I learned something about DNS this weekend. For some reason I was labouring under the impression that your machine, not the DNS servers dig the recursive lookup for you. What I mean by this is that I thought a DNS lookup went something like this:

1. Request for lookup of 'domain.com'.
2. Request sent to configured DNS server (non-authoritative for 'domain.com').
3. Response received including details of nameserver (NS) authoritative for 'domain.com'.
4. Request sent to 'domain.com' NS for lookup of 'domain.com'
5. Authoritative response received

That is sort of how it works, I just had the agent initiating the subsequent requests mixed up. This belief was fine back in the day when most DNS servers were running open, caching, recursive DNS servers. Now-a-days that is bad, so just sticking my nearest DNS server into /etc/resolv.conf was only resolving addresses it was authoritative for.

After struggling for a few hours to solve this, I phoned Russell, because he knows this stuff. He pointed out that it is the DNS servers that do the recursion not your machine. So, you have to point your machine at a recursive DNS server that will talk to your IP. Being a smart guy, he happened to know one I could use, off-by-heart. FREAK!

I put this here in the hopes that the next geek who googles for it won't waste as much time as I did. I thought as a moderately capable geek I would just know stuff like this, it's always interesting to see where the holes in your knowledge are.

Bwahahaha.

I find it hard to swallow that a vendor like Aladdin can write a filesystem driver that filters USB requests to encrypt data on the fly using documented interfaces, that a vendor like CA can write a driver that filters all incoming TCP connections using documented interfaces, and that a vendor like PointSec can write a driver to intercept filesystem calls using documented interfaces; but somehow McAfee can't get it together to grep the filesystem for malware without "going commando" all over Windows Vista in a way that requires them to rewrite the kernel. WTF?!

Courtesy: Security Curve.

I have put together a list of exploit archives here. Does anyone have some good ones I am missing? I also have exploit planet and my bloglines exploit subscriptions pointing at a few of the goodies.

HA! A company has been registered with the name "' Or 1 Equals 1 Dash Dash". The membership is open and functions as a collective i.e. you are a member just by saying you are. This legally entitles you to fill out that your company as ' or 1=1-- on any forms. As it is an entity protected by US law (it is registered in California), nobody can accuse you of illicit activities for using your organisation's name, even if it offers up admin privileges on their web application.

Nice idea Haroon, nice work Tim (Thor).

Ha! the use of ' or 1=1-- in my title messes with my HTML comments.

Mark Shavlik, CEO of Shavlik Technologies kindly linked to my thesis. He then went one step further and answered some of the claims I made in my thesis about a paper they released entitled Security Patch Management: Breaking New Ground. I have previously, in my darker thesis-writing days, written some not-very-nice comments about that paper in an entry entitled Shavlik and the mound of FUD.

Mark had his head screwed on right in the first place when he called the debate a "red herring", and his response shows it. Ironically, it seems it was an attempt to counter FUD from agent-only distributors. It's just a pity common sense has marketing departments to contend with.

After work such as Do Enterprise Management Systems Dream Of Electric Sheep?, and the 'everything-as-an-agent' syndrome security products seem to be going through, I think there is stronger ground to advocate against an agent-only based solution, coupled with the obvious need to be able to push patches to machines which haven't gone through a gating process.

Thanks for the response Mark. CEO blogging++