You are brave indeed to trust your packets over the air without a VPN or tunnel of some sort.

While it sounds like Sprint is doing something, for lack of a better word, lame, you would be well advised to not trust your packets to the built-in cell encryption (obfuscation).

- S

-----Original Message-----
From: Robert E. Seastrom <rs@seastrom.com>
Sent: Thursday, May 14, 2009 10:50
To: nanog@nanog.org <nanog@nanog.org>
Subject: another brick in the wall[ed garden]

Dear Sprint EVDO people,

Your man-in-the-middle hijacking of UDP/53 DNS queries against nameservers that I choose to query from my laptop on Sprint EVDO is not appreciated. Even less appreciated is your complete blocking of TCP/53 DNS queries.

Queries from my lab:

rs@click [14] % dig +short @192.148.252.10 version.bind. chaos txt
"Just send your damn query already..."
rs@click [15] % dig +tcp +short @192.148.252.10 version.bind. chaos txt
"Just send your damn query already..."
rs@click [16] % dig +tcp +short @192.148.252.10 hostname.bind. chaos txt
"bifrost"
rs@click [17] %

Queries from my laptop:

Superfly:~ rs$ dig +short @192.148.252.10 version.bind. chaos txt
"9.6.0-P1"
Superfly:~ rs$ dig +tcp +short @192.148.252.10 version.bind. chaos txt
;; connection timed out; no servers could be reached
Superfly:~ rs$ dig +tcp +short @192.148.252.10 hostname.bind. chaos txt
"ns1-kscymar06.spcsdns.net"
Superfly:~ rs$

Guys, I send you money each month to deliver packets for me, not to invent new ways of being annoying (and breaking TSIG signed updates to dynamic DNS). Less is more. Please stop dinking with 10-minute-idle TCP sessions (which I complained about a year and a half ago) and knock it off with offering DNS service that I did not ask for.

Sincerely,

Your Disgruntled Customer, RS

PS: No, I don't expect that this open letter will get you to fix the misbehavior, but if some Swedish guy comes along swinging a clue-bat at you guys I hope he whacks you a couple of times for me.
Well said; if you can't build it, don't trust it.

Andrew (top posted as per previous convention)

Skywing wrote:
You are brave indeed to trust your packets over the air without a VPN or tunnel of some sort.
While it sounds like Sprint is doing something, for lack of a better word, lame, you would be well advised to not trust your packets to the built-in cell encryption (obfuscation).
- S
-----Original Message----- From: Robert E. Seastrom <rs@seastrom.com> Sent: Thursday, May 14, 2009 10:50 To: nanog@nanog.org <nanog@nanog.org> Subject: another brick in the wall[ed garden]
Dear Sprint EVDO people,
Your man-in-the-middle hijacking of UDP/53 DNS queries against nameservers that I choose to query from my laptop on Sprint EVDO is not appreciated. Even less appreciated is your complete blocking of TCP/53 DNS queries.
Queries from my lab:
rs@click [14] % dig +short @192.148.252.10 version.bind. chaos txt
"Just send your damn query already..."
rs@click [15] % dig +tcp +short @192.148.252.10 version.bind. chaos txt
"Just send your damn query already..."
rs@click [16] % dig +tcp +short @192.148.252.10 hostname.bind. chaos txt
"bifrost"
rs@click [17] %
Queries from my laptop:
Superfly:~ rs$ dig +short @192.148.252.10 version.bind. chaos txt
"9.6.0-P1"
Superfly:~ rs$ dig +tcp +short @192.148.252.10 version.bind. chaos txt
;; connection timed out; no servers could be reached
Superfly:~ rs$ dig +tcp +short @192.148.252.10 hostname.bind. chaos txt
"ns1-kscymar06.spcsdns.net"
Superfly:~ rs$
Guys, I send you money each month to deliver packets for me, not to invent new ways of being annoying (and breaking TSIG signed updates to dynamic DNS). Less is more. Please stop dinking with 10-minute-idle TCP sessions (which I complained about a year and a half ago) and knock it off with offering DNS service that I did not ask for.
Sincerely,
Your Disgruntled Customer, RS
PS: No, I don't expect that this open letter will get you to fix the misbehavior, but if some Swedish guy comes along swinging a clue-bat at you guys I hope he whacks you a couple of times for me.
Skywing <Skywing@valhallalegends.com> writes:
You are brave indeed to trust your packets over the air without a VPN or tunnel of some sort.
TSIG is like IPSEC's AH but for DNS. Being untrusting is how I managed to find out about these shenanigans in the first place. I don't care particularly about hiding the payload on a DNS query. -r
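The version.bind / hostname.bind comparison in the original letter, as an added example that is not code from any participant in this thread: a small Python script that builds the CHAOS-class TXT queries by hand, sends them over UDP and TCP to a server you control, and flags any answer that differs from the baseline you recorded from inside your own network (a transparent resolver answers with its own BIND version string; a blocked TCP/53 shows up as a timeout). The baseline strings and the laptop-side answers in run_demo() are taken from the letter's transcript; build_txt_response() is an offline test helper that fabricates a reply, and the fixed transaction id is an assumption for readability only.

```python
"""Check for transparent DNS interception the way the letter above does:
query a server you control for CHAOS-class TXT records over UDP and TCP
and compare the answers with what that server is known to return."""
import socket
import struct
from typing import Dict, List, Optional

CHAOS, TXT = 3, 16
TXID = 0x1234  # fixed here for readability (assumption); use a random id on a live link


def build_query(qname: str, txid: int = TXID) -> bytes:
    """Wire-format query for <qname> TXT CH with RD=0 (CHAOS queries are non-recursive)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + name + b"\x00" + struct.pack("!HH", TXT, CHAOS)


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n


def parse_txt_answers(msg: bytes, txid: int = TXID) -> List[str]:
    """Return the CHAOS TXT strings in a reply, refusing mismatched ids and error RCODEs."""
    rid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    out: List[str] = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TXT and rclass == CHAOS:
            i = 0
            while i < len(rdata):  # RDATA is a sequence of <len><chars>
                out.append(rdata[i + 1:i + 1 + rdata[i]].decode("latin-1"))
                i += 1 + rdata[i]
    return out


def query_udp(server: str, qname: str, timeout: float = 3.0) -> List[str]:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_txt_answers(data)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def query_tcp(server: str, qname: str, timeout: float = 3.0) -> List[str]:
    q = build_query(qname)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)  # DNS over TCP is length-prefixed
        (n,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, n)
    return parse_txt_answers(data)


def assess(baseline: Dict[str, str], observed: Dict[str, Optional[List[str]]]) -> List[str]:
    """One finding per probe whose answer is missing (None) or differs from the baseline."""
    findings = []
    for probe, expected in baseline.items():
        got = observed.get(probe)
        if got is None:
            findings.append(f"{probe}: no answer (blocked or timed out)")
        elif expected not in got:
            findings.append(f"{probe}: expected {expected!r}, got {got!r} (likely intercepted)")
    return findings


def build_txt_response(query: bytes, text: str) -> bytes:
    """Constructed reply to <query> carrying one CHAOS TXT answer; offline test helper only."""
    txid = struct.unpack_from("!H", query, 0)[0]
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)  # QR=1, AA=1, RCODE=0
    rdata = bytes([len(text)]) + text.encode()
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TXT, CHAOS, 0, len(rdata)) + rdata
    return header + query[12:] + answer


def run_demo() -> List[str]:
    """Replay the letter's transcript against constructed replies (no network needed)."""
    baseline = {"udp/version.bind": "Just send your damn query already...",  # lab answers
                "tcp/version.bind": "Just send your damn query already...",
                "tcp/hostname.bind": "bifrost"}
    observed = {  # what the laptop saw over the carrier link, per the transcript
        "udp/version.bind": parse_txt_answers(
            build_txt_response(build_query("version.bind"), "9.6.0-P1")),
        "tcp/version.bind": None,  # ";; connection timed out"
        "tcp/hostname.bind": parse_txt_answers(
            build_txt_response(build_query("hostname.bind"), "ns1-kscymar06.spcsdns.net")),
    }
    return assess(baseline, observed)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

On a live link, replace the constructed replies with calls to query_udp() and query_tcp() against your own server, recording a timeout or connection failure as None before passing the dictionary to assess(). The comparison is only as strong as the baseline: version.bind is a useful tell because a hijacking resolver answers with its own string, but an operator can forward CHAOS queries upstream, so a TXT record in a zone you control, fetched the same way, gives a less spoofable reference than the server's self-reported version.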
participants (3)
- Andrew D Kirch
- Robert E. Seastrom
- Skywing