From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <97d636b2e3d347c0f29d78d95ef2b493@9srv.net>
Date: Sun, 27 Jul 2008 22:53:38 -0400
From: a@9srv.net
To: 9fans@9fans.net
In-Reply-To: <9a26ecb5639631b7d346a52c0c8e849d@quanstro.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: Re: [9fans] dns exploits (self-promotion remix)
Topicbox-Message-UUID: f2c2b716-ead3-11e9-9d60-3106f5b1d025

// 1. plan 9 never used a static source port for queries,

Using dynamic ports is better than static, but if they're
sequential (or otherwise predictable), it doesn't buy you
all that much.

// 2. who does recursive queries on external interfaces?

I've been traveling in companies and countries with restricted
local DNSs, but open routes to home. Or open enough to get
DNS through; sometimes not VPN, ssh, or functional equivalent
(to say nothing of 9p). Being able to query an unrestricted DNS
was wonderful.

I've also worked for companies who had folks working from
home pointing their home computers at work DNS (and some
other services) over the public internet.

I'd probably grant that it's a security problem, but it wasn't an
"error" in the normal sense.

Anthony
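
Added example, not part of Anthony's message or of Plan 9's dns code: a check an operator could run over the source ports of their own resolver's outbound queries, to tell static, sequential and scattered port selection apart. The port lists, the 64-port window and the function names are assumptions made for the illustration.

```python
PORT_SPACE = 65536  # UDP ports are 16 bits

def port_deltas(ports):
    """Step between consecutive source ports, wrapped to the 16-bit port space."""
    return [(b - a) % PORT_SPACE for a, b in zip(ports, ports[1:])]

def classify_ports(ports, window=64):
    """Classify the source ports seen on a resolver's outbound queries.

    Returns (label, candidates). candidates approximates how many ports an
    observer of the previous query would have to consider for the next one.
    'window' (assumed value) is the largest forward step still treated as a
    counter, allowing for other sockets consuming ports in between.
    """
    if len(ports) < 3:
        raise ValueError("need at least 3 observations")
    deltas = port_deltas(ports)
    if all(d == 0 for d in deltas):
        return "static", 1
    if all(d <= window for d in deltas):
        # Dynamic but predictable: the next port is within a few steps of the last.
        return "sequential", max(deltas)
    # Large, irregular steps. This rules out a simple counter; it does not
    # prove the generator behind the ports is unpredictable.
    return "scattered", max(ports) - min(ports) + 1

# Constructed observations (not captured from any real resolver).
STATIC = [53, 53, 53, 53, 53, 53, 53, 53]
SEQUENTIAL = [1025, 1026, 1028, 1029, 1030, 1033, 1034, 1035]
SCATTERED = [40211, 1893, 57002, 23344, 61250, 9077, 33518, 48126]

if __name__ == "__main__":
    for name, obs in (("static", STATIC), ("sequential", SEQUENTIAL),
                      ("scattered", SCATTERED)):
        label, candidates = classify_ports(obs)
        print(f"{name:10s} -> {label:10s} next-port candidates ~ {candidates}")
```
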