LinuxPlanet Casts

Media from the Linux Moguls

Archive for the ‘openDNS’ Category

The Techie Geek – Episode 97 – Show Notes

Email Russ at russ AT thetechiegeek DOT com
Email Tracy at tracy AT thetechiegeek DOT com
Leave us a voice mail at 1-206-339-1575
helps your un-needed Linux box find a needy home

NorthEast GNU/Linux Fest
Ohio Linux Fest
ipconfig /all
Google DNS servers and
OpenDNS DNS servers and
DD-WRT Linux based firmware for routers
OpenDNS Anti-Censorship Policy
OpenDNS DNSCrypt for Linux
D7 is a tool for PC technicians to aid in many tasks
Intel distributes LibreOffice
Boxee gets MVP on Superbowl Sunday
Unix/Linux Command Reference
Sending Texts from Email:
AT&T –
Verizon –
T-Mobile –
Sprint PCS –
Virgin Mobile –
US Cellular –
Nextel –
Boost –
Alltel –
Google Talk
“Failed to retrieve share list from server” error when browsing a share with Nautilus
Cinnamon Linux Desktop
Pear Linux free 50GB for life
You need a budget
WordGrinder: Good, Old-Fashioned Text Editing Power
AbiWord is a free word processing program
VA could give MS Office the boot
Ubuntu: An Absolute Beginners Guide
Meet Ubuntu for Android: The Next Step in Ubuntu’s Multi-Device Plan
How to install Microsoft Office 2010 on Linux with Wine
SELF Videos
2010 OLF Talks, still waiting for 2011 talks
VLC is a free and open source cross-platform multimedia player
Canonical remixes Ubuntu for business
Hidden Bookshelf Light Switch
We can do no Moore: a transistor from a single atom
Make an iPad or Kindle case from an old book and sugru
Blazonary Tutorials and Stuff
Cavalry 2 Bay eSATA + USB 2.0 RAID External Enclosure

Check out these great podcast sites: and

Written by Russ Wenner

February 29th, 2012 at 5:26 am

Smarter Google DNS | TechSNAP 21

Google and openDNS join forces to improve the speed of your downloads, find out what they are doing and how it works!

Plus gmail suffered another man in the middle attack, and gets some egg on their face!

All that and more, on this week’s episode of TechSNAP!

Direct Download Links:

HD Video | Large Video | Mobile Video | WebM Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:

Show Notes:

Another SSL Certificate Authority Compromised, MitM Attack on Gmail

  • Sometime before July 10th, the Dutch Certificate Authority DigiNotar was compromised and the attackers were able to issue a number (apparently as many as 200) of fraudulent certificates, including a wildcard certificate for * The attack was only detected by DigiNotar on July 19th. DigiNotar revoked the certificates, and an external security audit determined that all invalid certificates had been revoked. However, it seems that probably the most important certificate, the * wildcard, was in fact not revoked. This raises serious questions and seems to point to a cover-up by DigiNotar. Detailed Article Additional Article
  • Newer versions of Chrome were not affected, because Google specifically listed the small subset of CAs that would ever be allowed to issue a certificate for Gmail. This also prevents self-signed certificates, which some users fall for regardless of the giant scary browser warning. Chrome Security Notes for June
  • Mozilla and the other browser vendors have taken more direct action than they did with the Comodo compromise: all major browsers have entirely removed the DigiNotar root certificate from their trust lists. With the Comodo compromise, the affected certificates were blacklisted, but the rest of the Comodo CA was left untouched. One wonders if this was done as a strong signal to all CAs that they must take security more seriously, or if DigiNotar was in fact cooperating with the Iranian government in its efforts to launch MitM attacks on its citizens. Mozilla Security Blog
  • Part of the issue is that some of the certificates issued were for the browser manufacturers themselves (such as Mozilla). With a fake certificate for Mozilla, a MitM attacker could block updates to your browser, or worse, feed you a spyware-laden version of the browser.
  • Press Release from Parent Company VASCO
  • Pastebin of the fraudulent Certificate
  • Allan’s blog post about the previous CA compromise, and more detail than can fit even in an episode of TechSNAP
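The per-site CA restriction described above (a valid chain from a trusted but unlisted CA is still rejected) as an added example; this is not code from the episode or from Chrome, and the hostnames, CA names and SPKI bytes are constructed stand-ins for the DigiNotar case:

```python
import hashlib

# Constructed model of a certificate: subject, issuer and the DER bytes of its
# SubjectPublicKeyInfo (SPKI). Signature verification against the trust store
# is assumed to have already passed; the pin check is a layer on top of it.
PINNED_CA_SPKI = b"constructed SPKI of the one CA allowed to issue for the site"
UNPINNED_CA_SPKI = b"constructed SPKI of another CA in the browser trust store"


def spki_hash(spki_der):
    """Pins are SHA-256 hashes of the SPKI, so they survive certificate renewal."""
    return hashlib.sha256(spki_der).hexdigest()


# Assumed pin table, keyed by hostname (constructed; browsers ship their own).
PINS = {"mail.example.com": {spki_hash(PINNED_CA_SPKI)}}


def name_matches(host, subject):
    """Exact match, or a single-label wildcard such as '*.example.com'."""
    if subject.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == subject[2:]
    return host == subject


def chain_links(chain):
    """Leaf first: every cert's issuer must name the next cert's subject."""
    return all(chain[i]["issuer"] == chain[i + 1]["subject"]
               for i in range(len(chain) - 1))


def accept(host, chain, pins=PINS):
    """True only if the chain is coherent, the leaf covers `host`, and, where a
    pin exists for `host`, some certificate in the chain carries a pinned SPKI.
    A validly signed chain from an unpinned CA is rejected."""
    if not chain or not chain_links(chain) or not name_matches(host, chain[0]["subject"]):
        return False
    if host not in pins:
        return True  # no pin policy: ordinary trust-store validation decides
    return any(spki_hash(cert["spki"]) in pins[host] for cert in chain)


# Constructed chains: same leaf name, different issuing CA.
GOOD_CHAIN = [
    {"subject": "*.example.com", "issuer": "Pinned CA", "spki": b"leaf key A"},
    {"subject": "Pinned CA", "issuer": "Pinned CA", "spki": PINNED_CA_SPKI},
]
ROGUE_CHAIN = [
    {"subject": "*.example.com", "issuer": "Other CA", "spki": b"leaf key B"},
    {"subject": "Other CA", "issuer": "Other CA", "spki": UNPINNED_CA_SPKI},
]
```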

    GoogleDNS and OpenDNS launch ‘A Faster Internet’

  • The site promoted a DNS protocol extension called edns-client-subnet that would have the recursive DNS server pass along the IP subnet (not the full IP, for privacy) of the requesting client, so that the authoritative DNS server can make a better geo-targeting decision.
  • A number of large content distributors and CDNs rely on GeoIP lookups at DNS resolution time to direct users to the nearest (and, as such, usually fastest) server. However, this approach is defeated when a large portion of users use GoogleDNS or OpenDNS, because the authoritative server then sees all of those requests coming from the resolver's IP range rather than the user's. As this extension takes hold, it should make it possible for the authoritative DNS servers to target the user rather than the recursive DNS server, resulting in more accurate results.
  • Internet Engineering Task Force Draft Specification
  • This problem has already been affecting users: many users of services such as iTunes have complained of much slower download speeds when using Google or Open DNS. This was a result of being sent to a far-away node, and that node getting a disproportionate share of the total load. Now that this DNS extension has started to come online and is backed by a number of major CDNs, it should alleviate the problem.
  • ScaleEngine is in the process of implementing this, and already has some test EDNS-enabled authoritative name servers online.
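The client-subnet option described above, encoded as the recursive resolver would send it and parsed as the authoritative server would receive it, as an added example (not code from the episode, from Google or from OpenDNS). It follows the wire format of the later RFC 7871 and, in the decoder, rejects options whose address bytes carry more of the client address than the stated prefix length, the privacy property the story relies on; the option code, field layout and sample addresses are assumptions:

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS0 option code for Client Subnet (RFC 7871)

def encode_ecs(client_ip, source_prefix, scope_prefix=0):
    """Build the ECS option a recursive resolver adds to its upstream query.
    Only the first `source_prefix` bits of the client address are sent: host
    bits are zeroed and trailing zero octets dropped, which is where the
    privacy property of the extension comes from."""
    addr = ipaddress.ip_address(client_ip)
    family, max_bits = (1, 32) if addr.version == 4 else (2, 128)
    if not 0 <= source_prefix <= max_bits:
        raise ValueError("prefix length out of range")
    net = ipaddress.ip_network((addr, source_prefix), strict=False)
    addr_bytes = net.network_address.packed[:(source_prefix + 7) // 8]
    body = struct.pack("!HBB", family, source_prefix, scope_prefix) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body

def decode_ecs(option):
    """Parse an ECS option as the authoritative server would, returning
    (client_network, scope_prefix). Raises ValueError on malformed lengths or
    on host bits that leak more of the address than the stated prefix."""
    if len(option) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", option[4:8])
    if family not in (1, 2):
        raise ValueError("unknown address family")
    addr_len = 4 if family == 1 else 16
    raw = option[8:]
    if len(raw) != (source + 7) // 8 or len(raw) > addr_len:
        raise ValueError("address length does not match prefix length")
    addr = ipaddress.ip_address(raw + b"\x00" * (addr_len - len(raw)))
    net = ipaddress.ip_network((addr, source), strict=False)
    if net.network_address != addr:
        raise ValueError("non-zero host bits leak more than the stated prefix")
    return net, scope

def ecs_is_valid(option):
    """Convenience check for options captured from resolver traffic."""
    try:
        decode_ecs(option)
        return True
    except ValueError:
        return False
```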
    * Compromised

  • Attackers were able to compromise a number of machines
  • Attackers appear to have compromised a single user account, and then through unknown means, gained root access.
  • Attackers replaced the running OpenSSH server with a trojaned version, likely leaking the credentials of users who authenticated against it.
  • is working with the 448 people who have accounts there, to replace their passwords and SSH keys.
  • The attack was only discovered due to an extraneous error message about /dev/mem
  • Additional Article


Q: (DreamsVoid) I have a server setup, and I am wondering what it would take to setup a backup server, that would automatically take over if the first server were to go down. What are some of the ways I could accomplish this?

A: This is a rather lengthy answer, so I have broken it apart and given one possible answer each week for the last few weeks. This week's solution is Anycast. This is by far the most complicated and resource-intensive solution, but it is also the most scalable.

Standard connections on the Internet are Unicast, meaning they go from a single point to another single point (typically, from a client to a specific server). There are also Broadcast (send to all nodes in the broadcast domain, such as your local LAN) and Multicast (send to a group of subscribed peers, used extensively by routers to distribute routing table updates, but does not work on the Internet). Anycast is different from Unicast: instead of sending the packet to a specific host, the packet is sent to the nearest host (in network terms, hops, not necessarily geographic terms).

The way Anycast works is that your BGP-enabled routers announce a route to your subnet to the Internet from each of your different locations, and the other routers on the Internet update their routing tables with the route to the location that is the fewest hops away. In this way, your traffic is diverted to the nearest location. If one of your locations goes down and the other routers stop getting updates from the downed router, they automatically change their route to the next nearest location. If you want only failover, and not to distribute traffic geographically, you can have the routers at the backup location prepend their own AS number to their route a sufficient number of times to make the backup location always more hops than the main location, so it is only used if the main is down.

There are some caveats with this solution. The first is that TCP packets were never meant to be randomly redirected to another location: if a route change happens in the middle of an active session, that session will not exist at the second location, and the connection will be dropped. This makes Anycast unsuitable for long-lived connections, as routes on the Internet change constantly, routing around faults and congestion. Connections also cannot be made outbound from an Anycast IP, as the route back may end up going to a different server, so a response would never be received; servers therefore require a regular Unicast address in addition to the Anycast address.

A common solution to overcome the limitations of Anycast is to do DNS (which is primarily UDP) via Anycast, and have each location serve a different version of the authoritative zone containing the local IP address of the web server. This way users are routed to the nearest DNS server, which then returns the regular IP of the web server at the same location (this solution suffers from the same problems mentioned above in the Google DNS story).

Another limitation is that, due to the size of the address space on the Internet, most providers will not accept a route for a subnet smaller than a /24, meaning that an entire 256-address subnet must be dedicated to Anycast, and your servers will each require a regular address in a normal subnet. Announcing routes to the Internet also requires your own Autonomous System number, which is only granted to largish providers, or an ISP willing to announce your subnet on their AS number, but this requires a Letter of Authorization from the owner of the IP block.
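The failover-only variant described in the answer (the backup site prepends its AS number until it always loses to the primary, and wins only once the primary is withdrawn), worked through as an added example; this is not code from the episode, and the simplified shortest-AS_PATH selection, the ASNs and the two vantage points are constructed assumptions:

```python
import ipaddress

OUR_AS = 64496  # documentation ASN (RFC 5398) standing in for the anycast operator

def bgp_best(candidates):
    """Simplified BGP best-path selection: shortest AS_PATH wins, ties broken
    by the lowest neighbouring AS. `candidates` maps site -> AS_PATH as seen
    from one remote router (first element is that router's neighbour)."""
    if not candidates:
        return None
    return min(candidates, key=lambda site: (len(candidates[site]), candidates[site][0]))

def prepend(as_path, count):
    """AS_PATH as the Internet sees it after the origin prepends itself `count`
    extra times (the path ends at the origin, so the copies go on the end)."""
    return as_path + [OUR_AS] * count

def prepends_for_pure_failover(views):
    """Smallest prepend count that makes the backup path strictly longer than
    the primary path at every vantage point. `views` is a list of
    (primary_path, backup_path) pairs observed from different remote routers."""
    return max(0, max(len(primary) - len(backup) + 1 for primary, backup in views))

def choose_sites(views, prepend_count, primary_up=True):
    """Which site each vantage point routes to, with the primary announcing
    normally and the backup prepending `prepend_count` times. Withdrawing the
    primary (primary_up=False) models the failover the answer describes."""
    chosen = []
    for primary, backup in views:
        candidates = {"backup": prepend(backup, prepend_count)}
        if primary_up:
            candidates["primary"] = primary
        chosen.append(bgp_best(candidates))
    return chosen

def announceable(cidr):
    """Most providers will not accept an IPv4 announcement longer than /24."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and net.prefixlen <= 24

# Constructed vantage points: one remote router close to the primary site,
# one closer to the backup site (so without prepending it would prefer backup).
VIEWS = [
    ([64500, OUR_AS], [64501, 64502, OUR_AS]),
    ([64500, 64503, OUR_AS], [64501, OUR_AS]),
]
```

Without prepending the second vantage point splits traffic to the backup; two prepends make both prefer the primary, and withdrawing the primary moves both to the backup.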



Written by chris

September 2nd, 2011 at 12:42 am

The Techie Geek – Episode 53 – Show Notes

Email me at russ AT thetechiegeek DOT com
Leave me a voice mail at 1-206-338-4483

GotoMeeting Hold your meetings online for just $49/mo. Try GoToMeeting FREE for 30 days
helps your un-needed Linux box find a needy home

Google DNS servers are at and
OpenDNS servers are at and
MyDefrag was formerly known as JKDefrag
Ars Technica, GigaOM, and Wired are great sites for Tech News
Free AVIRA won the top rating for Anti-Virus and Anti-Malware from this Ars Technica article
Untangle open source network gateway
ClearOS is an integrated software distribution that includes everything for a small IT environment
Some command line tips for ‘grep’, ‘find’, and ‘locate’ here and here
DefCon17 audio feed, slides feed, and video with slides feed
I had a great time at the Holiday Geeknic at the Pinball Parluor and The Perk
It was great to meet with Steve Cherubino and Steve D’Amico from the Nutz at Night podcast

Check out these great podcast sites: and

Written by Russ Wenner

December 13th, 2009 at 8:26 am


An overview and review of the openDNS service

You can watch the video with all the visuals, or download the audio version below:

Save 10% on any order at!

Looking for a downloadable and portable version? Subscribe to the IN DEPTH RSS Feed.

Catch videos as they are released over at our YouTube channel.

Written by

December 20th, 2008 at 10:56 am