DNS: Fwd: DNS servers with UDP checksums disabled: a survey

From: Glen Turner <glen.turner§itd.adelaide.edu.au>
Date: Thu, 27 Feb 1997 12:57:54 +1030

Although this list is often used to discuss net politics,
the following message is of operational relevance.

A campaign against DNS servers running without UDP checksums
(a very poor practice with potentially catastrophic results)
has been conducted in the newsgroup comp.protocols.tcp-ip.domains
for some time.

Attached is the latest list of misconfigured machines: 88
in .au alone (I have attached the .au list -- people who
have domains in .com or .net will have to check the list


Subject: DNS servers with UDP checksums disabled: a survey
Date: 18 Feb 1997 03:58:10 GMT
From: fitz§think.com (Tom Fitzgerald)
Organization: Thinking Machines Corporation
Newsgroups: comp.protocols.tcp-ip.domains,comp.protocols.tcp-ip,comp.system.sun.admin

I've done a survey of nameservers running on the net with UDP
checksums disabled.  Out of 62729 nameservers probed, 2588 of them
(4%) have checksums off.  Another 1304 nameservers weren't probed but
were also detected for one reason or another, meaning 3892
misconfigured nameservers, authoritative for over 73600 domains.

The list is 140KB, too large to post, but I've put a copy of it in
for anyone who wants to look at it.

Please, check this list for any systems in your domain or in your
parent or any child domains, secondaries serving your domain or
nameservers at your ISP.  If you find any, please do what you can to
fix them, or complain to the admin or your ISP.  These machines are
disasters waiting to happen, for reasons described below.

Of particular note are the following machines:

    o   17 psi.com/psi.net machines, responsible for over 10000
        domains including nsf.gov and whitehouse.gov :-).  This is
        up from 13 misconfigured machines detected last June.
    o   rs0.internic.net, authoritative for 146 domains including
        *.ca, *.es, *.kr and *.us
    o   rs1.internic.net and rs2.internic.net, though they appear to
        be caching-only.
    o   ns1.earthlink.net, authoritative for 5621 domains.
    o   nic.fonorola.net, 3744 domains
    o   noc.cerf.net, 3350 domains including 4.in-addr.arpa
    o   23 netcom.com machines, down from 44 as of last June, but
        still responsible for over 1000 domains.
    o   whitehouse.gov, authority for 240.137.198.in-addr.arpa.
    o   bondy.bondy.orstom.fr and orstom.rio.net, responsible for *.bf,
        *.ci, *.mg, *.ml, *.mr, *.nc and *.sn
    o   princeton.edu, responsible for *.bi, *.cg, *.ch, *.fr, *.gf,
        *.rw and *.zr.
    o   ns1.cs.ucl.ac.uk and sun.mhs-relay.ac.uk, responsible for *.uk

Nameservers that have UDP checksums disabled can cause corrupted DNS
data to be accepted by other nameservers, and propagated around the
net for days or weeks, to the suffering of everyone involved.  The
problem can easily cause your entire domain to seem to be unreachable
for mail or WWW access, for days, even though your connection is fine.
Once or twice a year this causes corrupted root domain data, which
makes the damage orders of magnitude worse.

Most of these are almost certainly SunOS 4.1.x systems, which have
checksums disabled by default.  Checksums can be enabled on these
systems with this command:

adb -w -k /vmunix /dev/mem << EOF

This enables checksums both in the currently running kernel and in the
vmunix disk image, so it will still be enabled at the next reboot.
This fix will NOT survive a kernel rebuild.  It must be reapplied
every time you install a new /vmunix.  For details see Rob Montjoy's
SunOS FAQ, posted to comp.sys.sun.admin, or available at

This has to be emphasized: if you run a nameserver that's authoritative
for any domains at all, it is essential that you enable UDP checksums
on it so systems that query you won't accept corrupt responses.

If there are non-SunOS systems in this list, I'd like to hear about
it, as well as how to enable UDP checksums on such systems if you have
any info on this.  I'm currently building a list of SOA contact
addresses for the 73600 affected domains in preparation for sending
warnings out.  I'd really like to include fix information for all
potentially-relevant systems.

A lot of the motivation and workings of this list come from W. Richard
Stevens <rstevens§noao.edu> and Steinar Haug <sthaug§nethelp.no>, both of
whom have published lists like this in the past.

Tom Fitzgerald   Thinking Machines Corp, Bedford MA, USA   A3FC3545C031E735
fitz§think.com   (617)276-0400 x4848                       3DE72FB31F6028D1

Received on Thu Feb 27 1997 - 14:08:58 UTC
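
The following is an added example, not part of the original posts or of the survey's tooling: it classifies a UDP datagram's checksum field as disabled (zero), valid or corrupt, and shows that a single flipped bit is caught only when the sender filled the checksum in. The addresses, ports and payload are constructed sample values.

```python
import socket
import struct

SRC, DST = "192.0.2.53", "198.51.100.7"   # constructed documentation addresses
PAYLOAD = b"\x12\x34\x81\x80example"       # constructed stand-in for a DNS reply

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src: str, dst: str, udp: bytes) -> int:
    """Checksum over IPv4 pseudo-header + UDP header (field zeroed) + payload."""
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, 17, len(udp)))
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    csum = ~ones_sum(pseudo + zeroed) & 0xFFFF
    return csum or 0xFFFF   # a computed 0 is sent as 0xFFFF; 0 means "none"

def build(src, dst, sport, dport, payload, with_checksum=True) -> bytes:
    """Build a UDP datagram; with_checksum=False mimics a sender with checksums off."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    if with_checksum:
        udp = udp[:6] + struct.pack("!H", udp_checksum(src, dst, udp)) + udp[8:]
    return udp

def classify(src: str, dst: str, udp: bytes) -> str:
    """Return 'disabled', 'valid', 'corrupt' or 'truncated' for one datagram."""
    if len(udp) < 8:
        return "truncated"
    field = struct.unpack("!H", udp[6:8])[0]
    if field == 0:
        return "disabled"    # receiver has nothing to verify against
    return "valid" if field == udp_checksum(src, dst, udp) else "corrupt"

def flip_bit(udp: bytes, offset: int) -> bytes:
    """Simulate in-transit corruption of one bit at the given byte offset."""
    damaged = bytearray(udp)
    damaged[offset] ^= 0x01
    return bytes(damaged)

if __name__ == "__main__":
    for on in (True, False):
        pkt = build(SRC, DST, 53, 33000, PAYLOAD, with_checksum=on)
        print(on, classify(SRC, DST, pkt), classify(SRC, DST, flip_bit(pkt, 12)))
```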

