Chris Pugh | 1 Aug 19:06 2007

All good projects have ..

.. a decent Logo!  Where is the one for OpenNIC?  Not that little mite top left of the page at,

            http://www.opennic.unrated.net/

surely?  if so, maybe it needs a lift?  Accordingly ..

.. for the artistically gifted out there ( and this in no way applies to yours truly ),
how about holding a Logo competition?


Chris.

Chris Pugh | 1 Aug 19:22 2007

Re: All good projects have ..


On 01/08/07, Chris Pugh <nissehud <at> googlemail.com> wrote:
.. a decent Logo!  Where is the one for OpenNIC?  Not that little mite top left of the page at,

            http://www.opennic.unrated.net/

surely?  if so, maybe it needs a lift?  Accordingly ..

.. for the artistically gifted out there ( and this in no way applies to yours
truly ), how about holding a Logo competition?


Chris.

PS The winner could be decided by a poll conducted on Scoop! ;)


Aaron J. Angel | 2 Aug 01:04 2007

Re: All good projects have ..

On 8/1/07, Chris Pugh <nissehud <at> googlemail.com> wrote:
> On 01/08/07, Chris Pugh <nissehud <at> googlemail.com> wrote:
> > .. a decent Logo!  Where is the one for OpenNIC?  Not that little mite top left of the page at,
> >
> >             http://www.opennic.unrated.net/
> >
> > surely?  if so, maybe it needs a lift?  Accordingly ..

Agreed.  Honestly, it looks like something I'd see on a gay rights site.

> > .. for the artistically gifted out there ( and this in no way applies to yours
> > truly ), how about holding a Logo competition?
> >
> >
> > Chris.
>
> PS The winner could be decided by a poll conducted on Scoop! ;)

Nifty idear.
######################################################################
This is the discussion list for the Open Network Information
Center.  You can unsubscribe by sending an email containing the words
"unsubscribe discuss" in the body of the message to
"majordomo <at> opennic.glue" or "majordomo <at> opennic.unrated.net".
######################################################################

shdwdrgn | 2 Aug 18:33 2007

SpamBots revisited

I started looking into the spambot problem again yesterday.  Anyone running a tier2 server should be
concerned about this issue, as they will suck your bandwidth dry if you let them.  I wrote up a php script
which will look through the daily log for query attempts, and creates a database with all IP addresses
found, and how many queries they made for the day.  The worst offender -- 477,510 queries made in a 24-hour
period.  That's an average of 5.5 queries per second, sustained through the whole day!

The data is date-stamped so I can get an average over a period of time, or possibly even look for trends. 
Initially what I want to do is create a blocklist of the heavy-hitting bots, which can be shared for
creating ACL lists for everyone's DNS server.  This could be updated daily, and I can create different
lists based on certain cutoff values.  For instance, just the numbers from yesterday's log:

>0     = 879 IP's
>10    = 530
>100   = 289 
>1000  = 79 
>10000 = 18 

Now a note about my data -- I use an auto-whitelist on my tier2 server.  If you request an opennic domain
lookup, you get whitelisted.  Those who have NEVER requested an opennic domain show in my log as denied
queries.  Now a human is not likely to keep trying to perform a lookup after the first few failed attempts, so
blacklisting any entry with more than 100 requests should be a safe bet.  I would probably even go lower, but
the preferred threshold should be left up to the individual server admin.

One other item for consideration -- Keep in mind that these hits are being generated by SPAMbots.  Every time
they do a lookup, they're trying to send out another spam.  This data may prove useful for email blacklists
as well.  I'll certainly be looking into it...

Anyway, that's where I'm at right now.  I'll be getting the data collection automated today, and start
writing a script to generate the blocklists.  I can make up raw text lists with just the IP's, and I can make up
an ACL in bind9 format.  If there are any other requests, I just need a sample of how your list would be
formatted.  If anyone else wants to put forth their theories on how we can use this data, or what it
represents, I would certainly be interested.

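The log-to-blocklist steps described in the message above, as an added example that is not part of the original post and is not shdwdrgn's PHP script (Python is used here instead). It assumes a BIND 9 style "denied" query log line; the sample log, the function names and the `allow` parameter are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed BIND 9 log line for a refused query (the format is an assumption):
#   02-Aug-2007 10:15:32.123 security: info: client 192.0.2.10#4312: query (cache) 'mx.example/MX/IN' denied
DENIED = re.compile(r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+[^:]*: query .* denied\s*$")

def count_denied(lines):
    """Count denied queries per client IP; skip lines that do not parse."""
    counts = Counter()
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue
        try:
            # Normalise and validate, so junk from the log never reaches a config file.
            counts[str(ipaddress.ip_address(m.group("ip")))] += 1
        except ValueError:
            continue
    return counts

def cutoff_table(counts, cutoffs=(0, 10, 100, 1000, 10000)):
    """Number of IPs that made more denied queries than each cutoff."""
    return {c: sum(1 for n in counts.values() if n > c) for c in cutoffs}

def blocklist(counts, threshold=100, allow=()):
    """IPs above the threshold, minus networks the admin never wants blocked (hypothetical safeguard)."""
    nets = [ipaddress.ip_network(a) for a in allow]
    hits = [ipaddress.ip_address(ip) for ip, n in counts.items() if n > threshold]
    keep = [ip for ip in hits if not any(ip in net for net in nets)]
    return [str(ip) for ip in sorted(keep, key=lambda ip: (ip.version, int(ip)))]

def to_bind_acl(name, ips):
    """Render the list as a named BIND 9 acl block."""
    return 'acl "%s" {\n%s};\n' % (name, "".join("    %s;\n" % ip for ip in ips))

def sample_log():
    """Constructed log: three clients (documentation addresses) plus one unrelated line."""
    row = "02-Aug-2007 10:15:32.123 security: info: client %s#4312: query (cache) 'mx.example/MX/IN' denied"
    rows = [row % "192.0.2.10"] * 150 + [row % "198.51.100.7"] * 12 + [row % "203.0.113.5"] * 3
    return rows + ["02-Aug-2007 10:15:33.000 general: info: zone example/IN: loaded serial 1"]

if __name__ == "__main__":
    counts = count_denied(sample_log())
    print(cutoff_table(counts))
    print("\n".join(blocklist(counts, threshold=100)))  # raw text list
    print(to_bind_acl("spambots", blocklist(counts, threshold=100)))
```

The threshold is a parameter because the post leaves the cutoff to each server admin; the rendered `acl` block can then be referenced from the server's own access-control options.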

avo | 2 Aug 18:59 2007

Re: SpamBots revisited


Great work, shdwdrgn !!

It might work out to add those IPs to a DNSBL zone for easy distribution; 
in such a way that users could easily extract the IPs for use in Bind ACLs 
and ipfilters. I'd also watch for them during smtpd.

I'll be on vacation and offline for most of next and all of the following 
week; and will look forward to catching up with you.

avo
---


avo | 9 Aug 02:07 2007

Re: Nameserver Audit


On Sun, 29 Jul 2007, brian <at> pongonova.net wrote:

> It's obvious there is a real need for immediately implementing an
> updated opennic.glue root zone for all existing Tier 1 servers.

Available from ns20 at 66.150.224.233
together with a refreshed aggregate root

both are slaved by ns2, ns21, and ns22
which provide termination for 5 healthy, current, and actively maintained 
tier-2 hosts. Thank you all!!

Cheers,
avo
---


avo | 9 Aug 16:41 2007

Re: PROJECT: Redundancy of DNS Servers


On Wed, 16 May 2007, not so long ago by OpenNIC standards :), Jeff Taylor 
wrote:

> My opinion on this would be to find a way to eliminate tier-0 altogether.  I 
> believe all of the tier-1 servers should maintain active copies of the 
> tld-root file info, with the maintainers of any of these servers able to 
> update the information and redistribute it.

We're starting to put this to test right now.
On the radar is a new [redundantly distributed?] SVN repository for the 
tier-0 operation, monitoring configurations, many other useful scripts and 
files.

> Ideally, what I have in mind would be setting all of the tier-1 servers as 
> master for the zone file

This is what we've done with .free so I have experience with this. I do 
not recommend it for the aggregate root or glue zones however; and have 
another suggestion, presented earlier, to *enable* some number of tier-1 
hosts to provide tier-0 operations "on a moment's notice". Other tier-1s 
would have to make one change to their configs in order to "keep up". 
There is no anticipation that this change would happen with any immediacy 
or frequency at all; any more than there is of a fire on a ship at sea 
which still has fire drills at least monthly.

We don't want to accommodate unstable or unreliable hosts for this service. 
We should very much require proven stable reliable hosts with responsive 
admins for tier-0, all tier-1, and the published tier-2. Reference can be 
made to the nagios reporting currently linked from the Auditing Working 
Group page on the wiki.

> so that the TLD maintainers can update the file as needed

The aggregate root does not require or benefit from being collectively 
maintained. The glue zone gets updated for the addition, removal, or 
editing of hosts, be they wiki, blog, tier-1, monitor, proxy, ... but 
nothing which causes pain if not distributed in 24 hrs. These zones 
[should] have nice long TTLs and refresh intervals.

> and it would be automatically redistributed whenever there is a 
> change.

All slave zones receive immediate NOTIFY.

> Each of the tier-2 servers would be configured as slaves to receive 
> the updated files

At *this* point, and still evolving with the collective collaboration of 
you and others, the Hostmastering Working Group (which I coordinate 
actively) is looking at both:

 	1) tier-2 hosts being able to connect without any public listing
 	or configuration changes "up-tier". (Certainly ISPs don't
 	'register' (as slaves) with IANA root servers.)
and,
 	2) a set of tier-2 hosts which are advertised and monitored. I
 	even started thinking of breaking off a dns.opennic.glue zone
 	which could be queried for NS records which would return both
 	hostnames and IPs of these public servers.

Before charging too far down any one path of maintaining the essential 
zones, I'm calling for a serious consideration of all the security issues 
which we should responsibly address.

> end-users could pull a copy of the most recent file directly from the 
> tier-2 servers.

Tier-2 servers are welcome to xfer the root, which is the only zone 
they're required to serve anyway. Though, if you wanted a root zone, would 
you get it from "just anywhere" when you could, and should, get it from as 
close to the master as possible?

> Unfortunately I don't know if that would work in reality.

When you want to work with it, any of the hosts listed for dns.free can 
add you to that same list. Don't overlook the security implications of 
*that*. Those hosts, btw, *should* all be restricting xfers-in to 
DNSSEC/TSIG authentication, which would have to be set up for you.

The other "feature" of this architecture, consequent of the configuration 
requirement which you did anticipate of configuring each host as 'slave' 
for the zone (everybody configuring as 'master' doesn't work), is
 	* need a full restart of the server to distribute your changes;
 	* needs [some] existing hosts to reconfigure their systems to
 	require key authentication with you; add you to their also-notify
 	list. (the list grows by "sponsored" "trust", which will
 	contribute positively to the scalability of this design.)

As pretty a picture as that presents for some interests, it fully enables, 
even encourages, branching and splintering and woefully unsynchronized 
zones, a consequence quite contrary to the OpenNIC objectives.

Thanks for your considerations,
avo
---


Julian De Marchi | 13 Aug 07:13 2007

un-expected downtime

Hi All,

I would like to express my apologies for the downtime of the wiki service.

Workmen who were doing telephone work cut the wrong line and brought 
down the internet for some time.

Again I would like to say sorry to everyone for this un-expected downtime.

All is back online now. :)

Kind regards,

Julian De Marchi

Julian De Marchi | 13 Aug 07:38 2007

test ignore me please


Guru3 | 13 Aug 13:12 2007

Tier 2 Server

Hello, I've just joined into OpenNIC and thought I'd introduce myself.
I'm about to enter into my second year of university in England
studying Civil Engineering. Yes, that has almost nothing to do with
DNS, but I like the idea of OpenNIC and some cool TLDs. To show my
support, I've set up a Tier 2 server on my box in Sweden. It's a dual
xeon at 2.4ghz on a 10mbit downstream and 1mbit upstream. The IP is
90.227.129.150 and it should resolve any OpenNIC, ICANN, or country
domain.

Hopefully I've got everything set up correctly,
Guru3

