
2.5 Admins 221: Two Firewalls

2024/11/14

2.5 Admins

People

Allan
Takes part in the technical podcast, discussing modern charging technology, IPv6 firewalls and IT automation.

First
Career change from IT operations to software engineering, contributing to policy compliance and security management at Automox.

Jim
Technical expert focused on IT automation and network security.

Justin
No specific information available about Justin.
Topics
@Jim emphasized modern charging technology, especially the fast-charging capability of USB-C PD, and the convenience of using high-power chargers and power banks while travelling. He described in detail how to choose suitable charging equipment and recommended cables with charging-status indicator lights. @Allan shared a similar experience and added how useful fast charging is in everyday life.

Chapters
Jim and Allan discuss their experiences with modern USB-C charging technology, highlighting the speed and efficiency improvements over older charging methods.
  • USB-C charging can fully recharge a tablet from dead flat in 20 minutes.
  • Modern power banks can recharge large devices quickly and provide better metrics.
  • USB-C charging eliminates the need to carry multiple chargers for different devices.

Transcript

Two and a Half Admins, episode 221. I'm Joe. I'm Jim. And I'm Allan. And you are again, Jim. You've recently discovered the joys of modern charging technology.

That is correct. I had not realized just how antiquated all of my charging stuff was. I thought I had been doing a good job of getting better charging equipment than was provided out of the box, and really providing for my family and myself, because I had gotten a bunch of these older USB-A, you know, four- and five-port charging systems with maybe thirty watts of power total for the whole thing.

And I felt good about that, because I hadn't really been paying attention to what was going on in the world of USB power delivery and how much juice my devices could pull down if it was offered to them. But after having some really bad experiences with unexpected, very long layovers in airport terminals and what have you, I decided to modernize. And the first thing I did was I bought a much more capable power bank, because I wanted to have a greater amount of power available for my devices.

And I also bought much more powerful chargers, and I wasn't entirely sure what to expect when I did it. But what I discovered was that, you know, rather than needing as much as five or six hours to charge my tablet, with, you know, a newer charger that can do a hundred-watt USB power delivery, I can spend fifty dollars on a charger and I can recharge my entire tablet from dead flat in, like, twenty minutes, which is fantastic. It doesn't matter so much if you're at home, but man, is it fantastic when you're traveling.

And, like, you know, maybe you have just got fifteen or twenty minutes sitting in the good seat at, like, the restaurant in the airport, or, like, sitting on the floor with your back to the pillar where the AC outlet is, for just long enough to charge your stuff and then move on. And if you've got a modern, high-quality power bank, you can recharge the entire power bank in about twenty minutes. You can recharge an entire large device, like, you know, a high-powered large-screen tablet or a flagship phone, again, in fifteen or twenty minutes. You can also get much better metrics. The other thing I didn't realize I could have is my chargers and power banks now have their own displays on them, and they will not only tell me, like, what ports are active, they'll tell me, in the case of my most powerful charger, it actually tells me the current and voltage on each individual port as it's charging, which is awesome, because I am not just saying, okay, I have a little icon that says it's charging on my Android device here, or random IoT gadgets, whatever. I am actually looking at the charger and seeing exactly how much power is going into that thing, and that in turn will let me know whether I maybe technically got a connection, but it's a bad cable and I get almost no charge. It just makes my heart sing, and I wish I'd known to do this a long time ago.

Yeah, I know. I had kind of a similar experience. I bought these nice four-port chargers in Japan back when all my devices were, like, micro-USB. And so I had a little thing, plugged into the wall, fit nicely into my plug adapters when I was in other countries, and gave me four USB-A ports. But the total output you could do was, like, two point one amps, or whatever that was back then. No USB-C. And so, you know, I mostly had it in my travel bag, and it mostly plugged into the outlet near the head of the bed in the hotel, and charged my phone overnight and so on.

But I did notice that, you know, if I was trying to top up my phone in the middle of the day, because maybe I'm back in my room for twenty or thirty minutes between the end of the day and the start of dinner and so on, I'd run my phone down, I would like to give it a boost charge, and my phone would be like, okay, I'll try to fast charge, and it would try for a second and then be like, nope, and reset, try again, and no, and okay, slow charge.

And it's like, well, I guess I'm missing out on fast charging, and it's like, I can hear it is pulling about as much as this device can do, and it's kind of making a sound like coil whine.

I know, and, like, I'm like, this device is at, like, the ragged edge of what it can do, and knowing that I could get that precious juice back in my phone quickly when I needed it in those cases, I really wanted something more. And that's really Jim's point: why something with a screen that tells you how many watts it's pulling can help you make sure that it's fast charging, and if it's not, unplugging and plugging it back in.

And now, now it's fast charging, and I know that, okay, I'm going to go have a shower and stuff before I get ready for dinner. When I come back, my phone is going to be at eighty percent, and not just five percent up from where I left it on slow charging.

The other thing I discovered is, with a modern power bank, it changed the way I use a power bank a lot. I had a Sony power bank that I bought on a trip to San Francisco back in twenty sixteen when I went to the OpenZFS Developer Summit.

And it worked. No, I mean, I could keep a dead-flat phone or tablet or whatever running while it was plugged in to the power bank. But essentially I couldn't really gain on the charge that was in a dead-flat phone or tablet while it was plugged in to the power bank.

The power bank would just keep it alive for as long as it was plugged in. You could basically wait overnight and not even really get a good solid charge off the power bank. It was just keeping your devices on life support.

The new power bank, with USB-C power delivery, and you can do, you know, a hundred watts on an individual line, no, it's different, man. You can literally just pop your power bank out of your bag, plug your device into it while you use it for a few minutes, top up the battery all the way to full on your device, unplug it from the power bank, and put it back in your bag again, which is a huge, huge improvement.

It also means, honestly, I use the power bank much less than I used to, because it used to be a thing of, like, you use the battery in your device until it's almost flat and then you're just on life support with a power bank forever until you can get somewhere and properly recharge. And now I'm much more likely to just use the device until I get close to somewhere where I've got power, and in ten or fifteen minutes charge them all the way back up again. And rather than just being on permanent life support, like, I'm fixed, I'm back to where I started.

It's a huge quality-of-life thing. Now, part of what you're going to need to do, if you want to replicate this kind of success, is you need to get away from using USB-A on the charger. I am, probably Allan, and I think most of us, for a long time had been using USB-A to USB-C cables when we charge our USB-C devices. Stop doing that, man.

Get a power bank that has got mostly USB-C ports. It's fine if it's got a couple of USB-A on there, you know, for your legacy stuff, or if it's all USB-C, that's actually fine too, because you can just get a dongle for your USB-A devices, if you have any left, to charge that way.

The other thing that I bought as a part of this, like, wide upgrade, because I was going from USB-A devices on the charging side to USB-C all the way around, I bought a whole bunch of USB-C to USB-C cables.

And the quality varies widely on those. I found a pretty neat feature. The ones that I picked, they run about eight, nine bucks a cable.

A little bit less if you buy, like, you know, a big pack of them in bulk, and for your eight, nine bucks per six-foot cable, in addition to the cable itself being capable of charging at a hundred watts, it actually has an LED on one side of the cable itself, that half of that lights up if you're charging and the whole thing lights up if you're fast charging. So it's just yet another really easy indicator, like, is everything not only working, but, like, working all the way? And I highly recommend it.

That's a great feature that I wanted for my laptop, and I bought specifically those ones you mentioned. But for both that and the MagSafe connectors you recommended, I need ones that don't light up for the bedroom.

So what you do, Allan, is you buy a pack of webcam blackout stickers. Those are great for covering LEDs. They're very inexpensive.

They're disposable. They stick on for, like, ever. And, you know, whenever they finally do come off, well, screw it, you bought a pack of, like, thirty of them for a dollar, so just stick another one on.

Allan mentioned laptops, and that's what got me into this whole world of actual modern chargers. Because I've just been using a bunch of chargers that I've got with phones, and I've got an Anker one that is, like, a five-port USB-A that's about thirty watts total. And I've just been getting by with that.

But then when I learned that you could get a hundred-watt power delivery from a power bank, I could actually charge a laptop off this thing, now that everything's USB-C.

And then I discovered, right, well, I can get a hundred-watt charger to charge that power bank, and it really is just a completely new world of speed of charging. Like, I'm sure there are people listening to this going, yeah, like, we've been doing this for five-plus years. Like, why are you only just discovering it?

And in response to that I say, if you have been doing this for five-plus years, why didn't you tell us, man? I agree with you that the laptop thing is, that's another really, really nice value. If you get a laptop that does USB-C charging, you don't have to carry a laptop charger anymore. Like, your one charger charges everything: your phones, your earbuds, your tablet, your laptop, you know, whatever the hell, it all runs off this one charger.

And it's got enough power to keep them all happy. So, cannot recommend highly enough. Now, the other thing I'll mention here: when you start shopping in power banks, if you're looking for the biggest capacity, you'll find, say you're just browsing around on Amazon or what have you, you'll very quickly discover that almost none of them offer more than a hundred watt-hours, or alternately sometimes you'll see that expressed as twenty thousand milliamp-hours, which converts out to the exact same thing. Now, the reason almost none of them are larger than that is because FAA regulations say that's the largest individual lithium-ion battery you can bring on board an aircraft. So when you finally do manage to find that one power bank that offers you, like, a hundred and fifty watt-hours, or, you know, thirty thousand milliamp-hours on Amazon or whatever site you're browsing, if you're going to be flying, don't buy it, because if TSA figures out that that's, you know, an oversized device, they won't let you on board the plane with it.

OK, this episode is sponsored by 1Password. Imagine your company's security like the quad of a college campus. There are nice brick paths between the buildings. Those are company-owned devices, IT-approved apps, and managed employee identities.

And then there are the paths people actually use, the shortcuts worn through the grass that are the actual straightest line from point A to B. Those are unmanaged devices, shadow IT apps, and non-employee identities like contractors. Most security tools only work on those happy brick paths, but a lot of security problems take place on the shortcuts. 1Password Extended Access Management is the first security solution that brings all these unmanaged devices, apps and identities under your control.

It ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible. 1Password Extended Access Management solves the problems traditional IAM and MDM can't touch. It's security for the way we work today, and is now generally available to companies with Okta and Microsoft Entra, and in beta for Google Workspace customers.

So support the show and check it out at 1password.com/25a. That's 1password.com/25a. Let's do some feedback, then. Justin writes: You mentioned that there is no firewall that manages IPv4 and v6 traffic together, and you need two different sets of configs.

This is not correct. nftables can do that. If you define the table as inet, you can define rules with v4 and v6 in it together.

If you take a zone-based approach, it is really easy, and there really isn't much duplication. If you define a chain with the policy of drop, it is pretty safe by default, in my opinion. But please don't be an idiot and drop ICMPv6.

Many services don't work correctly if they cannot use certain ICMPv6 codes. If you are afraid, block ICMPv6 echo requests, code 128, or read up on needed ICMP codes. Ports aren't really a thing on v6.

I would take objection to a couple of statements there, like the one that says there are no ports on v6. I'm definitely taking exception to that one.

Yeah, but, like, the point about ICMPv6, that is exactly Jim's point when he said that, you know, the firewall doesn't do both: the fact that you can't make one rule that controls all of these messages, because ICMPv4 and ICMPv6 aren't really the same protocol and they have completely different code numbers. And so you can't have one rule that just does what you want.

You have to have a separate set of rules for the v6 versions. While some things, you say, oh, access to port eighty or four forty-three, you can make one rule that will match both v4 and v6, maybe, but as you try to do anything beyond the very, very basics in the firewall, you end up needing two rules for every intent you're trying to express, because they're very different protocols, right? IPv6 isn't just IPv4 with longer IP addresses.

It is a very different protocol, with all these header extensions and so on, that mean that the same rule can't work for both, and it's just not that simple. And then the ports thing, I think they probably mean a little bit more the other way, of, like, nobody tries to scan every single IPv6 address. But that's not true either. It takes a lot longer, but definitely people are there, are just scanning every v6 address and port. And, you know, if you're targeting one IPv6 address, yeah, you can scan all the ports in the same amount of time it would take you to scan all the ports on v4. There may be a little bit less of, you know, people trying to scan every address to look for certain services, but that's more about them just targeting the lower-hanging fruit. But, you know, if you use Shodan or some of those services, you can definitely find all the IPv6 addresses that have port twenty-one open, and what the banner is when you connect to it.

It's probably also worth pointing out that, well, it might be in some ways more of a pain to do port scans on an IPv6 network, like, the subnet's larger, so there's a larger space to scan. You're not typically going to find, like, one host that's actually port-forwarding a whole bunch of services to, you know, an entire farm of machines inside the subnet. That's not usually how things work with v6.

Usually, each machine is just going to be directly publicly accessible. That also means that, like, a lot of the time you get some real bingos if you're scanning IPv6 space, because whereas in v4, you're almost always, like, every machine in the twenty-first century is almost certainly going to be behind a router with a firewall that drops everything by default, in IPv6, by default, everything is accessible. Not just, like, the stuff that you specifically made sure to port-forward through, like, a router that manages your entire subnet, but every single machine in your network is directly publicly addressed, which means that you, or whoever administers your network, on every single machine, need to have set up a sane firewall blocking access to everything that nobody outside the local network should have access to.

You can do that on the router, it's just you have to actively decide to do a stateful firewall, whereas with your normal NAT on IPv4, you kind of were forced to have a stateful firewall by the fact that when you get an incoming connection to the public IP, it couldn't guess which machine to send it to on the inside. So it had to be stateful and just block it and only allow responses to things that were initiated from inside, or where you had a specific port forward. With v6 you can apply those same rules, but you have to choose to do it. It's not the default.

Now, we just got done pretty recently talking about how you can't trust humans to do better than default when it comes to security. And the default on IPv4 in the twenty-first century is everything is behind a router with network address translation and default deny across the board, and you have to do something special to make it less secure. Whereas IPv6 by default, every machine is wide open, fully addressed to the internet, just like in the nineties. And you remember working on networks in the nineties, where every single workstation had a public IP address.

I remember those. I tiger-teamed a few of those, and, like, it's a playground for malware and black hats and whatever. Like, every fricking machine has, like, you know, an FTP server that it shouldn't, and warez and porn, what have you, on it, and you barely know it's running. And how do you fix it? You go in there, and the first thing you do is you take all those public IPs away, and you put the whole network behind a router with the default policy of deny, and poke holes for only the things that you should.

Yes, and that's what you should do for v6 also. Remember net send spam?

Yes, I do. That was never really a problem for me personally, but I definitely remember it.

Yes, I remember that whole concept, because, yeah, everybody on dial-up would basically have a publicly reachable IP on their machine. And you would just walk the subnet and use net send to make a message pop up on every machine.

I think part of the reason that net send was never a big problem for me is I was already very familiar with, like, the ways to abuse that kind of a tool, because before I became an official team manager for my first, a real big-boy job, when I was in the Navy, I worked in commands and on ships that had old-school, like, minicomputers and dumb terminals.

And the AT&T 3B2, we had a function called broadcast, and you could use broadcast to, it worked just like net send, basically. You could just pop up a message on somebody's screen. Although with the AT&T 3B2 system and broadcast, you also had the option of literally broadcasting and popping up a message on every single dumb terminal in the organization, which could mean thousands of them.

And you know what? This being the early nineties, the IT departments did not lock that down. And me being who I was, the first thing I did, sitting in front, just looking at output on the command line and looking for all the commands, and I found the broadcast one, and testing it, I was like, holy crap, it's not locked down.

And so I would use it to just absolutely frustrate the crap out of people. Like, I'd mess with a buddy. I'd be like, hey, Gary, you fat bastard, get back to work, and he would think that the IT department was doing it. No, I was doing it to him from, like, two desks down.

I remember one day I did that, and he was ready to go up there and just absolutely pound the crap out of the IT guys. And I had to calm him down before he went up there and got into this fight. I was at least bright enough to never use the full-on broadcast function, because it's like, I can mess with my buddies and get away with it, but I'm not going to be the one who brings it to the command's attention that the broadcast-all functionality wasn't locked down. Let somebody else do that.

Ben says: I was writing to ask if it seems like a feasible idea to use a ZFS dataset as a git for data. Obviously, some extra tooling would need to be written, but generally it strikes me that ZFS already supports the concepts of commits (snapshots), forks (mount a snapshot and start working off it), and push/pull (zfs send for that ZFS dataset), and could potentially save quite a bit of space compared to other version control systems for data I've come across, typically blobs written to a cloud service somewhere. Generally speaking, does this seem like a reasonable concept?

I don't think I agree with calling commits basically the same thing as snapshots. But aside from that, yeah, it's quite reasonable. It actually would not be that hard to patch git itself to directly use ZFS to save space and add reliability and use all of those same features that you're talking about. As far as just building something git-like for data, yeah, whether or not you even need the extra tooling kind of is up to what your users are capable of and expect. ZFS is basically already there.

Yeah, there are some places where it might not actually be as good as git, partly that, you know, when you have a delta, you're thinking, yes, ZFS is going to send the delta, that's great. But the delta granularity in ZFS is going to be the record size.

So even if you shrink it down to something like 4K, which will have some undesirable side effects, that's still a whole 4K you have to modify, whereas git, with its delta compression, would only be, like, if you change a line, it's only going to send the old line and the new line, kind of thing. But yes, especially for things where you're storing big binary blobs, like if you're a company that makes video games and you have a lot of textures and images and huge files that you don't want in git, you use something like, I think it's called Git LFS or whatever, as an add-on to git to manage those huge files.

Then, yes, ZFS could be really interesting. Like Jim, I would use different bits of ZFS for your analogies. Like, a commit is a bit more like a transaction, although I see your point about you want a snapshot between each commit so that you have that as a stable point. And a fork I would consider more a ZFS clone, because, like, a fork is a version of this thing that you can change, and you've now got two different trees. But in general, yes, it could be quite interesting, and that would mean, likely, for big image files, it would be better, faster, and possibly, uh, use less bandwidth for syncing to the remote. But ZFS also is not going to be fun if you're trying to have multiple writers, unless, like, you just make people merge before they do it, but that's really hard to do with binary files, as opposed to source code, right? You can just rebase your patch like you do with git when someone else has already pushed something newer to the branch than your local copy. If it's graphic files and Photoshop, and someone else has changed the files and then the other person checks theirs in, when you go to merge yours, you are going to have fun.

But you would have that with a binary file even with a regular source control. So it could be done. I know I did look at doing something like that back when FreeBSD still used, uh, Subversion for version control. I was actually checking out a revision, making a snapshot, and then walking revisions forward.

So I would have a snapshot at, like, all the different revision numbers, and I could quickly switch to a specific revision instead of having to, you know, have git or SVN walk through the tree and, like, modify every file to be how it looked at that revision, having access to all those quickly, or being able to easily send the difference between a whole bunch. But I never did it, because I didn't actually have much of a use case for it other than, hey, that's cool, I can build that with ZFS. But it sounds like kind of the same idea has occurred to you.

Okay, this episode is sponsored by Automox. Are you prepared for whatever shitstorm may hit your desk during the workday? Automox has your back.

Check out the brand-new Autonomous IT podcast. Listen in as various IT experts discuss the latest Patch Tuesday releases, mitigation tips, and custom automations to help with CVE remediation. Make new work friends. Listen now to the Autonomous IT podcast on Spotify, Apple, or wherever you get podcasts. Let's do some free consulting, then. But first, just a quick thank you to everyone who supports us with PayPal and Patreon. We really do appreciate that. If you want to join those people, you can go to 2.5admins.com/support, and remember that at the various amounts on Patreon, you can get an advert-free RSS feed of either just this show or all the shows in the Late Night Linux family. And if you want to send in any questions for Jim and Allan, or your feedback, email show@2.5admins.com.

I have my own domain and host the DNS records with a popular cloud provider with DNSSEC enabled. I would like to migrate to my own authoritative server. I've only used BIND a few times. I was thinking about what are some key points and gotchas for public presentation? For example, glue records, secondaries, AXFR, rate limiting, DNS amplification attacks, DNSSEC management, etc.

So the biggest thing with hosting your own authoritative servers is that you do need more than one, but you can also either use probably that same cloud provider, or I would recommend a service like DNS Made Easy, to run the secondaries for you if you're going to be hosting your own authoritative DNS server. I think the first thing to decide is if your primary authoritative server will be public or hidden.

So one of the ways you architect DNS is you can actually have the authoritative server that defines, you know, what these records are, actually not exposed to everyone, not listed in the WHOIS or the glue records and so on, but instead have all the secondaries there, and they pull from the hidden one, and that can help protect from denial of service attacks and other things, especially if you're going to have that authoritative server on smaller infrastructure, not necessarily the bigger stuff you'd run for public things. So glue records, to explain what that is for people that don't know: normally, the way you define which servers contain the DNS information for the domain is that at your registrar, you enter those DNS records, and those basically go in the WHOIS and get put into the root TLD record. So the big database of what is .com knows your domain, and then this list of name servers of where we look that up. But you can have this recursion problem if the name server for mercenarysysadmin.com is, you know, ns1.mercenarysysadmin.com. You have this chicken-and-egg problem where you can't look up the IP address of the DNS server until you ask the DNS server whose IP address you're trying to look up.

And so a glue record is basically a hint you can have the registrar contain in the database that says, and the IP address for ns1.mercenarysysadmin.com is this IP address, to let you kind of bootstrap and get that first query going. So if the authoritative name servers for your domain are inside your domain, then you have to have a glue record to kind of bootstrap the process. I would say, ultimately, like, you must have glue records for any name server that's going to be listed in, you know, any domain registry, and where it's put in is generally going to be in the domain that that particular name server is hosted under. So, like, in Allan's example, if mercenarysysadmin.com were hosted with DNS servers ns1 and ns2.mercenarysysadmin.com, then inside that zone is where the glue record would be for those two name servers.

Well, it'd be inside the registrar record, not the zone.

Inside the registrar's record, not, like, the zone that runs on your own local BIND. But even if your name servers are somewhere else, for example, Allan's actual name servers for mercenarysysadmin.com, they're going to be ns1 and ns2 dot jerious dash dot net, so you don't have a glue record present there. Like, and I'll tell you for free, I'm using Namecheap as my registrar. If you log into my account at Namecheap, you're not going to see the glue for ns1 and ns2 dot jerious dash dot net in the entry for mercenarysysadmin.com. But if you hop over to the entry for jerious dash dot net, you'll see the glue there. Because ultimately, just basically whenever you use a name server as the authoritative name server for a domain, then the registrar has to have a glue record for it. Plain example. Yeah.

And that's because of the workings of the data of DNS and how you basically prevent the dependency loops. The next thing that I was asked about was secondaries and AXFR. So this is, only one DNS server is going to have the authoritative zone file, right? The BIND configuration or the NSD file defines, you know, triple-w over here, mail servers over here. These are the records. And then all the secondaries are going to connect to that primary and do a DNS command called an AXFR, where we say, you know, give me all the records for this domain.

Normally your primary name servers should restrict who can do that. So you have basically an allow list of IP addresses that are allowed to issue this give-me-all-the-records-in-your-database query, and the secondaries will do this on a regular basis. The timing is controlled by the SOA, or Start of Authority, record.

And it tells the secondaries how often to come and check, and if they can't check for so many days in a row, they will delete the records and stop giving out that information, so that things will break and somebody will fix it. But yeah, you do want to make sure that that's limited to just the secondaries. So whether those secondaries are other servers you decide to run yourself, you know, if you're going to use, uh, a cheap VPS provider to run a couple of different name servers, or if you contract that out to a DNS hosting company like DNS Made Easy or somebody, then they will host the secondary, and then the IPs of those secondaries will have to be on the allow list of your BIND or NSD config, so that only those people can download every DNS record in your zone.

This is important for a few reasons. One is that, you know, for larger zones especially, asking for every single record can be a significant amount of bandwidth beyond what that name server is normally used to supplying, because there could potentially be thousands of records you get when you ask for one zone transfer. The other thing is there's a little bit of security through obscurity.

And there the idea is that, for example, let's say you own joerea.com and you happen to have a private server, luckyjpegs.joerea.com. But you don't want just anybody who knows that joerea.com exists to be able to ask for every single hostname and subdomain associated and find your lucky JPEG server. Limiting who is allowed to do a zone transfer, that's what gives you that small security through obscurity. It makes it a lot harder for somebody to just immediately map out your entire network looking for things to attack.

So the next thing I thought of was rate limiting. If it's the authoritative name server, effectively, they can't really do much rate limiting, because you're the authoritative name server; you have to answer the questions about it. And in general, those questions will not be coming from individual end users. They should be coming from those end users' DNS servers, whether that's their Pi-hole over there, their ISP's name server, or one of the big public name servers like Google or Cloudflare, and so in general it's not a machine you'd do rate limiting on.

I would disagree about not being able to implement rate limiting. I mean, you should have a pretty good idea of what level of traffic your domain is going to hit. And if this is like a personal blog, you can absolutely rate limit the number of requests that your server is allowed to service. Now, Google might not be able to do that, because they need to be able to service every request in the world coming in all the time.

But if your blog has an audience in the thousands and your zone file has a time to live of a day, well, you're probably not really gonna serve that many DNS requests directly, because the way this works is not every time somebody wants to go to yourblog.com, they ask your name server how to get there. Every time somebody at ISP A wants to get to yourblog.com, they ask their ISP's DNS server, which asks your DNS server, and then caches the result before handing it to that person, and the next person at the same ISP that wants to go to yourblog.com, they don't ask your DNS server, because their own DNS server still has the answer on how to get there. So in my opinion, yes, you absolutely can implement rate limiting.

You just need to have a fairly good idea of what the expected volume is. One of the better ways to do that is go ahead and implement it without the rate limiting, watch it for a couple of weeks, figure out what your levels are, and plan around that.

Build yourself in a fudge factor. Maybe think about if you're planning to do something that might suddenly dramatically increase that traffic, because, like, now there's some big public event or whatever that generates a huge spike of interest from people who aren't normally visiting your site; maybe you think about relaxing it. But implementing those reasonable rate limits helps keep your server from being used for DNS amplification attacks.

Although in general, the problem with rate limiting is, if not implemented correctly, it could result in basically a second-order denial of service attack, where the bad guy can exhaust the rate limit, meaning now legitimate people can't look up your domain anymore. DNS amplification attacks are less of an issue with authoritative name servers than they are with recursive name servers.

So things like the Pi-hole or Google's public DNS that are designed to answer any question that comes in are much more susceptible to DNS amplification attacks, because they are going to be getting questions, and really any questions, from other places. Whereas an authoritative server only ever has to answer questions about the domain it controls, and so those records generally aren't ever going to be so big. Whereas the recursive server, and especially if you run a Pi-hole that accidentally isn't restricted to only answer questions from your LAN, somebody could purposely ask you to look up something from a domain they control that is really big, and just have it send the answer to the wrong person with a spoofed packet.

Although, again, I'm going to push back here. You can absolutely use authoritative servers for this. And one of the easier ways to do so, I mean, if you know where the server is, you probably know what domain it's authoritative for. And one of the easier things to do is just dig for a TXT record of that domain. Odds are pretty good you're going to get some fairly beefy ones there that may not be as huge as, you know, some of the special ones, like, "oh my god, look at this ridiculous TXT record I found on this one domain out there on the internet somewhere." However, you can very easily come up with a TXT record that's intended, you know, like for authenticating to allow Office 365 or Google to manage email for the domain, or what have you.

Or even just the SPF record for the email.

Exactly that. For every query, the answer will still be several times the size that you would normally expect for a regular DNS query response. And so it may not be the most perfect possible record for an amplification attack, but it works. Hell yeah. Well, and these days, the way most people are using these DNS amplification attacks is they're not just, like, finding one server and doing the one thing there.

They build a giant pool of attackable servers and they hit all of them at once. So your server is either part of that list or it isn't. And I don't think it makes sense to think that because your server isn't the perfect one, the most useful for the attack, that nobody's going to use it.

That's where the rate limiting can come in. If you can make sure that the requests that appear to be coming from a certain IP address are rate limited, it means that your responses to an IP address, even if the incoming ones are spoofed, can be limited as well.

Keep in mind, you can also do rate limiting per IP address, which, you know, that's not necessarily going to do a whole lot if you've got a massively distributed denial of service attack, where you're not just talking about distributed in terms of how many name servers are being used for the amplification, but also distributed in terms of the source of the initial packets that go to the servers to be amplified to hit the actual targets.

Now, if you're rate limiting per IP, it may not do everything to protect you from one of these clouds, these botnets, using you as part of the attack. However, it will knock out a lot of them, and you can implement that even directly at the firewall level. It doesn't necessarily need to be something you configure within BIND itself. And the odds that somebody needs to make fifty queries a second from a single IP address to your authoritative name server are pretty freaking low, right?

Well, we'd better get out of here then. Remember, show@2.5admins.com if you want to send any questions or feedback. You can find me at joeress.com/mastodon.

You can find me at mercenarysysadmin.com.

And I'm @allanjude.

See you next week.