and tracked 24/7 and everyone who works for that corporation are happy campers and live in clean and modern neighborhoods and the rest of the people are scum of the earth and live in the sewer. IMHO that's where we are heading with google taking over every service imaginable. That's the feeling I get from google.
/kc -- Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
Or the whole turning over records from Youtube... Nothing prevents them from changing policies in the future when it becomes more difficult for millions of users to change away... (vis-à-vis the uproar when FB was going to change its privacy policy and more as it continues to do so).
-----Original Message-----
From: Ken Chase [mailto:math@sizone.org]
Sent: Thursday, December 03, 2009 5:29 PM
To: nanog@nanog.org
Subject: Re: news from Google
You mean like this?
http://arstechnica.com/telecom/news/2009/12/sprint-fed-customer-gps-data-to-leos-over-8-million-times.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss
and this?
http://almartinraw.com/public/column417.html
just wait til google sews up all voice communications.
On Thu, Dec 03, 2009 at 04:49:39PM -0500, Andrey Gordon's said:
sometimes google makes me think of all those futuristic movies where there is a single corporation running the world, everyone is 'tagged' and tracked 24/7 and everyone who works for that corporation are happy campers and live in clean and modern neighborhoods and the rest of the people are scum of the earth and live in the sewer. IMHO that's where we are heading with google taking over every service imaginable. That's the feeling I get from google.
/kc -- Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
On 12/3/09 2:44 PM, Seth Mattinen wrote:
I take it you've never been on the receiving end of a "the whole internet is down it's your fault cuz google never breaks" call when google hiccups?
Actually, I have. I used to have to deal with gems like 'Your DNS server is attacking my machine in port 53 UDP!' all the time. End users will always do what they want without needing help from anyone but themselves. My position has, and always will be, you are on your own if you deviate from the standard configuration we provide. My current users understand that, and have gotten to the point where they'll admit up front if they changed something, without me needing to ask. Considering our messing up something costs them $0 vs. a service call from us that starts at $50 and goes up, the economics of playing with settings that work fine gets expensive, and they know this.
-- Brielle Bruns, The Summit Open Source Development Group, http://www.sosdg.org / http://www.ahbl.org
On Thu, Dec 03, 2009 at 02:04:55PM -0700, Brielle Bruns's said:
Why is it that people start cracking out at the thought of Google offering a free service that people might have an actual use for and that is completely optional and used by choice?
It's a free service people! No different then Hotmail, or Yahoo Mail, or Gmail, AOL Instant Messenger, MSN Messenger... Use it if you want, but if you don't, so be it. They're not holding a gun to your head.
What happened to the free but private fire brigades (as popularized in the movie Gangs of...) - how did they get under the aegis of municipal govts? (Those damn socialist fire depts! :)

Things that become essential services need quality management and control to ensure equal access to all and reduce abuses. Just because it's free doesn't mean it's being done right or should continue as it is without oversight or regulation. In fact, Canada's privacy commissioner recently ruled on Facebook's policies and asked them to change significant things about the way they handle personal information and allow opt-ins and outs.

"It's free, so why should anyone have any say in it, least of all the govt?" is your argument here. Access to internet/Email has been ruled as an essential service in (parts?) of the EU FWIG. The Canadian govt also has programs to help fund access to remote/rural/isolated communities for eg.

We all know that google is leveraging cross-referenceable information from all of its services for its profit/advantage, to the detriment of people's privacy and choice. Concentrating that much of internet services into one organization puts a lot of power into one pair of hands. Information is power, and absolute power corrupts... and if it doesn't corrupt you, then at least the NSA would like to have tea and a conversation with you.

/kc
-- Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
On Thu, Dec 3, 2009 at 5:07 PM, Ken Chase <math@sizone.org> wrote:
We all know that google is leveraging cross-referenceable information from all of its services for its profit/advantage ...
/kc -- Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
Ken, this was addressed in the announcement:
http://code.google.com/speed/public-dns/privacy.html
We built Google Public DNS to make the web faster and to retain as little information about usage as we could, while still being able to detect and fix problems. Google Public DNS does not permanently store personally identifiable information.
http://code.google.com/speed/public-dns/faq.html#account
http://code.google.com/speed/public-dns/faq.html#shared
http://code.google.com/speed/public-dns/faq.html#info
Is any of the information collected stored with my Google account? No.
Does Google share the information it collects from the Google Public DNS service with anyone else? No.
Is information about my queries to Google Public DNS shared with other Google properties, such as Search, Gmail, ads networks, etc.? No.
Hope this helps. --PSRC
Thanks for the updates Paul, good to see such policies in place at Google. I still personally hope for the great benevolent open-source-trumpeting/privacy-protecting giant to exist and operate exactly as it does in geeks' wildest fantasies. Really I do.

However, I suppose you can make few admissions regarding law enforcement or other govt surveillance queries regarding those 24 or 48 hours of log retention. (It's likely illegal for you to comment, if you do know anything.) I'd love to know what google's policies are there (if any?) - and what kind of latitude google really has over refusing certain types of request, or even refusing to build in certain features that would be useful to law enforcement. But again, you might not be allowed to comment.

While google does not do the cross referencing, can law enforcement request logs from various google services separately and do their own cross referencing based on IP and timestamp? Of course for some obscure site (say ostensibly containing 'typical terrorist profile ideological writings' for a cliched example), those 24-48 hours of logs would positively tie an IP address to at least looking up the site hosting such materials, strengthening evidence that the user visited that site.

This is a more wide ranging collection of information than google's search engine (which has its own privacy safeguards I'm not mentioning right now) as using google dns would log EVERY transaction (other than by raw IP) that the user did on the internet (not just google searches or using the web). This makes an extraordinarily attractive target for law enforcement. Even with strong policies in effect now, I'm not sure that anything that currently stops law enforcement won't be challenged or secretly overridden sometime in the future. "Build it and they will come."

/kc

On Thu, Dec 03, 2009 at 05:20:38PM -0500, Paul S. R. Chisholm's said:
Ken, this was addressed in the announcement:
http://code.google.com/speed/public-dns/privacy.html
We built Google Public DNS to make the web faster and to retain as little information about usage as we could, while still being able to detect and fix problems. Google Public DNS does not permanently store personally identifiable information.
http://code.google.com/speed/public-dns/faq.html#account http://code.google.com/speed/public-dns/faq.html#shared http://code.google.com/speed/public-dns/faq.html#info
-- Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
topically related, it's actually news from Mozilla:
http://www.computerworld.com/s/article/9142106/Mozilla_exec_suggests_Firefox...
from the horse's mouth, as it were. So, how bout that DNS.
/kc
-- Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
Another one for the collection http://www.circleid.com/posts/dot_google_before_christmas/ Cheers Jorge
On Thu, Dec 3, 2009 at 2:20 PM, Paul S. R. Chisholm <psrchisholm@gmail.com> wrote:
On Thu, Dec 3, 2009 at 5:07 PM, Ken Chase <math@sizone.org> wrote:
We all know that google is leveraging cross-referenceable information from all of its services for its profit/advantage ...
/kc -- Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
Ken, this was addressed in the announcement:
http://code.google.com/speed/public-dns/privacy.html
We built Google Public DNS to make the web faster and to retain as little information about usage as we could, while still being able to detect and fix problems. Google Public DNS does not permanently store personally identifiable information.
http://code.google.com/speed/public-dns/faq.html#account http://code.google.com/speed/public-dns/faq.html#shared http://code.google.com/speed/public-dns/faq.html#info
Is any of the information collected stored with my Google account? No. Does Google share the information it collects from the Google Public DNS service with anyone else? No. Is information about my queries to Google Public DNS shared with other Google properties, such as Search, Gmail, ads networks, etc.? No.
Hope this helps. --PSRC
And this will never change? Not even when you check the box for the latest update that says it changes some terms and here is the link,,,,,,, Bruce -- “Discovering...discovering...we will never cease discovering... and the end of all our discovering will be to return to the place where we began and to know it for the first time.” -T.S. Eliot
Bruce Williams wrote:
On Thu, Dec 3, 2009 at 2:20 PM, Paul S. R. Chisholm <psrchisholm@gmail.com> wrote:
On Thu, Dec 3, 2009 at 5:07 PM, Ken Chase <math@sizone.org> wrote:
We all know that google is leveraging cross-referenceable information from all of its services for its profit/advantage ...
/kc -- Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
Ken, this was addressed in the announcement:
http://code.google.com/speed/public-dns/privacy.html
We built Google Public DNS to make the web faster and to retain as little information about usage as we could, while still being able to detect and fix problems. Google Public DNS does not permanently store personally identifiable information.
http://code.google.com/speed/public-dns/faq.html#account http://code.google.com/speed/public-dns/faq.html#shared http://code.google.com/speed/public-dns/faq.html#info
Is any of the information collected stored with my Google account? No. Does Google share the information it collects from the Google Public DNS service with anyone else? No. Is information about my queries to Google Public DNS shared with other Google properties, such as Search, Gmail, ads networks, etc.? No.
Hope this helps. --PSRC
And this will never change? Not even when you check the box for the latest update that says it changes some terms and here is the link,,,,,,,
Bruce
The Adsense tracking cookie was once an opt-in, but after Google acquired that company and crushed the competition it became an opt-out, unbeknownst to many consumers. This is the way these generally go. Google will be all sweetness and light until they've crushed OpenDNS, and when the competitor's out of the picture, they'll get down to the monetizing.
-- Richard Bennett
"We plan to share what we learn from this experimental rollout of Google Public DNS with the broader web community and other DNS providers, to improve the browsing experience for Internet users globally." I wonder how the world managed to function before Google came along.... Bruce On Fri, Dec 4, 2009 at 5:53 AM, Richard Bennett <richard@bennett.com> wrote:
Bruce Williams wrote:
On Thu, Dec 3, 2009 at 2:20 PM, Paul S. R. Chisholm<psrchisholm@gmail.com> <psrchisholm@gmail.com>wrote
On Thu, Dec 3, 2009 at 5:07 PM, Ken Chase <math@sizone.org> <math@sizone.org> wrote:
We all know that google is leveraging cross-referenceable information
from all
of its services for its profit/advantage ...
/kc -- Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151
Front St. W.
Ken, this was addressed in the announcement: http://code.google.com/speed/public-dns/privacy.html
We built Google Public DNS to make the web faster and to retain as little information about usage as we could, while still being able to detect and fix problems. Google Public DNS does not permanently store personally identifiable information. http://code.google.com/speed/public-dns/faq.html#accounthttp://code.google.c...
Is any of the information collected stored with my Google account? No. Does Google share the information it collects from the Google Public DNS service with anyone else? No. Is information about my queries to Google Public DNS shared with other Google properties, such as Search, Gmail, ads networks, etc.? No.
Hope this helps. --PSRC
And this will never change? Not even when you check the box for the latest update that says it changes some terms and here is the link,,,,,,,
Bruce
The Adsense tracking cookie was once an opt-in, but after Google acquired that company and crushed the competition it became an opt-out, unbeknownst to many consumers. This is the way these generally go. Google will be all sweetness and light until they've crushed OpenDNS, and when the competitor's out of the picture, they'll get down to the monetizing.
-- Richard Bennett
-- “Discovering...discovering...we will never cease discovering... and the end of all our discovering will be to return to the place where we began and to know it for the first time.” -T.S. Eliot
On Fri, Dec 4, 2009 at 5:53 AM, Richard Bennett <richard@bennett.com> wrote:
Google will be all sweetness and light until they've crushed OpenDNS, and when the competitor's out of the picture, they'll get down to the monetizing.
one note: OpenDNS is not the only 'competitor' here.... just one of the better obviously known ones. ie: 4.2.2.2 L(3) 198.6.1.1/2/3/4/5/122/142/146/195 ex-UU Neustar (can't recall ips, sorry) -chris
You really can't count the open Level3/GTEI DNS servers as a competitor for OpenDNS or what Google has just released. These are completely unsupported, and use of these servers from outside Level 3 has been blocked/delayed at different times. I use these all the time for testing and for my own personal use, but depending on these for anything production is a very bad idea. Plus OpenDNS's model is based on selling you their higher level services, while I am sure Google will eventually link the service to google accounts to track your web usage just like they track, index, and show you ads based on your web searches, email messages, etc. Then again, depending on OpenDNS, Google, or anything else outside your control for production services probably isn't a good idea anyway. -Scott -----Original Message----- From: Christopher Morrow [mailto:morrowc.lists@gmail.com] Sent: Friday, December 04, 2009 1:25 PM To: Richard Bennett Cc: nanog@nanog.org; ken@heavycomputing.ca Subject: Re: news from Google On Fri, Dec 4, 2009 at 5:53 AM, Richard Bennett <richard@bennett.com> wrote:
Google will be all sweetness and light until they've crushed OpenDNS, and when the competitor's out of the picture, they'll get down to the monetizing.
one note: OpenDNS is not the only 'competitor' here.... just one of the better obviously known ones. ie: 4.2.2.2 L(3) 198.6.1.1/2/3/4/5/122/142/146/195 ex-UU Neustar (can't recall ips, sorry) -chris
Put one more down on the evil list ... http://www.techcrunch.com/2009/12/04/google-acquires-appjet-etherpad/ Cheers Jorge
On Dec 4, 2009, at 11:44 AM, Jorge Amodio wrote:
Put one more down on the evil list ...
http://www.techcrunch.com/2009/12/04/google-acquires-appjet-etherpad/
Cheers Jorge
Come on. Acquiring a company is now considered evil? Of course there are repercussions to any acquisition. Many companies however have been acquired by Google and are not evil at all. Many companies retain their independence after being acquired. I have enjoyed Google's services for years and never once considered them evil. Everyone should enjoy the fruits of their labor and the services they provide.
Hmm, all these resolution services being advertised Internet-wide by their [temporary?] IP addresses... it is an interesting variation of something we put some work into best practice considerations for, along these lines, a few years ago:

Embedding Globally-Routable Internet Addresses Considered Harmful BCP 105, RFC 4085: http://www.rfc-editor.org/rfc/bcp/bcp105.txt

So, a polite reminder: (while I am well aware that a host needs to identify an initial DNS server by IP address, to bootstrap the process) there is a documented history of bad things having happened when publicly-advertised, "popular" Internet services were identified by unique, globally-routable IP addresses without the use of some other rendezvous mechanism (DNS, DHCP, etc.). The addresses, and thus the prefixes in which they reside, become encumbered by their past uses, thus diminishing the ability to reuse those address blocks and raising the unfortunate consideration to legitimately block or hijack those IP addresses to deal with unexpected traffic load or security issues. When the address for one's recursive DNS server is, instead, gotten from a local DHCP server (or by local policy) then there is at least the possibility, by responsible operators, to limit unwanted traffic destined for those addresses in the [inevitable] future.

Dave

On Fri, Dec 04, 2009 at 10:25:11AM -0800, Christopher Morrow wrote:
On Fri, Dec 4, 2009 at 5:53 AM, Richard Bennett <richard@bennett.com> wrote:
Google will be all sweetness and light until they've crushed OpenDNS, and when the competitor's out of the picture, they'll get down to the monetizing.
one note: OpenDNS is not the only 'competitor' here.... just one of the better obviously known ones.
ie: 4.2.2.2 L(3) 198.6.1.1/2/3/4/5/122/142/146/195 ex-UU Neustar (can't recall ips, sorry)
-chris
-- plonka@cs.wisc.edu http://net.doit.wisc.edu/~plonka/ Madison, WI
On Fri, Dec 4, 2009 at 1:25 PM, Christopher Morrow <morrowc.lists@gmail.com>wrote:
On Fri, Dec 4, 2009 at 5:53 AM, Richard Bennett <richard@bennett.com> wrote:
Google will be all sweetness and light until they've crushed OpenDNS, and when the competitor's out of the picture, they'll get down to the monetizing.
one note: OpenDNS is not the only 'competitor' here.... just one of the better obviously known ones.
ie: 4.2.2.2 L(3) 198.6.1.1/2/3/4/5/122/142/146/195 ex-UU Neustar (can't recall ips, sorry)
-chris
Why did Google put an infrastructure critical application into PA space? -- Martin Hannigan martin@theicelandguy.com p: +16178216079 Power, Network, and Costs Consulting for Iceland Datacenters and Occupants
On Fri, Dec 04, 2009 at 03:34:10PM -0500, Martin Hannigan wrote:
On Fri, Dec 4, 2009 at 1:25 PM, Christopher Morrow <morrowc.lists@gmail.com>wrote:
On Fri, Dec 4, 2009 at 5:53 AM, Richard Bennett <richard@bennett.com> wrote:
Google will be all sweetness and light until they've crushed OpenDNS, and when the competitor's out of the picture, they'll get down to the monetizing.
one note: OpenDNS is not the only 'competitor' here.... just one of the better obviously known ones.
ie: 4.2.2.2 L(3) 198.6.1.1/2/3/4/5/122/142/146/195 ex-UU Neustar (can't recall ips, sorry)
-chris
Why did Google put an infrastructure critical application into PA space?
what's PA space in this context? clearly 8.0.0.0/8 was allocated prior to any current group-think about what PA might be. --bill
On Fri, Dec 4, 2009 at 4:37 PM, <bmanning@vacation.karoshi.com> wrote:
On Fri, Dec 4, 2009 at 1:25 PM, Christopher Morrow <morrowc.lists@gmail.com>wrote:
On Fri, Dec 4, 2009 at 5:53 AM, Richard Bennett <richard@bennett.com> wrote:
Google will be all sweetness and light until they've crushed OpenDNS, and when the competitor's out of the picture, they'll get down to
On Fri, Dec 04, 2009 at 03:34:10PM -0500, Martin Hannigan wrote: the
monetizing.
one note: OpenDNS is not the only 'competitor' here.... just one of the better obviously known ones.
ie: 4.2.2.2 L(3) 198.6.1.1/2/3/4/5/122/142/146/195 ex-UU Neustar (can't recall ips, sorry)
-chris
Why did Google put an infrastructure critical application into PA space?
whats PA space in this context? clearly 8.0.0.0/8 was allocated prior to any current group-think about what PA might be.
--bill
Let's call it "conceptual PA". I'm simply asking why something that has the potential to impact all of us is being numbered into address space other than their own? And before the thinkpol start in, I'm referring to the v4 addresses and their status. It's a fair question since it has major impact on the net. If the store for legacy v4 addresses is open I'd like to know what street it's on. Best, -M< -- Martin Hannigan martin@theicelandguy.com p: +16178216079 Power, Network, and Costs Consulting for Iceland Datacenters and Occupants
I don't think that google will be able to kill opendns right now. Neither google nor any of the other well known DNS services provide the "value-added services" that OpenDNS does, such as filtering, etc which can be a godsend for small businesses that can't afford a rackful of gear... BGC On Dec 4, 2009, at 5:15 PM, Martin Hannigan wrote:
On Fri, Dec 4, 2009 at 4:37 PM, <bmanning@vacation.karoshi.com> wrote:
On Fri, Dec 4, 2009 at 1:25 PM, Christopher Morrow <morrowc.lists@gmail.com>wrote:
On Fri, Dec 4, 2009 at 5:53 AM, Richard Bennett <richard@bennett.com> wrote:
Google will be all sweetness and light until they've crushed OpenDNS, and when the competitor's out of the picture, they'll get down to
On Fri, Dec 04, 2009 at 03:34:10PM -0500, Martin Hannigan wrote: the
monetizing.
one note: OpenDNS is not the only 'competitor' here.... just one of the better obviously known ones.
ie: 4.2.2.2 L(3) 198.6.1.1/2/3/4/5/122/142/146/195 ex-UU Neustar (can't recall ips, sorry)
-chris
Why did Google put an infrastructure critical application into PA space?
whats PA space in this context? clearly 8.0.0.0/8 was allocated prior to any current group-think about what PA might be.
--bill
Let's call it "conceptual PA". I'm simply asking why something that has the potential to impact all of us is being numbered into address space other than their own?
And before the thinkpol start in, I'm referring to the v4 addresses and their status. It's a fair question since it has major impact on the net. If the store for legacy v4 addresses is open I'd like to know what street it's on.
Best,
-M<
-- Martin Hannigan martin@theicelandguy.com p: +16178216079 Power, Network, and Costs Consulting for Iceland Datacenters and Occupants
Martin Hannigan expunged (martin@theicelandguy.com):
Why did Google put an infrastructure critical application into PA space?
I'm not sure what the policy is now, but it seemed that when I was at L3 (losing my memory at this point) 4/8 was used as PA space and 8/8 was basically handed out as PI space. I could be wrong... -Steve
On 04/12/09 19:25, Christopher Morrow wrote:
one note: OpenDNS is not the only 'competitor' here.... just one of the better obviously known ones.
ie: 4.2.2.2 L(3) 198.6.1.1/2/3/4/5/122/142/146/195 ex-UU Neustar (can't recall ips, sorry)
I maintain a list here [1], many of which are reachable with IPv6. [1] http://www.chaz6.com/files/resolv.conf
I think this article best articulates what is going on with Google DNS http://www.pcmag.com/article2/0,2817,2356703,00.asp most people are not going to reconfigure their routers to use gdns as a secondary dns -henry ________________________________ From: Chris Hills <chaz@chaz6.com> To: nanog@nanog.org Sent: Sat, December 5, 2009 5:21:24 AM Subject: Re: news from Google On 04/12/09 19:25, Christopher Morrow wrote:
one note: OpenDNS is not the only 'competitor' here..... just one of the better obviously known ones.
ie: 4.2.2.2 L(3) 198.6.1.1/2/3/4/5/122/142/146/195 ex-UU Neustar (can't recall ips, sorry)
I maintain a list here [1], many of which are reachable with IPv6. [1] http://www.chaz6.com/files/resolv.conf
On Sat, 5 Dec 2009, Chris Hills wrote:
I maintain a list here [1], many of which are reachable with IPv6. [1] http://www.chaz6.com/files/resolv.conf
Not all of those are open resolvers, so I wonder what the criteria for listing are. I'm especially surprised to see the IPv6 addresses of Cambridge's resolvers there. Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS. MODERATE OR GOOD.
On 08/12/09 23:19, Tony Finch wrote:
On Sat, 5 Dec 2009, Chris Hills wrote:
I maintain a list here [1], many of which are reachable with IPv6. [1] http://www.chaz6.com/files/resolv.conf
Not all of those are open resolvers, so I wonder what the criteria for listing are. I'm especially surprised to see the IPv6 addresses of Cambridge's resolvers there.
The criteria are basically "any server with a public ipv4/ipv6 address that provides a recursive dns service". Those that may be unreachable from off-net are marked "filtered". I have added a note explaining this.
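The listing criterion above ("provides a recursive DNS service from a public address", with unreachable servers marked "filtered") is something you can test for yourself. The following is an added example and not code from the thread or from the linked resolver list: it builds a query with the RD bit set and classifies the reply by transaction ID, the RA flag and the RCODE (REFUSED being what a closed or filtered server commonly returns). The responses in the tests are constructed by hand; probe() is the function you would point at a real address.

```python
"""Classify what a nameserver does with a plain recursive query (added example)."""
import socket
import struct

FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
RCODE_MASK = 0x000F
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, terminated by a 0 byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Standard query, RD=1, one question, no EDNS: 12-byte header + question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def classify_response(query, response):
    """Return a label describing how the server treated the query."""
    if len(response) < 12:
        return "malformed"
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        return "txid-mismatch"          # not an answer to the question we sent
    if not flags & FLAG_QR:
        return "not-a-response"
    rcode = RCODES.get(flags & RCODE_MASK, "OTHER")
    if rcode == "REFUSED":
        return "refused"                # policy refusal: closed or filtered server
    if not flags & FLAG_RA:
        return "non-recursive"          # will only answer for zones it serves
    if rcode in ("NOERROR", "NXDOMAIN"):
        return "open-recursive"         # RA set and it resolved (or denied) the name
    return "recursive-" + rcode.lower()


def constructed_response(query, flags, rdata=None):
    """Build a reply to `query` for testing: same txid, echoed question and,
    optionally, one A record whose name is a 0xC00C pointer to the question.
    Constructed sample data, not captured traffic."""
    answers = b""
    if rdata is not None:
        answers = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 1 if rdata else 0, 0, 0)
    return header + query[12:] + answers


def probe(server, name="www.example.com", timeout=2.0, port=53):
    """Send one query over UDP; 'filtered' means no reply of any kind in time."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "filtered"
    return classify_response(query, response)
```

A server that sets RA and returns NOERROR or NXDOMAIN for a name outside its own zones is what the list above calls a recursive service; a timeout on a published address is the "filtered" case. Run the probe from more than one vantage point before drawing conclusions, since some of the listed servers answer only on-net.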
Brielle Bruns wrote:
Why is it that people start cracking out at the thought of Google offering a free service that people might have an actual use for and that is completely optional and used by choice?
It's a free service people! No different than Hotmail, or Yahoo Mail, or Gmail, AOL Instant Messenger, MSN Messenger... Use it if you want, but if you don't, so be it. They're not holding a gun to your head.
Can you make that same statement when Google Chrome OS is released or future versions of Android are released? It would be naive to think that Google wouldn't try to default the DNS to their services with those OS's... no "for profit" company does something for free without an underlying motive. I don't think people have problems necessarily with Google getting into all this stuff, but at some point, if whatever users are doing always has Google as an initial destination, it becomes a concern and I think that is the underlying argument for most people. Just my 2 cents, Bret
On Thu, 3 Dec 2009, Jorge Amodio wrote:
now Google DNS, anything more?
GoogleNation.
Google Opt-out Village: http://www.theonion.com/content/video/google_opt_out_feature_lets_users -Hank
Eduardo A. Suárez wrote:
Hi,
now Google DNS, anything more?
http://googlecode.blogspot.com/2009/12/introducing-google-public-dns-new-dns...
Eduardo.-
yawn. So not interested.
now Google DNS, anything more?
http://googlecode.blogspot.com/2009/12/introducing-google-public-dns-new-dns...
Probably in support of their various Android netbooks that are in the pipe. They'll likely come pre-configured to use GoogleDNS .. that way they won't (accidentally) lose ad/search revenue when a "helpful" ISP redirects NXDOMAIN responses. Will be interesting to see if ISPs respond to a large scale thing like this taking hold by blocking UDP/TCP 53 like many now do with tcp/25 (albeit for other reasons). Therein lies the problem with some of the "net neutrality" arguments .. there's a big difference between "doing it because it causes a problem for others", and "doing it because it robs me of revenue opportunities". Cheers, Michael Holstein Cleveland State University
Will be interesting to see if ISPs respond to a large scale thing like this taking hold by blocking UDP/TCP 53 like many now do with tcp/25 (albeit for other reasons). Therein lies the problem with some of the "net neutrality" arguments .. there's a big difference between "doing it because it causes a problem for others", and "doing it because it robs me of revenue opportunities".
I do hear of ISPs blocking requests to random offsite DNS servers. For most consumer PCs, that's more likely to be a zombie doing DNS hijacking than anything legitimate. If they happen also to block 8.8.8.8 that's just an incidental side benefit. R's, John
On Dec 7, 2009, at 5:29 PM, John Levine wrote:
Will be interesting to see if ISPs respond to a large scale thing like this taking hold by blocking UDP/TCP 53 like many now do with tcp/25 (albeit for other reasons). Therein lies the problem with some of the "net neutrality" arguments .. there's a big difference between "doing it because it causes a problem for others", and "doing it because it robs me of revenue opportunities".
I do hear of ISPs blocking requests to random offsite DNS servers. For most consumer PCs, that's more likely to be a zombie doing DNS hijacking than anything legitimate. If they happen also to block 8.8.8.8 that's just an incidental side benefit.
I've found more and more hotel/edge networks blocking/capturing this traffic. The biggest problem is they tend to break things horribly and fail things like the OARC entropy test. They will often also return REFUSED (randomly) to valid well formed DNS queries. While I support the capturing of malware compromised machines until they are repaired, I do think more intelligence needs to be applied when directing these systems. Internet access in a hotel does not mean just UDP/53 to their selected hosts plus TCP/80, TCP/443. The University of Michigan Hospitals have a guestnet wireless that is ghetto and blocks IMAP over SSL. Attempts to get them to correct this have fallen on deaf ears. I can't even VPN out to work around the silliness, which typically works in other hotel/guestnet scenarios. Providers to avoid: US Signal Corporation. (64.141.138.226 was my natted IP in a Hampton Inn despite whois/swip). - Jared
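The "entropy test" mentioned above measures how unpredictable a resolver's source ports (and transaction IDs) are, which is exactly the property a port-rewriting NAT or a DNS interception box tends to flatten. The following is an added example, not the OARC test itself and not code from the thread: it scores a list of observed source ports with three simple metrics and returns a verdict. The thresholds and the three sample port lists are constructed for illustration; the same function can be fed transaction IDs.

```python
"""Score the randomness of source ports seen on successive queries (added example)."""
import math
import random


def port_randomness(ports, min_stddev=2000.0, max_sequential=0.25):
    """Return the metrics and a 'good'/'poor' verdict for one resolver's ports.

    distinct   - number of different values; log2 of it is the usable bits
    stddev     - spread; a NAT allocating from a small pool scores low
    sequential - share of consecutive queries whose ports differ by <= 1
    A spoofer has to guess both the 16-bit txid and the port, so a narrow or
    sequential port range hands most of that work back to the attacker.
    """
    n = len(ports)
    if n < 2:
        raise ValueError("need at least two observations")
    distinct = len(set(ports))
    mean = sum(ports) / n
    stddev = math.sqrt(sum((p - mean) ** 2 for p in ports) / n)
    deltas = [abs(b - a) for a, b in zip(ports, ports[1:])]
    sequential = sum(1 for d in deltas if d <= 1) / len(deltas)
    poor = (distinct < n // 2) or (stddev < min_stddev) or (sequential > max_sequential)
    return {
        "bits": math.log2(distinct),
        "distinct": distinct,
        "stddev": stddev,
        "sequential": sequential,
        "verdict": "poor" if poor else "good",
    }


# Constructed samples (not captured traffic): a resolver picking ephemeral
# ports at random from the whole high range, a NAT handing them out in order,
# and an interception box that rewrites every query to source port 53.
RANDOMIZED_PORTS = random.Random(2009).sample(range(1024, 65536), 64)
SEQUENTIAL_PORTS = [40000 + i for i in range(64)]
FIXED_PORTS = [53] * 64
```

Collect the real samples by pointing a resolver at a nameserver you control and reading the source ports off its query log or a packet capture; a hotel NAT that breaks the test will typically show up as the sequential or fixed pattern, which is also what makes cache poisoning cheap behind it.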
Jared Mauch wrote:
The University of Michigan Hospitals have a guestnet wireless that is ghetto and blocks IMAP over SSL. Attempts to get them to correct this have fallen on deaf ears. I can't even VPN out to work around the silliness, which typically works in other hotel/guestnet scenarios.
Providers to avoid: US Signal Corporation. (64.141.138.226 was my natted IP in a Hampton Inn despite whois/swip).
- Jared
I'm pretty sure that's the hotel doing the blocking, USS isn't the type to enforce anything specific like that that I've found as they're a wholesaler and blocking that stuff tends to annoy those who are whiteboxing their product. They definitely don't do anything like that on their transit links. -Paul
On 12/7/09 4:00 PM, Jared Mauch wrote:
Providers to avoid: US Signal Corporation. (64.141.138.226 was my natted IP in a Hampton Inn despite whois/swip).
Add Air2Data (seen in Best Western in WY). 20-some-odd APs, all routerboards, all same SSID, overlapping channels, hijacking 80 and 53. When using PPTP or IPSec VPN, the AP chokes and locks out all other clients, eventually stops responding completely. SpeedLinks (once again, Best Western, in Tacoma, WA) was almost as bad. Port 53 hijacking, flaky PPTP support, no ethernet jacks. I'm noticing a lot of these places are doing things which work perfectly with Windows, but not Mac, Linux, etc. Drives me bonkers, and we make sure to let management know we won't stay at their hotel in the future because of said issues. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
On Dec 7, 2009, at 7:23 PM, Brielle Bruns wrote:
I'm noticing a lot of these places are doing things which work perfectly with Windows, but not Mac, Linux, etc. Drives me bonkers, and we make sure to let management know we won't stay at their hotel in the future because of said issues.
I'd prefer to not create a blacklist of hotels that have ghetto internet access, but perhaps this is something we can aggregate? I'm mostly tired of people saying the internet is http(s) only. Even had hotels in Japan do some really nasty things... - Jared
Swisscom Eurospot - found all through europe and ruinously expensive at like 25 euro a day, 9 euro an hour See http://www.mcabee.org/lists/nanog/Feb-07/msg00046.html for what goes on there .. dns proxying, and broken at that. On Tue, Dec 8, 2009 at 6:08 AM, Jared Mauch <jared@puck.nether.net> wrote:
On Dec 7, 2009, at 7:23 PM, Brielle Bruns wrote:
I'm noticing a lot of these places are doing things which work perfectly with Windows, but not Mac, Linux, etc. Drives me bonkers, and we make sure to let management know we won't stay at their hotel in the future because of said issues.
I'd prefer to not create a blacklist of hotels that have ghetto internet access, but perhaps this is something we can aggregate?
I'm mostly tired of people saying the internet is http(s) only. Even had hotels in Japan do some really nasty things...
- Jared
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Disclaimer: /I work for a company that provides these services./ IMHO there is no need for any sort of DNS redirection after user authentication has taken place. We of course redirect UDP/TCP 53 to one of our servers along with 80 (http) 443 (https) 8080, 3128 (proxy) to the local hotspot *before* any authentication has occurred, but once this is completed the only reason any guest would use the local DNS server is if they were assigned a DHCP address. As far as our Routerboard/Mikrotik setup works, it'll masquerade for any non standard IP addresses that appear on the network (guests with static IPs assigned, corporate laptops etc) but once again after the authentication stage anything is allowed to pass unhindered. The only redirection that is used after authentication is for port 25 as 90% of users trying to send mail out via port 25 have no idea how to change their mail server, let alone why they might need to. It can be an issue as some systems use authentication on port 25. I would be interested to hear what people have to say about this, as the only other option I could think of would involve checking the incoming connection to see if the end user was trying to authenticate to a mail server before determining where to forward the connection onto (Layer 7 stuff, gets a bit tricky) Regards, Andrew Cox AccessPlus Head Network Administrator Jared Mauch wrote:
On Dec 7, 2009, at 5:29 PM, John Levine wrote:
Will be interesting to see if ISPs respond to a large scale thing like this taking hold by blocking UDP/TCP 53 like many now do with tcp/25 (albeit for other reasons). Therein lies the problem with some of the "net neutrality" arguments .. there's a big difference between "doing it because it causes a problem for others", and "doing it because it robs me of revenue opportunities".
I do hear of ISPs blocking requests to random offsite DNS servers. For most consumer PCs, that's more likely to be a zombie doing DNS hijacking than anything legitimate. If they happen also to block 8.8.8.8 that's just an incidental side benefit.
I've found more and more hotel/edge networks blocking/capturing this traffic.
The biggest problem is they tend to break things horribly and fail things like the OARC entropy test.
They will often also return REFUSED (randomly) to valid well formed DNS queries.
While I support the capturing of malware compromised machines until they are repaired, I do think more intelligence needs to be applied when directing these systems.
Internet access in a hotel does not mean just UDP/53 to their selected hosts plus TCP/80, TCP/443.
The University of Michigan Hospitals have a guestnet wireless that is ghetto and blocks IMAP over SSL. Attempts to get them to correct this have fallen on deaf ears. I can't even VPN out to work around the silliness, which typically works in other hotel/guestnet scenarios.
Providers to avoid: US Signal Corporation. (64.141.138.226 was my natted IP in a Hampton Inn despite whois/swip).
- Jared
You could just firewall off port 25 and leave 587 open - to save yourself from a bunch of viruses and such. A lot of people will use webmail anyway - from a hotel. And you avoid getting blacklisted The other option is to install a device that examines email flows and allows only stuff it doesn't think is spammy (netflow for email kind of, with all the bayesian etc secret sauce). Two devices come to mind * Symantec E160 (used to be called turntide, and before that, back in 2002-03, spam squelcher) * Mailchannels (www.mailchannels.com) There's probably a few more that do this and are totally transparent. On Tue, Dec 8, 2009 at 6:54 AM, Andrew Cox <andrew@accessplus.com.au> wrote:
I would be interested to hear what people have to say about this, as the only other option I could think of would involve checking the incoming connection to see if the end user was trying to authenticate to a mail server before determining where to forward the connection onto (Layer 7 stuff, gets a bit tricky)
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Suresh Ramasubramanian wrote:
You could just firewall off port 25 and leave 587 open - to save yourself from a bunch of viruses and such. A lot of people will use webmail anyway - from a hotel. And you avoid getting blacklisted
The problem with doing that is that users don't understand it. All they know is that "it doesn't work here and it does at home". We currently redirect to a couple of dedicated mail relays that will accept any email where: a) the source address = the email address they put on their signup and b) is not detected as spam Alternatively there's a throttling table and spam filter on everything else that comes through.
The other option is to install a device that examines email flows and allows only stuff it doesn't think is spammy (netflow for email kind of, with all the bayesian etc secret sauce). Two devices come to mind
* Symantec E160 (used to be called turntide, and before that, back in 2002-03, spam squelcher) * Mailchannels (www.mailchannels.com)
There's probably a few more that do this and are totally transparent.
We can also just force the box to accept any unsecured auth-attempts however the SMTPS over port 25 is still a problem. Don't see how any system could examine that mail without causing certificate errors. Allowing it to pass to the original server based on the first packet being detected as a secure connection may be possible though.
On Tue, Dec 8, 2009 at 6:54 AM, Andrew Cox <andrew@accessplus.com.au> wrote:
I would be interested to hear what people have to say about this, as the only other option I could think of would involve checking the incoming connection to see if the end user was trying to authenticate to a mail server before determining where to forward the connection onto (Layer 7 stuff, gets a bit tricky)
IMHO there is no need for any sort of DNS redirection after user authentication has taken place.
It may be hazardous even before user authentication has taken place. Even given a very low TTL, client resolvers may cache answers returned during that initial authentication.
We of course redirect UDP/TCP 53 to one of our servers along with 80 (http) 443 (https) 8080, 3128 (proxy) to the local hotspot *before* any authentication has occurred, but once this is completed the only reason any guest would use the local DNS server is if they were assigned a DHCP address.
Which, presumably, many/most of them are. Supplying a functional DNS server shouldn't be that difficult, but real world experience shows just how well some operators run these services.
As far as our Routerboard/Mikrotik setup works, it'll masquerade for any non standard IP addresses that appear on the network (guests with static ip's assigned, corporate laptops etc) but once again after the authentication stage anything is allowed to pass unhindered.
The only redirection that is used after authentication is for port 25 as 90% of user trying to send mail out via port 25 have no idea how to change their mail server, let alone why they might need to. It can be an issue as some systems use authentication on port 25.
Sounds like an opportunity for a custom proxy. Clients that can successfully authenticate to an external mailserver on 25 are probably by definition nonproblematic. The remainder probably deserve to get jammed through an aggressive spam, virus, and other-crap filter, with in-line notification of rejections. You can do some other sanity stuff like counting the number of hosts contacted by a client; anything in excess of a small number would seem to be a good indicator to stop. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
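The two suggestions above can be put into one piece of decision logic for a transparent port-25 proxy: Andrew's point that a connection whose first packet is a TLS handshake should be passed to the original server untouched (inspecting it means certificate errors), and Joe's point that a client which completes SMTP AUTH is probably fine while one that keeps contacting new mail hosts without ever authenticating should be stopped. The following is an added example, not code from the thread or from the Mikrotik setup described; the verdict names, the threshold and the sample sessions are constructed for illustration.

```python
"""Verdict logic for a transparent port-25 proxy on a hotspot (added example)."""
import re
from collections import defaultdict

AUTH_CMD = re.compile(rb"^AUTH\s+(PLAIN|LOGIN|CRAM-MD5)\b", re.IGNORECASE)


def is_tls_client_hello(first_bytes):
    """True if the client's first bytes look like a TLS ClientHello record.

    Record header: content type 0x16 (handshake), version 0x03 0x00..0x03,
    two length bytes, then handshake type 0x01 (ClientHello).  A plaintext
    SMTP client sends nothing until it has seen the 220 banner, so data
    arriving before the proxy has spoken is itself a strong hint of TLS.
    """
    return (len(first_bytes) >= 6
            and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x03
            and first_bytes[5] == 0x01)


def auth_succeeded(transcript):
    """transcript: list of (direction, line), 'C' client->server, 'S' server->client.
    True once an AUTH command is answered with 235.  334 lines are challenges;
    the client's base64 replies to them are not commands and are skipped."""
    awaiting = False
    for direction, line in transcript:
        if direction == "C" and AUTH_CMD.match(line):
            awaiting = True
        elif direction == "S" and awaiting:
            if line.startswith(b"334"):
                continue
            return line.startswith(b"235")
    return False


class HotspotSmtpPolicy:
    """Tracks distinct mail hosts per client across redirected connections."""

    def __init__(self, max_distinct_hosts=5):
        self.max_distinct_hosts = max_distinct_hosts
        self.hosts_by_client = defaultdict(set)

    def connection(self, client_ip, dst_host, first_bytes, transcript):
        """Return 'passthrough', 'relay', 'filter' or 'throttle' for one connection.
        first_bytes is whatever arrived before the proxy sent a banner (empty for
        a normal SMTP client); transcript is the relayed plaintext session."""
        if is_tls_client_hello(first_bytes):
            return "passthrough"        # hand to the real server, no inspection
        if auth_succeeded(transcript):
            return "relay"              # authenticated to a real mailserver
        hosts = self.hosts_by_client[client_ip]
        hosts.add(dst_host)
        if len(hosts) > self.max_distinct_hosts:
            return "throttle"           # bot-like fan-out without credentials
        return "filter"                 # run through spam/virus filtering


# Constructed sample data (not captured traffic).
TLS_FIRST_PACKET = bytes.fromhex("160301002a01000026")   # record + ClientHello prefix
AUTH_SESSION = [
    ("S", b"220 mail.example.net ESMTP"),
    ("C", b"EHLO laptop"),
    ("S", b"250-mail.example.net"),
    ("S", b"250 AUTH PLAIN LOGIN"),
    ("C", b"AUTH LOGIN"),
    ("S", b"334 VXNlcm5hbWU6"),
    ("C", b"am9l"),
    ("S", b"334 UGFzc3dvcmQ6"),
    ("C", b"c2VjcmV0"),
    ("S", b"235 2.7.0 Authentication successful"),
]
NO_AUTH_SESSION = [
    ("S", b"220 mx.example.org ESMTP"),
    ("C", b"HELO pc"),
    ("S", b"250 mx.example.org"),
    ("C", b"MAIL FROM:<someone@example.com>"),
]
```

The one awkward bit is the first-packet decision: a plaintext client will not speak until it sees a banner, so the proxy has to wait briefly for unsolicited data before deciding. Whatever the timeout, the TLS client either sends its ClientHello immediately or nothing at all, so a short wait is enough in practice.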
In message <200912080332.nB83WKSo037049@aurora.sol.net>, Joe Greco writes:
IMHO there is no need for any sort of DNS redirection after user authentication has taken place.
It may be hazardous even before user authentication has taken place. Even given a very low TTL, client resolvers may cache answers returned during that initial authentication.
We of course redirect UDP/TCP 53 to one of our servers along with 80 (http), 443 (https), 8080 and 3128 (proxy) to the local hotspot *before* any authentication has occurred, but once this is completed the only reason any guest would use the local DNS server is if they were assigned a DHCP address.
Which, presumably, many/most of them are. Supplying a functional DNS server shouldn't be that difficult, but real world experience shows just how well some operators run these services.
As far as our Routerboard/Mikrotik setup works, it'll masquerade for any non-standard IP addresses that appear on the network (guests with static IPs assigned, corporate laptops etc.) but once again after the authentication stage anything is allowed to pass unhindered.
The only redirection that is used after authentication is for port 25 as 90% of users trying to send mail out via port 25 have no idea how to change their mail server, let alone why they might need to. It can be an issue as some systems use authentication on port 25.
Sounds like an opportunity for a custom proxy. Clients that can successfully authenticate to an external mailserver on 25 are probably by definition nonproblematic. The remainder probably deserve to get jammed through an aggressive spam, virus, and other-crap filter, with in-line notification of rejections. You can do some other sanity stuff like counting the number of hosts contacted by a client; anything in excess of a small number would seem to be a good indicator to stop.
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
This really should be a DHCP option which points to the authentication server using IP addresses. This should be returned to clients even if they don't request it. Web browsers could have a hot-spot button that retrieves this option then connects using the value returned. No need to compromise the DNS or intercept http.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
This really should be a DHCP option which points to the authentication server using IP addresses. This should be returned to clients even if they don't request it. Web browsers could have a hot-spot button that retrieves this option then connects using the value returned.
Unfortunately, that's not how DHCP works. If you send the client a DHCP option which the client has not requested, you have no idea if the client will use (or for that matter even *understand*) the option.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
In message <20091208.101453.74674743.sthaug@nethelp.no>, sthaug@nethelp.no writes:
This really should be a DHCP option which points to the authentication server using IP addresses. This should be returned to clients even if they don't request it. Web browsers could have a hot-spot button that retrieves this option then connects using the value returned.
Unfortunately, that's not how DHCP works. If you send the client a DHCP option which the client has not requested, you have no idea if the client will use (or for that matter even *understand*) the option.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
It can still parse and skip it from the DHCP response as every option contains its own length. Initially clients will ignore it but over time it will be supported on the client side. This is a much better way than intercepting DNS queries and returning responses that will just be ignored by validating and iterative resolvers. Something like http://1.2.3.4/terms.html or http://[2001::1]/terms.html doesn't require that everything be intercepted. Just block until acceptance.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
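The parse-and-skip argument above, as an added example that is not code from the thread or from any DHCP implementation: an options walker that steps over an option code it has never seen (using the length octet) next to a client that does understand a hypothetical "go here to authenticate" option. The option code 224, the addresses and the sample options field are all assumptions; no such DHCP option is actually assigned.

```python
"""Parse-and-skip handling of an unknown DHCP option (added example).

Every DHCP option after the magic cookie is code/length/value (PAD and END
excepted), so a client that predates a new option can step over it, while a
newer client can pick it out.  OPT_HOTSPOT_AUTH = 224 is a hypothetical
placeholder from the site-specific range; no such option is assigned.
"""
import ipaddress
from typing import Dict, Optional

MAGIC_COOKIE = bytes([99, 130, 83, 99])   # start of the options field (RFC 2132)
OPT_PAD, OPT_END = 0, 255                # single-octet options, no length field
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_HOTSPOT_AUTH = 224                   # hypothetical placeholder, site-specific range


def parse_options(field: bytes) -> Dict[int, bytes]:
    """Return {code: raw value} for every option in a DHCP options field.

    Unknown codes are kept rather than rejected: the length octet says where
    the next option starts, so nothing after an unknown option is lost.
    Repeated codes are concatenated (RFC 3396 long options).
    """
    if field[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts: Dict[int, bytes] = {}
    i = 4
    while i < len(field):
        code = field[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(field):
            raise ValueError("truncated option header at offset %d" % i)
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes, %d present" % (code, length, len(value)))
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def hotspot_auth_server(opts: Dict[int, bytes]) -> Optional[str]:
    """Newer client: address of the auth server, or None if absent or malformed.

    A 4-byte value is IPv4, a 16-byte value IPv6, so either URL form from the
    thread (http://1.2.3.4/... or http://[2001::1]/...) can be built from it.
    """
    raw = opts.get(OPT_HOTSPOT_AUTH)
    if raw is None:
        return None
    if len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    if len(raw) == 16:
        return str(ipaddress.IPv6Address(raw))
    return None


def legacy_client_view(opts: Dict[int, bytes]) -> Dict[int, bytes]:
    """Older client: keeps only the codes it understands; the rest were skipped harmlessly."""
    known = {OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS}
    return {code: v for code, v in opts.items() if code in known}


# Constructed options field: mask, router, two DNS servers, a PAD octet, the
# unsolicited hypothetical auth-server option, then END.  Addresses are made up.
SAMPLE_OPTIONS = (
    MAGIC_COOKIE
    + bytes([OPT_SUBNET_MASK, 4, 255, 255, 255, 0])
    + bytes([OPT_ROUTER, 4, 10, 0, 0, 1])
    + bytes([OPT_DNS, 8, 10, 0, 0, 53, 8, 8, 8, 8])
    + bytes([OPT_PAD])
    + bytes([OPT_HOTSPOT_AUTH, 4, 10, 0, 0, 80])
    + bytes([OPT_END])
)

if __name__ == "__main__":
    parsed = parse_options(SAMPLE_OPTIONS)
    print("hotspot-aware client sees auth server:", hotspot_auth_server(parsed))
    print("legacy client sees option codes:", sorted(legacy_client_view(parsed)))
```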
Sounds like a great idea in theory but would require OS support or a dual-hotspot setup that provided for both options until support was expected. Until such time it's simply unworkable. That and as mentioned in my previous post, the setup we have *just works* for users who don't have the permissions to change off of a static IP and use DHCP on their laptops. Andrew
This really should be a DHCP option which points to the authentication server using IP addresses. This should be returned to clients even if they don't request it. Web browsers could have a hot-spot button that retrieves this option then connects using the value returned.
No need to compromise the DNS or intercept http.
Mark
On Dec 8, 2009, at 1:18 AM, Andrew Cox wrote:
Sounds like a great idea in theory but would require OS support or a dual-hotspot setup that provided for both options until support was expected. Until such time it's simply unworkable.
That and as mentioned in my previous post, the setup we have *just works* for users who don't have the permissions to change off of a static IP and use DHCP on their laptops.
And it just breaks for those of us who actually expect "internet access" to mean access to the internet, not just the web. I make a habit of calling support and pushing the issue hard through multiple layers until I finally get a management denial, then, demand refunds of my connectivity charges every time I encounter this at a hotel. I figure that the reason you guys deploy what "just works" as you put it is because it lowers your support costs, so, I do what I can to increase the support costs of delivering a broken internet. I encourage others to do the same. Owen
Andrew
This really should be a DHCP option which points to the authentication server using IP addresses. This should be returned to clients even if they don't request it. Web browsers could have a hot-spot button that retrieves this option then connects using the value returned.
No need to compromise the DNS or intercept http.
Mark
Owen DeLong wrote:
On Dec 8, 2009, at 1:18 AM, Andrew Cox wrote:
Sounds like a great idea in theory but would require OS support or a dual-hotspot setup that provided for both options until support was expected. Until such time it's simply unworkable.
That and as mentioned in my previous post, the setup we have *just works* for users who don't have the permissions to change off of a static IP and use DHCP on their laptops.
And it just breaks for those of us who actually expect "internet access" to mean access to the internet, not just the web.
I never said that the *just works* method stopped users from being able to use the internet. In fact catching users with bad IP address settings works just as well as sending them a DHCP address.
I make a habit of calling support and pushing the issue hard through multiple layers until I finally get a management denial, then, demand refunds of my connectivity charges every time I encounter this at a hotel.
I figure that the reason you guys deploy what "just works" as you put it is because it lowers your support costs, so, I do what I can to increase the support costs of delivering a broken internet.
We're in no way in the business of providing half-baked services and likewise, I call up support for other providers if I end up with just web access.
I encourage others to do the same.
Owen
On Dec 8, 2009, at 7:25 AM, Andrew Cox wrote:
Owen DeLong wrote:
On Dec 8, 2009, at 1:18 AM, Andrew Cox wrote:
Sounds like a great idea in theory but would require OS support or a dual-hotspot setup that provided for both options until support was expected. Until such time it's simply unworkable.
That and as mentioned in my previous post, the setup we have *just works* for users who don't have the permissions to change off of a static IP and use DHCP on their laptops.
And it just breaks for those of us who actually expect "internet access" to mean access to the internet, not just the web.
I never said that the *just works* method stopped users from being able to use the internet. In fact catching users with bad IP address settings works just as well as sending them a DHCP address.
I expect my connections to my mail server to actually reach my mail server. I use TLS and SMTP AUTH as well as IMAP/SSL. Many of the "just works" settings in question break these things badly. Stop doing man in the middle attacks on my mail, or, expect me to be a support headache. It's just that simple.
I make a habit of calling support and pushing the issue hard through multiple layers until I finally get a management denial, then, demand refunds of my connectivity charges every time I encounter this at a hotel.
I figure that the reason you guys deploy what "just works" as you put it is because it lowers your support costs, so, I do what I can to increase the support costs of delivering a broken internet.
We're in no way in the business of providing half-baked services and likewise, I call up support for other providers if I end up with just web access.
Good... As long as you're not MITM my stuff, then, I won't be calling your support people. Perhaps I misunderstood your explanation of what you do to port 25 traffic that "just works". Owen
I encourage others to do the same.
Owen
Owen DeLong <owen@delong.com> writes:
I expect my connections to my mail server to actually reach my mail server. I use TLS and SMTP AUTH as well as IMAP/SSL. Many of the "just works" settings in question break these things badly.
One of my customers has an appliance for his WLAN guest access which filters out AAAA records. :-(
jens@bowmore:~$ dig AAAA www.quux.de @8.8.8.8 +short
jens@bowmore:~$
Jens
--
| Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 |
| http://www.quux.de | http://blog.quux.de | jabber: jenslink@guug.de |
On Dec 9, 2009, at 1:26 AM, Jens Link wrote:
Owen DeLong <owen@delong.com> writes:
I expect my connections to my mail server to actually reach my mail server. I use TLS and SMTP AUTH as well as IMAP/SSL. Many of the "just works" settings in question break these things badly.
One of my customers has an appliance for his WLAN guest access which filters out AAAA records. :-(
jens@bowmore:~$ dig AAAA www.quux.de @8.8.8.8 +short
jens@bowmore:~$
Wow... Yeah, that would definitely result in a lengthy conversation between their tech. support department and me. The ones that are even worse, though, are the ones that pass through AAAA and do RA/SLAAC advertisements, but, don't provide IPv6 connectivity. Oh, and, I stayed at one place that didn't pass TCP/53, so, they broke things like Blizzard authentication. Owen
On Wed, Dec 09, 2009 at 06:30:45AM -0800, Owen DeLong wrote:
On Dec 9, 2009, at 1:26 AM, Jens Link wrote:
Owen DeLong <owen@delong.com> writes:
I expect my connections to my mail server to actually reach my mail server. I use TLS and SMTP AUTH as well as IMAP/SSL. Many of the "just works" settings in question break these things badly.
One of my customers has an appliance for his WLAN guest access which filters out AAAA records. :-(
jens@bowmore:~$ dig AAAA www.quux.de @8.8.8.8 +short
jens@bowmore:~$
Wow... Yeah, that would definitely result in a lengthy conversation between their tech. support department and me.
The ones that are even worse, though, are the ones that pass through AAAA and do RA/SLAAC advertisements, but, don't provide IPv6 connectivity.
Owen
why do you presume the DNS service is in the same path as the TLS/SSL? a loose reading of these posts might give the gullible the impression that the IP datagrams between the source and the target pass through the DNS server... which we -KNOW- is false. --bill
Jens Link wrote:
Owen DeLong <owen@delong.com> writes:
I expect my connections to my mail server to actually reach my mail server. I use TLS and SMTP AUTH as well as IMAP/SSL. Many of the "just works" settings in question break these things badly.
One of my customers has an appliance for his WLAN guest access which filters out AAAA records. :-(
jens@bowmore:~$ dig AAAA www.quux.de @8.8.8.8 +short
jens@bowmore:~$
That, unfortunately, is not uncommon. Actually, it's one of the _less_ broken systems I've seen, since IPv4 presumably keeps working.
One major vendor of hotel guestnet equipment returns an A record for 0.0.0.1 if you do an ANY or AAAA query for any hostname--even ones that don't exist. At least with WinXP, you have to disable IPv6 just to get IPv4 to work! Worse, their tech support sees nothing wrong with this; if you disagree, all they'll do is offer a refund. Unfortunately, "take your money elsewhere" doesn't work when you've already paid for the hotel room--and they know it.
S
--
Stephen Sprunk    "God does not play dice." --Albert Einstein
CCIE #3723        "God is an inveterate gambler, and He throws the
K5SSS              dice at every possible opportunity." --Stephen Hawking
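A check for the two behaviours reported in this part of the thread (the filtered AAAA answers from Jens' dig and the 0.0.0.1 A record Stephen describes), as an added example rather than code from the thread or from any vendor's appliance: a small DNS reply parser that classifies raw replies. The replies, the documentation-prefix IPv6 address and the nonexistent.example name are constructed here so the check runs offline.

```python
"""Classify guest-network DNS replies for the breakage described above (added example).

Flags AAAA answers silently filtered (NOERROR with an empty answer section for
a name known to have one) and an A record for 0.0.0.1 handed back for AAAA or
ANY queries.  Replies are constructed locally; nothing is sent on the network.
"""
import struct

TYPE_A, TYPE_AAAA, TYPE_ANY = 1, 28, 255
BOGUS_A = bytes([0, 0, 0, 1])            # the 0.0.0.1 answer seen from the hotel appliance


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname: str, qtype: int, answers, rcode: int = 0) -> bytes:
    """Constructed reply: header, one question, answers using a pointer to the question name."""
    flags = 0x8180 | rcode               # QR=1, RD=1, RA=1
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    body = b""
    for rtype, rdata in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return hdr + question + body


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:             # compression pointer: continue elsewhere
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), end


def parse_response(msg: bytes):
    """Return (rcode, qname, qtype, [(name, rtype, rdata), ...]) for a one-question reply."""
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return flags & 0xF, qname, qtype, answers


def classify(msg: bytes, expect_aaaa: bool = True) -> str:
    """Label a reply: 'ok', 'bogus_a_0.0.0.1', 'a_for_aaaa', 'aaaa_filtered' or 'rcode_N'."""
    rcode, _qname, qtype, answers = parse_response(msg)
    if rcode != 0:
        return "rcode_%d" % rcode
    a_recs = [rd for _n, t, rd in answers if t == TYPE_A]
    aaaa_recs = [rd for _n, t, rd in answers if t == TYPE_AAAA]
    if qtype in (TYPE_AAAA, TYPE_ANY) and BOGUS_A in a_recs:
        return "bogus_a_0.0.0.1"
    if qtype == TYPE_AAAA:
        if a_recs:
            return "a_for_aaaa"          # wrong record type in the answer section
        if expect_aaaa and not aaaa_recs:
            return "aaaa_filtered"       # NOERROR, but the AAAA we know exists is gone
    return "ok"


# Constructed replies: a sane answer, the filtered case from the dig above,
# and the 0.0.0.1 case.  The IPv6 address is a made-up documentation-prefix value.
V6_SAMPLE = bytes.fromhex("20010db8000000000000000000000001")
GOOD_REPLY = build_response("www.quux.de", TYPE_AAAA, [(TYPE_AAAA, V6_SAMPLE)])
FILTERED_REPLY = build_response("www.quux.de", TYPE_AAAA, [])
BOGUS_REPLY = build_response("nonexistent.example", TYPE_AAAA, [(TYPE_A, BOGUS_A)])

if __name__ == "__main__":
    for label, reply in (("good", GOOD_REPLY), ("filtered", FILTERED_REPLY), ("bogus", BOGUS_REPLY)):
        print(label, "->", classify(reply))
```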
On Dec 9, 2009, at 10:41 AM, Stephen Sprunk wrote:
Jens Link wrote:
Owen DeLong <owen@delong.com> writes:
I expect my connections to my mail server to actually reach my mail server. I use TLS and SMTP AUTH as well as IMAP/SSL. Many of the "just works" settings in question break these things badly.
One of my customers has an appliance for his WLAN guest access which filters out AAAA records. :-(
jens@bowmore:~$ dig AAAA www.quux.de @8.8.8.8 +short
jens@bowmore:~$
That, unfortunately, is not uncommon. Actually, it's one of the _less_ broken systems I've seen, since IPv4 presumably keeps working.
One major vendor of hotel guestnet equipment returns an A record for 0.0.0.1 if you do an ANY or AAAA query for any hostname--even ones that don't exist. At least with WinXP, you have to disable IPv6 just to get IPv4 to work! Worse, their tech support sees nothing wrong with this; if you disagree, all they'll do is offer a refund. Unfortunately, "take your money elsewhere" doesn't work when you've already paid for the hotel room--and they know it.
I've actually extracted significant rebates from Hotels where their internet was provably broken, and, their third-party provider would not resolve the issue. More than just a refund of the IP fees. In one case, 1/2 the cost of my multi-night stay. Owen
In message <200912080332.nB83WKSo037049@aurora.sol.net>, Joe Greco writes:
IMHO there is no need for any sort of DNS redirection after user authentication has taken place.
It may be hazardous even before user authentication has taken place. Even given a very low TTL, client resolvers may cache answers returned during that initial authentication.
We of course redirect UDP/TCP 53 to one of our servers along with 80 (http), 443 (https), 8080 and 3128 (proxy) to the local hotspot *before* any authentication has occurred, but once this is completed the only reason any guest would use the local DNS server is if they were assigned a DHCP address.
Which, presumably, many/most of them are. Supplying a functional DNS server shouldn't be that difficult, but real world experience shows just how well some operators run these services.
As far as our Routerboard/Mikrotik setup works, it'll masquerade for any non-standard IP addresses that appear on the network (guests with static IPs assigned, corporate laptops etc.) but once again after the authentication stage anything is allowed to pass unhindered.
The only redirection that is used after authentication is for port 25 as 90% of users trying to send mail out via port 25 have no idea how to change their mail server, let alone why they might need to. It can be an issue as some systems use authentication on port 25.
Sounds like an opportunity for a custom proxy. Clients that can successfully authenticate to an external mailserver on 25 are probably by definition nonproblematic. The remainder probably deserve to get jammed through an aggressive spam, virus, and other-crap filter, with in-line notification of rejections. You can do some other sanity stuff like counting the number of hosts contacted by a client; anything in excess of a small number would seem to be a good indicator to stop.
This really should be a DHCP option which points to the authentication server using IP addresses. This should be returned to clients even if they don't request it. Web browsers could have a hot-spot button that retrieves this option then connects using the value returned.
No need to compromise the DNS or intercept http.
But that doesn't change the fact that there's a need; it's a part of the flawed design of the various components, because this problem wasn't envisioned and solved and now we have a mess. Even the hotspot vendors cannot agree on a unified way to do things; this means that each network you try to connect to will implement its own set of unique brokenness, ranging from requirements for a particular OS/browser, use of reserved/allocated IP spaces for stupid reasons (hi, 1.1.1.1!), various DNS/HTTP attempts at redirection, blocking, etc.
I know what you're saying, but seriously, haven't we just repeated all the same mistakes in IPv6? And of course it'd be a nightmare to cover all the edge cases, this is why nobody tries to figure it out, so in the end we end up with many really cruddy hatchet jobs.
Why would "web browsers" have a hot-spot button? What if I want to just use ssh? And where's the web browser on my VoIP telephony adapter, etc? :-)
It's gotta be difficult for the hotspot networks. Even at&t can't seem to make it all work right even when they control both sides; I've seen iPhones just hang when connecting to attwifi (and I can say I've seen it not work in some way maybe even more often than I've seen it actually work). At least the iPhone seems to have some built-in support for this sort of thing. (Anybody know anything more about that?)
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Yeah the iPhone changes were a bit of a pain, we had to build a second iPhone specific version of our login page because the iPhone "auto-login" feature won't allow more than 1 page to be loaded. We would normally redirect users to the page they've originally requested after they click the login button as well as opening a status popup for them to logout and keep track of usage. Not on the iPhone though, they're using a cut-down Safari browser that won't allow more than 1 tab to load and worst of all, if you close off the page it simply disconnects from the wireless network. Andrew
It's gotta be difficult for the hotspot networks. Even at&t can't seem to make it all work right even when they control both sides; I've seen iPhones just hang when connecting to attwifi (and I can say I've seen it not work in some way maybe even more often than I've seen it actually work). At least the iPhone seems to have some built-in support for this sort of thing. (Anybody know anything more about that?)
... JG
In message <200912080939.nB89dIXn090157@aurora.sol.net>, Joe Greco writes:
In message <200912080332.nB83WKSo037049@aurora.sol.net>, Joe Greco writes:
IMHO there is no need for any sort of DNS redirection after user authentication has taken place.
It may be hazardous even before user authentication has taken place. Even given a very low TTL, client resolvers may cache answers returned during that initial authentication.
We of course redirect UDP/TCP 53 to one of our servers along with 80 (http), 443 (https), 8080 and 3128 (proxy) to the local hotspot *before* any authentication has occurred, but once this is completed the only reason any guest would use the local DNS server is if they were assigned a DHCP address.
Which, presumably, many/most of them are. Supplying a functional DNS server shouldn't be that difficult, but real world experience shows just how well some operators run these services.
As far as our Routerboard/Mikrotik setup works, it'll masquerade for any non-standard IP addresses that appear on the network (guests with static IPs assigned, corporate laptops etc.) but once again after the authentication stage anything is allowed to pass unhindered.
The only redirection that is used after authentication is for port 25 as 90% of users trying to send mail out via port 25 have no idea how to change their mail server, let alone why they might need to. It can be an issue as some systems use authentication on port 25.
Sounds like an opportunity for a custom proxy. Clients that can successfully authenticate to an external mailserver on 25 are probably by definition nonproblematic. The remainder probably deserve to get jammed through an aggressive spam, virus, and other-crap filter, with in-line notification of rejections. You can do some other sanity stuff like counting the number of hosts contacted by a client; anything in excess of a small number would seem to be a good indicator to stop.
This really should be a DHCP option which points to the authentication server using IP addresses. This should be returned to clients even if they don't request it. Web browsers could have a hot-spot button that retrieves this option then connects using the value returned.
No need to compromise the DNS or intercept http.
But that doesn't change the fact that there's a need; it's a part of the flawed design of the various components, because this problem wasn't envisioned and solved and now we have a mess. Even the hotspot vendors cannot agree on a unified way to do things; this means that each network you try to connect to will implement its own set of unique brokenness, ranging from requirements for a particular OS/browser, use of reserved/allocated IP spaces for stupid reasons (hi, 1.1.1.1!), various DNS/HTTP attempts at redirection, blocking, etc.
I know what you're saying, but seriously, haven't we just repeated all the same mistakes in IPv6? And of course it'd be a nightmare to cover all the edge cases, this is why nobody tries to figure it out, so in the end we end up with many really cruddy hatchet jobs.
Why would "web browsers" have a hot-spot button?
Because that would be an easy way to implement this sort of thing. You could have a command line tool or a separate widget that launched the browser.
What if I want to just use ssh?
You still need to authenticate. It's better if we can reduce the amount of collateral damage required to authenticate. The interception is being done today because there is no standard way to say "go here to authenticate" and the hotspot provider has to do a man in the middle attack to get you to the authentication page.
And where's the web browser on my VoIP telephony adapter, etc? :-)
Does your VoIP telephony adapter work today in hotspots that require authentication? It isn't that hard to build in a display. Having a DHCP option is better than the mess we have now. To go further requires agreement on how to present terms, pricing etc. in a standardised way.
It's gotta be difficult for the hotspot networks. Even at&t can't seem to make it all work right even when they control both sides; I've seen iPhones just hang when connecting to attwifi (and I can say I've seen it not work in some way maybe even more often than I've seen it actually work). At least the iPhone seems to have some built-in support for this sort of thing. (Anybody know anything more about that?)
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
In a message written on Wed, Dec 09, 2009 at 01:52:49AM +1100, Mark Andrews wrote:
What if I want to just use ssh?
You still need to authenticate. It's better if we can reduce the amount of collateral damage required to authenticate. The interception is being done today because there is no standard way to say "go here to authenticate" and the hotspot provider has to do a man in the middle attack to get you to the authentication page.
Most of the hotels I have used don't actually require authentication. They require a click through indemnification agreement. No username, no password, no room number, just a "click here to accept our terms and conditions".
I would much prefer this be added to the check-in process. I already have to sign a contract with the hotel to check in, it should cover use of the WiFi as well. Then there is no need for a click through agreement.
If there is need for authentication at that point (I am the one who signed the front desk agreement) then using 802.1x authentication would be the right answer. If I could do it with an OpenID, or other "public" account by providing the account name when I sign the paper at the front desk then I could have all of my devices always on, in a standard way, and never see these stupid pages.
Imagine, you make a reservation online for a hotel, you use an ID which is the same as your e-mail so it auto-populates on the online form. When you check in you sign the T&C's, and your devices authenticate with 802.1x, which you just leave configured, since you're always using the same ID. No more MITM, all standards based.
--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Leo Bicknell wrote:
Most of the hotels I have used don't actually require authentication. They require a click through indemnification agreement. No username, no password, no room number, just a "click here to accept our terms and conditions".
I would much prefer this be added to the check-in process. I already have to sign a contract with the hotel to check in, it should cover use of the WiFi as well. Then there is no need for a click through agreement.
Yes there is; if they have wireless then the radio waves don't discriminate between guest and non-guest and could be picked up by someone who didn't sign the check-in paperwork. ~Seth
On 2009-12-08, at 14:52, Mark Andrews wrote:
Why would "web browsers" have a hot-spot button?
Because that would be a easy way to implement this sort of thing.
I once thought that PANA was the clean answer to this. Now the PANA effort has concluded, and documents have been published, but reading through them I can't tell whether PANA is in fact any kind of answer to this. RFC 4058, RFC 5191. It'd be nice if there was a hotspot authentication solution buried in there, somewhere.
Joe
Begin forwarded message:
From: IESG Secretary <iesg-secretary@ietf.org>
Date: 4 December 2009 21:30:03 GMT
To: ietf-announce@ietf.org
Cc: pana@ietf.org, basavaraj.patil@nokia.com
Subject: WG Action: Conclusion of Protocol for carrying Authentication for Network Access (pana)
list-id: "IETF announcement list. No discussions." <ietf-announce.ietf.org>
The Protocol for carrying Authentication for Network Access (pana) working group in the Internet Area has concluded.
The IESG contact persons are Jari Arkko and Ralph Droms.
The mailing list will remain active.
This working group is closed after successfully completing its chartered work. The mailing list will be kept open for possible questions and discussions around PANA. In addition, several remaining documents about PANA extensions have been submitted for the individual submission process. The documents will be progressed as soon as their necessary revisions become available.
The ADs would like to thank everyone who has been involved in the PANA specification work, the chairs, Mark Townsley who was the responsible AD when the PANA base documents were published, and various reviewers who helped greatly improve the PANA specifications.
_______________________________________________
IETF-Announce mailing list
IETF-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-announce
On Tue, 8 Dec 2009, Joe Abley wrote:
I once thought that PANA was the clean answer to this. Now the PANA effort has concluded, and documents have been published, but reading through them I can't tell whether PANA is in fact any kind of answer to this. It'd be nice if there was a hotspot authentication solution buried in there, somewhere.
I know nothing about PANA except that the abstract of RFC 4058 says it's a generalized replacement for link-layer authentication protocols such as 802.1x. But 802.1x wifi authentication works today - see for example http://www.eduroam.org/ - though the setup effort is only worth it if you are going to be using the authenticated network(s) a lot.
Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS. MODERATE OR GOOD.
On Wed, 9 Dec 2009, Mark Andrews wrote:
Having a DHCP option is better than the mess we have now. To go further requires agreement on how to present terms, pricing etc. in a standardised way.
I hate to sound like a broken record, but PPPOE has had that option for a decade. Major operating system vendors never implemented that PPPOE option. It wasn't an accidental omission by one major vendor. In the mean time, i.e. for the last 10 years, hotspot/guestnets have come up with interesting kludges to work around the lack of support in major operating systems and applications. If you get something that works better and works for 90%+ of the potential market in less than 10 years, people will beat a path to your door. Some vendors have 802.1x clients which handle things fairly well, in my opinion much better than another DHCP kludge (UDP protocol needing its own protection before causing your computer to run something); but anything requiring your customers to install special software seems to limit your potential market to a few percent.
I know what you're saying, but seriously, haven't we just repeated all the same mistakes in IPv6? And of course it'd be a nightmare to cover all the edge cases, this is why nobody tries to figure it out, so in the end we end up with many really cruddy hatchet jobs.
Not exactly.... With IPv6, RA/SLAAC is nearly instantaneous, unlike DHCP. This is both good and bad. For this purpose, it happens to be good...
1. Have your authentication server running on a host that will accept connections to _ANY_ address.
2. Have your router send RA/SLAAC for your authentication network to unauthenticated machines such that their default gateway is an address that lands them on the authentication server.
3. Once they're authenticated, send them real RA/SLAAC.
4. No need to hork DNS, and, the web page you faked at first can work just fine after they log in, even if they cached the DNS information because you gave them the legitimate address.
Why would "web browsers" have a hot-spot button? What if I want to just use ssh? And where's the web browser on my VoIP telephony adapter, etc? :-)
Almost all of these systems require you to call support to get a MAC authentication Exception if you don't have a web browser on your device. Most of them grant exceptions on a not to exceed 30 day basis, too.
It's gotta be difficult for the hotspot networks. Even at&t can't seem to make it all work right even when they control both sides; I've seen iPhones just hang when connecting to attwifi (and I can say I've seen it not work in some way maybe even more often than I've seen it actually work). At least the iPhone seems to have some built-in support for this sort of thing. (Anybody know anything more about that?)
Yep... Then there are the airports where there seems to be a spanning tree delay between getting associated with the hotspot and being able to get a DHCP address. (I've only encountered this behavior at a few US airports, never on a hotel network). Owen
Owen DeLong wrote:
Almost all of these systems require you to call support to get a MAC authentication Exception if you don't have a web browser on your device. Most of them grant exceptions on a not to exceed 30 day basis, too.
Alternatively it's possible to offer both web-based and PPPoE authentication options from the same port. Allows users to connect Xboxes, PS3s, VoIP phones, wireless routers. All without the need for the web auth. For us, it's about giving the end user the choice and making the connection as seamless and simple as possible. If that means for some users there's magic going on in the background that they don't know or understand then so be it, that's just another part of the service we're providing.
On 12/07/2009 09:39 PM, Mark Andrews wrote:
This really should be a DHCP option which points to the authentication server using IP addresses. This should be returned to clients even if they don't request it. Web browsers could have a hot-spot button that retrieves this option then connects using the value returned.
No need to compromise the DNS or intercept http.
A DHCP option that ultimately charges my credit card? ::shudder:: Mike
On Dec 7, 2009, at 6:00 PM, Jared Mauch wrote:
On Dec 7, 2009, at 5:29 PM, John Levine wrote:
Will be interesting to see if ISPs respond to a large scale thing like this taking hold by blocking UDP/TCP 53 like many now do with tcp/25 (albeit for other reasons). Therein lies the problem with some of the "net neutrality" arguments .. there's a big difference between "doing it because it causes a problem for others", and "doing it because it robs me of revenue opportunities".
I do hear of ISPs blocking requests to random offsite DNS servers. For most consumer PCs, that's more likely to be a zombie doing DNS hijacking than anything legitimate. If they happen also to block 8.8.8.8 that's just an incidental side benefit.
I've found more and more hotel/edge networks blocking/capturing this traffic.
The biggest problem is they tend to break things horribly and fail things like the OARC entropy test.
They will often also return REFUSED (randomly) to valid well formed DNS queries.
While I support the capturing of malware compromised machines until they are repaired, I do think more intelligence needs to be applied when directing these systems.
Internet access in a hotel does not mean just UDP/53 to their selected hosts plus TCP/80, TCP/443.
It's why I run an ssh server on 443 somewhere -- and as needed, I ssh-tunnel http to a squid proxy, smtp, and as many IMAP/SSL connections as I really need... --Steve Bellovin, http://www.cs.columbia.edu/~smb
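Jared's two symptoms above, REFUSED answers to well-formed queries and a failed OARC entropy test, can both be spotted from a client-side log of what the resolver path did to your queries. The following is an added example, not code from anyone in this thread; it runs offline over constructed samples, and its thresholds are assumptions for illustration, not OARC's published grading.

```python
"""Offline check of a resolver path for the hotel-gateway symptoms described
in the thread: random REFUSED answers and non-random source ports / TXIDs.
All samples are constructed inline; nothing is sent on the network."""
import math
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsExchange:
    """One query/response pair as a stub resolver might log it (constructed)."""
    qname: str
    src_port: int   # UDP source port the query left with
    txid: int       # 16-bit DNS transaction ID
    rcode: str      # response code the client received back


def shannon_bits(values):
    """Shannon entropy, in bits, of the observed distribution of `values`."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def sequential_fraction(values):
    """Fraction of successive samples that differ by exactly +1.

    An allocator that hands out ports or TXIDs in order scores full Shannon
    entropy (every value distinct) yet is trivially predictable, so entropy
    alone is not a sufficient test."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1)


def assess_path(exchanges, min_bits=6.0, max_sequential=0.2, max_refused=0.05):
    """Summarise what the resolver path did to our queries.

    Thresholds are assumptions for this example. With n samples the best
    achievable Shannon score is log2(n), so `min_bits` is relative to n."""
    ports = [e.src_port for e in exchanges]
    txids = [e.txid for e in exchanges]
    refused = sum(1 for e in exchanges if e.rcode == "REFUSED") / len(exchanges)
    port_bits, txid_bits = shannon_bits(ports), shannon_bits(txids)
    port_seq, txid_seq = sequential_fraction(ports), sequential_fraction(txids)
    problems = []
    if port_bits < min_bits or port_seq > max_sequential:
        problems.append("source ports not random (NAT/proxy in the path?)")
    if txid_bits < min_bits or txid_seq > max_sequential:
        problems.append("transaction IDs not random")
    if refused > max_refused:
        problems.append("REFUSED to well-formed queries")
    return {
        "port_bits": round(port_bits, 2),
        "txid_bits": round(txid_bits, 2),
        "sequential_ports": round(port_seq, 2),
        "refused_rate": round(refused, 3),
        "problems": problems,
    }


def sample_exchanges(kind, n=256, seed=7):
    """Constructed samples. 'clean' behaves like a modern stub resolver;
    'captured' models a gateway that funnels every query through one source
    port, numbers TXIDs sequentially and refuses a share of them."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        qname = f"q{i}.example.net."   # placeholder names, constructed
        if kind == "clean":
            out.append(DnsExchange(qname, rng.randrange(1024, 65536),
                                   rng.randrange(65536), "NOERROR"))
        else:
            rcode = "REFUSED" if rng.random() < 0.15 else "NOERROR"
            out.append(DnsExchange(qname, 5353, 1000 + i, rcode))
    return out


if __name__ == "__main__":
    for kind in ("clean", "captured"):
        print(kind, assess_path(sample_exchanges(kind)))
```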
On Mon, Dec 07, 2009 at 09:48:25PM -0500, Steven Bellovin wrote:
It's why I run an ssh server on 443 somewhere -- and as needed, I ssh-tunnel http to a squid proxy, smtp, and as many IMAP/SSL connections as I really need...
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ me too, as well as on port 80
--Steve Bellovin, http://www.cs.columbia.edu/~smb
-- -=[L]=- Our core competencies are office moves and vocabulary.
On Dec 7, 2009, at 10:18 PM, Lou Katz wrote:
On Mon, Dec 07, 2009 at 09:48:25PM -0500, Steven Bellovin wrote:
It's why I run an ssh server on 443 somewhere -- and as needed, I ssh-tunnel http to a squid proxy, smtp, and as many IMAP/SSL connections as I really need...
Also handy to set up an SSH tunnel. That works for almost everything else. J
It's why I run an ssh server on 443 somewhere -- and as needed, I ssh-tunnel http to a squid proxy, smtp, and as many IMAP/SSL connections as I really need...
Same here. It's the most reliable way to break out of a hotel jail. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor "More Wiener schnitzel, please", said Tom, revealingly.
On Dec 7, 2009, at 10:35 PM, John R. Levine wrote:
It's why I run an ssh server on 443 somewhere -- and as needed, I ssh-tunnel http to a squid proxy, smtp, and as many IMAP/SSL connections as I really need...
Same here. It's the most reliable way to break out of a hotel jail.
Funny enough, I happen to be staying at a Marriott this week, where apparently I can't do ANYTHING on this network (my iChat client won't even connect!). Just so happens that I brought my Xbox360 this week and plugged it into the TV to get some Modern Warfare 2 on, and of course, THAT wasn't going to work on the network either right? Right. So, I broke out my Mifi (from Verizon). Connected my xbox360 to my mifi and played some Call of Duty. No lag. Okay, I feel better, done ranting against stayonline and guestnet. J
Juniper SSL VPN FTW! On Dec 7, 2009, at 9:48 PM, Steven Bellovin wrote:
It's why I run an ssh server on 443 somewhere -- and as needed, I ssh-tunnel http to a squid proxy, smtp, and as many IMAP/SSL connections as I really need...
Steven Bellovin <smb@cs.columbia.edu> writes:
It's why I run an ssh server on 443 somewhere -- and as needed, I ssh-tunnel http to a squid proxy, smtp, and as many IMAP/SSL connections as I really need...
me too, more or less. but steve, if we were only trying to build digital infrastructure for people who know how to do that, then we'd all still be using Usenet over modems. we're trying to build digital infrastructure for all of humanity, and that means stuff like the above has to be unnecessary. -- Paul Vixie KI6YSY
On Dec 8, 2009, at 11:59 AM, Paul Vixie wrote:
me too, more or less. but steve, if we were only trying to build digital infrastructure for people who know how to do that, then we'd all still be using Usenet over modems. we're trying to build digital infrastructure for all of humanity, and that means stuff like the above has to be unnecessary.
Right -- which means that we need a *good* solution. "Good" has to encompass not just technical cleanliness, but also operational reality, which includes things like slow software update rates -- both on clients and the hotel infrastructures -- and the very wide variety of client platforms out there.

The problems we're talking about, though, are both competence and policy. There's no intrinsic reason why hotels have to block some ports, especially given that many others do not. They've chosen to, for whatever misguided reason.

(Aside: my local library blocks everything but 80 and 443 outbound. I complained to the director; he cited "security". I tried explaining that I knew something about Internet security; he told me that the firm that had installed the system had "done most of the libraries in the county". I translate that as "most of the libraries in the county have broken security policies".)

And competence? Again, we've all seen many different ways certain things are done. I once had to boot into Windows to get a lease because NetBSD just wouldn't deal with the broken DNS packets necessary for the sign-up procedure. After that, I rebooted into NetBSD and configured a static address and route.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
(Aside: my local library blocks everything but 80 and 443 outbound. I complained to the director; he cited "security". I tried explaining that I knew something about Internet security; he told me that the firm that had installed the system had "done most of the libraries in the county". I translate that as "most of the libraries in the county have broken security policies".)
Among the many wonderful things Internet has created in the past 2+ decades, it gave birth to a countless number of "Internet Experts" ... Perhaps a more organized/focused discussion may help kick off an IETF WG to identify and document the problems/needs/requirements and an informational RFC/BCP can be produced, then the "experts" will know that for better security and reliability they don't need to mutilate internet protocols or dismember the Internet. My .02 Jorge
On 12/08/2009 01:21 PM, Jorge Amodio wrote:
Perhaps a more organized/focused discussion may help kick off an IETF WG to identify and document the problems/needs/requirements and an informational RFC/BCP can be produced, then the "experts" will know that for better security and reliability they don't need to mutilate internet protocols or dismember the Internet.
I'm skeptical to the extreme that IETF can do anything particularly useful here. It's not like there's a lack of protocols -- AAA, tunneling, etc -- that could be bastardized to make some sort of client-side doohickey, or frob on the side something else instead of requiring html, style sheets, and human eyeballs. Were there some sort of groundswell of such bastardized hacks, then maybe. Mike
Date: Tue, 8 Dec 2009 15:21:30 -0600 From: Jorge Amodio <jmamodio@gmail.com>
Among the many wonderful things Internet has created in the past 2+ decades, it gave birth to a countless number of "Internet Experts" ...
for example, some of us got a chance to witness the following. i've removed all identifying marks. (i was NOT the author NOR the offender, but the author does read this mailing list, and several of you will no doubt recognize the flaming style once you consider the time/date stamp.)

------- Forwarded Message
To: ...
Subject: Re: verbal brickbats
Date: Sun, 02 Jun 96 23:37:40 PDT
From: ...

My guess is that most people just ignore you. Which might be a shame, because your point of view is different enough from the average member of the list that you are valuable here just by being different. I think of you as a pompous egomaniac nut case, but that's just my opinion; I have no Greek or Latin quotations to back it up and no 5-point treatise about how some part of scripture says you're a bad person. It's just what I believe, based entirely on what you've said here.

In your world you're a fancy professor with power and authority. You're probably the intellectual terror of [your] postal code. Here in my world of cyberspace you're just an arrogant twit who knows Greek. If you want to spend your time making impassioned arguments to the people who already agree with you, then just keep doing what you're doing. If your goal is to change somebody's mind about one of the topics that you address, then you need to learn both some manners and some rhetorical technique. If you want to teach somebody, to expand somebody's understanding, to increase the number of people in the world who agree with you, then please listen to me, because here in cyberspace I'm the guy with the power and experience and authority and you're just an insect. ...

Let me give you a few pointers on being taken more seriously.

* First, you have the habit of making arguments from authority, rather than as an individual. Sometimes it is important to establish your authority in some area, in much the same way that an expert witness in a courtroom establishes his credibility and authority on the topic for which he is to testify. You may think of yourself as an authority on the matters that you are expounding on, but we don't yet. Your academic pedigree and your quotations from ancient languages are just bluster here on the Internet. The general principle here in cyberspace is that we participate as individuals and not as representatives of authoritative bodies. You can earn the right to wield the authority of some body on whose behalf you speak, but you don't walk in our door holding that authority just because you are B.A., M.A., Ph.D. and have a white beard.

[...]

If your goal in writing to the Internet is to change somebody's mind about some topic that you care about, then you really must learn to communicate in a very different style.

* Second, you are constantly trying to impress us with how much better educated you are than we are. This might be related to the first item, above, since if you're going to be arguing from authority then you probably need to keep establishing that you have some authority. I think you'll find that this is a pretty highly educated crowd, but you don't catch us relying on our academic pedigrees instead of on our ability to communicate. I am quite certain that I have absolutely as many degrees as you do, and I am completely certain that I know many more obscure languages than you do, but if I can't win an argument with you based on what I say and how I say it, then my degrees are all just puffery, aren't they?

But in establishing a precedent of authority and pedigree as the basis for power, you are treading on dangerous ground. Here in cyberspace you aren't in your world, you're in mine. If you make the mistake of trying to establish some ground rules in which argument by authority is the norm, then you'd better make sure that you don't ruffle the feathers of somebody who has more of it than you do. I can make the Internet do anything I want it to do. I can perform the digital equivalent of heaving lightning bolts in front of your chariot, and rending the earth beneath your mail reader. I can turn your hard disk into a toad. I'm a technocrat. But I won't, because we professionals don't act that way. I don't have to brandish my power and authority and education and knowledge of arcana in order to get people to listen to me. I try to make a crisp argument and let my words carry that argument. If I fail, then I don't go running for some Greek derivation or invoke some long-dead philosopher. Heck, I don't even go running for analogies from Clint Eastwood's "Unforgiven", which is every bit as fine a piece of literature as Aristophanes.

* Third, you convey a complete disdain for your reader. Your writing style reeks of the belief that your time is so much more important than the time of your reader that you can't be bothered to write correctly or to edit what you write. If you'd like to have more readers, then it would be very worthwhile for you to be more respectful of them. Among other things, this means that you need to write in a way that makes it easier for your reader to read: use real sentences with real capital letters at the beginnings of them, and do try to spell as many words right as you can muster.

So mind your manners, learn to communicate better, stop insulting your readers, and then come back and contribute your intellect to [this] mailing list. If you keep acting like a jerk I'm going to wake up some morning, yawn, make a cup of tea, and then vaporize your mailbox. Sometimes we supremely powerful technocrats just have a bad day.
------- End of Forwarded Message
On Tue, Dec 8, 2009 at 4:52 PM, Paul Vixie <vixie@isc.org> wrote:
for example, some of us got a chance to witness the following. i've removed all identifying marks. (i was NOT the author NOR the offender, but the author does read this mailing list, and several of you will no doubt recognize the flaming style once you consider the time/date stamp.)
This is a great email, it belongs on countless blogs. Written back then, still relevant now. J -- Joel Esler | 302-223-5974 | gtalk: jesler@sourcefire.com
Did you assume that I was insulting Steve? Not at all, and apologies Steve if my comments were interpreted that way. When I said "Internet Experts" I was referring to the ones that set up the network on his county library. I agree 100% with Steve that we need a Good solution, both technical and operational, that's why I was suggesting that perhaps an IETF WG or whatever framework people believe may work could help identify the problem, requirements and line up potential solutions. BTW I already shaved my beard and it was not white ... ;-) Regards Jorge
All I can say to that is this: [Greek quotation lost to encoding] ;-) -- Leigh Porter UK Broadband -----Original Message----- From: Paul Vixie [mailto:vixie@isc.org] Sent: Tue 12/8/2009 9:52 PM To: nanog@merit.edu Subject: Re: Breaking the internet (hotels, guestnet style)
Google has got a lot of data centers around the world, but the DNS servers are located in some of these. There is the list of data centers with DNS servers:
- USA, Atlanta
- USA, Reston, VA
- USA, Seattle
- USA, California
- Brazil, Sao Paulo
- Taiwan, Taipei City
- Germany, Frankfurt/Main
- Netherlands, Groningen
- Ireland, Dublin
- United Kingdom, London
(anywhere else?)
Here you can check ping distance to 8.8.8.8 from the servers all over the world: http://www.wipmania.com/ping/cache/8.8.8.8/?c=f4335d8443172
Regards, Alex
2009/12/3 Eduardo A. Suárez <esuarez@fcaglp.fcaglp.unlp.edu.ar>