Archive for the ‘microsoft’ Category

The Dan Kaminsky Microsoft DNS Patch Sideeffect

Wednesday, July 30th, 2008

So it’s been a few weeks since most of us have patched our vulnerable DNS servers, but I hadn’t noticed this little bonus until today, which actually made me laugh. You see, a few years ago I had noticed an annoying little behavior with the way Microsoft’s DNS Server handles outgoing client connections for domains/servers that are listed under the Forwarders tab. We use this Forwarders tab to list frequently queried domains for which we host a copy of the zone file in rbldnsd, so as not to go to the internet to find the answer. This gives us the benefit of returning an answer to a DNS query much faster and saves us the extra bandwidth. This is highly beneficial to our mail systems, which process on average 100 million messages per month, mostly spam of course. So back when we had implemented the rbldnsd system, we had placed Linux Virtual Server in front of the rbldnsd to load balance the traffic across 8 or so machines. After pointing the Forwarded domains to the LVS VIP, I had expected hundreds, even thousands of connections to get sprayed across the rbldnsd farm, but uh-uh, nope. There were only two connections listed to two of the backend servers; however, all the queries were getting answered.

me@director:~$ sudo ipvsadm -L
IP Virtual Server version 1.2.1 (size=32768)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
UDP w.x.y.z:domain wrr
-> server1.domain.com:domain Route 2 0 1
-> server2.domain.com:domain Route 2 0 0
-> server3.domain.com:domain Route 2 0 0
-> server4.domain.com:domain Route 2 0 1
-> server5.domain.com:domain Route 2 0 0
-> server6.domain.com:domain Route 2 0 0
-> server7.domain.com:domain Route 2 0 0
-> server8.domain.com:domain Route 2 0 0

This had me scratching my head at first, and then a few packet captures later I realized that Microsoft was opening 1 socket connection and pushing all the forwarded queries through it. Gee whiz, Microsoft! Why would you do such a thing? I figured that opening and closing socket connections carries an overhead and could also potentially exhaust all available UDP ports in a very short amount of time, so I can understand why Microsoft would implement it in this way. However, this is exactly the insufficient socket entropy that is described in Dan’s advisory as flawed, and from my perspective I hated it, as I couldn’t load balance all the forwarded DNS queries across each machine that had rbldnsd running on it. Luckily rbldnsd wasn’t the primary service on those machines that we were load balancing, so I had decided to just let it be after spending a few minutes looking for a workaround and then banging my head on my desk out of frustration. Availability was still guaranteed, and rbldnsd, being as fast and memory efficient as it was, was performing fine in this configuration, so I let it be. I had bigger fish to fry at the time. Fast forward a few years to a Dan Kaminsky patched Microsoft DNS Server, and voilà, this is what I noticed today…

me@director:~$ sudo ipvsadm -L
IP Virtual Server version 1.2.1 (size=32768)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
UDP w.x.y.z:domain wrr
-> server1.domain.com:domain Route 2 0 264
-> server2.domain.com:domain Route 2 0 258
-> server3.domain.com:domain Route 2 0 256
-> server4.domain.com:domain Route 2 0 252
-> server5.domain.com:domain Route 2 0 250
-> server6.domain.com:domain Route 2 0 252
-> server7.domain.com:domain Route 2 0 252
-> server8.domain.com:domain Route 2 0 252

and this is with a modified UDP timeout of 10 seconds…

me@director:~$ sudo ipvsadm -L --timeout
Timeout (tcp tcpfin udp): 60 10 10

Awesome, entropy, security, and load balancing :). Thanks Dan!
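The effect described in this post can be reproduced with a small model. This is an added example, not code from the original post: it assumes a simplified IPVS connection table keyed on (source IP, source port) with equal-weight round-robin, and the resolver address, the fixed port 1025 and the query timing are constructed sample values.

```python
import math
import random
from collections import Counter

# Eight equal-weight real servers, as in the ipvsadm listings (placeholder names).
BACKENDS = [f"server{i}" for i in range(1, 9)]

def schedule(queries, udp_timeout=10.0, backends=BACKENDS):
    """Simplified model of IPVS UDP handling (an assumption, not the kernel code):
    a (src_ip, src_port) pair already in the connection table stays on its backend
    until the entry has been idle for udp_timeout seconds; a new pair goes to the
    next backend in round-robin order (equal weights make wrr behave like rr)."""
    table = {}               # (src_ip, src_port) -> (backend, last_seen)
    per_backend = Counter()  # queries answered by each backend
    next_slot = 0
    for ts, src_ip, src_port in queries:
        key = (src_ip, src_port)
        entry = table.get(key)
        if entry is None or ts - entry[1] > udp_timeout:
            backend = backends[next_slot % len(backends)]
            next_slot += 1
        else:
            backend = entry[0]
        table[key] = (backend, ts)  # every packet refreshes the idle timer
        per_backend[backend] += 1
    return per_backend

def port_entropy_bits(queries):
    """Shannon entropy, in bits, of the source ports seen in the sample."""
    counts = Counter(port for _, _, port in queries)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def sample_queries(n, randomize_ports, seed=1):
    """Constructed sample: n queries, 10 ms apart, from one forwarding resolver."""
    rng = random.Random(seed)
    return [(i * 0.01, "192.0.2.10",
             rng.randrange(49152, 65536) if randomize_ports else 1025)
            for i in range(n)]

if __name__ == "__main__":
    for label, randomized in (("single socket", False), ("randomized ports", True)):
        q = sample_queries(2000, randomized)
        print(label, f"{port_entropy_bits(q):.2f} bits", dict(schedule(q)))
```

Running the same entropy function over source ports taken from a packet capture of a forwarder’s outgoing queries is a quick way to confirm that a resolver has picked up source-port randomization.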

unable to load from /usr/local/ssl/openssl.cnf on Windows

Friday, April 11th, 2008

After installing Apache 2.0.63 w/ OpenSSL 0.9.7 on a Windows Server :( (see previous posts), I ran into this little issue while trying to create a certificate request with the following command…

#openssl req -new -key mydomain.key -out mydomain.csr

Luckily I found bug #1187 quickly on the openssl request tracker site at

http://rt.openssl.org/Ticket/Display.html?id=1187&user=guest&pass=guest

If you’re looking for the quick fix, use the -config switch and point it to the openssl.cnf under the Apache install dir.

#openssl req -config "D:\Apache Group\Apache2\conf\openssl.cnf" -new -key mydomain.key -out mydomain.csr

thanks to msathesh@gmail.com

The right software on the wrong platform…

Tuesday, March 11th, 2008

Now, I’m one of those admins who despises running certain open source software packages on Windows. It just bugs me. Just because a certain application runs on Windows, or is reported to run on Windows (if you follow the 101 step procedure to the t and don’t stumble on any gotchas because you’re trying to accomplish something slightly different than what is documented), doesn’t mean that it should be run on Windows, especially for production applications. Take the LAMP stack, for example: Apache HTTP Server, PHP/PERL, MySQL. All these run on the Windows platform and that’s great and all. It makes it very convenient to set up a development environment on Windows machines. But in my very humble opinion, these projects were made to be run in a *nix environment. Just look at the configuration files and you can easily see the developers have intended these to be run under a *nix platform. Installation is usually a breeze with these apps under *nix. Now I must admit that the Apache Group, MySQL, and ActiveState have done a very great job with their Windows installation packages, but have you ever installed PHP on IIS? Tell me that wasn’t a headache the first time you tried that? Didn’t it seem kind of hackish? And the performance, how was it for you? Now, I haven’t tried the PHP “friendly” IIS 7 but I’m hoping this has improved some. Now, the LAMP stack is just my example, but there’s a multitude of open source software out there that just should not be run under Windows. Installation and configuration usually involve some sort of two-bit hack, and integration and/or troubleshooting is typically dreadful and time-consuming. And it goes both ways. I would never try to install IIS or MSSQL on a *nix platform, but good luck to you if you dare! Let me know how that goes for you. And did someone say emulators? Yah, I “hear” Wine has made some great strides in the past few years, especially thanks to the folks at Google, but if you’re gonna run Linux as your desktop, can’t you make the full commitment and just run OpenOffice or Gimp? And please don’t even mention the word “cygwin” to me!

But “business requirements” are “business requirements” after all, aren’t they?

So what do I run…

Monday, November 26th, 2007

With that said… (see previous post)

I use Windows XP Pro as my desktop operating system of choice and haven’t seen the reason to make the move to Vista yet, although I will be investigating more in the near future with Windows Server 2008 looming around the corner. I find myself to be more efficient and comfortable in a Windows desktop environment than I do in either GNOME or KDE, although I feel right at home in a GNOME environment. Although Mac was probably the first OS I ever used, I grew up using Windows and it feels like home to me. However, I do tend to run unix-like virtual machines on top of my desktop to allow me some flexibility. Also, I run a dual booting, Windows XP/Linux configuration on my laptops. Never know when you’re gonna need what. I like to keep my options open.

I have run a MacOSX laptop in the past but at the present I have not had the luxury.

On the server side of things, I run both Windows and Unix-Like, depending on the situation, client, customer, requirements, etc. On the Windows side I run Windows Server 2003, of course, in its different flavors. On the Unix-Like side my Linux OS of choice for production is Debian; however, I am a Linux hobbyist and have run most major Linux flavors including Ubuntu, Slackware, Gentoo, Suse, and Redhat based operating systems at one point or another. My BSD of choice for servers is FreeBSD, but I use OpenBSD for the network infrastructure such as routers and firewalls.

Again, I have closed commenting on this page so as not to incite a flame war. This is what I run.

Ideology: Microsoft vs Unix-Like

Monday, November 26th, 2007

I figured I’d start my first blog postings with some of my ideologies. One of the most fundamental ideological rifts is in the operating system of choice among IT veterans. Mainly Microsoft vs Unix-like. I say Unix-Like because of the many “Unix-Like” platforms we have to choose from nowadays, from Linux to the BSDs to the Mac OSX, each with their own unique characteristics, pros, and cons, but all essentially “unix” minus the trademark.

I use both Microsoft and Unix-like operating systems, as do a lot of us, so it’s hard for me to choose one over the other, maybe impossible. It’s almost as if one of my children asked me who my favorite child was. I would lie and say I have no favorite, even if I did. Although one may give me less headache and grief, I can’t function without either. They both have a place in my world.

As I would not like to be host to a flame war, I have closed commenting on this post. This is my ideology, not yours.