Project Titan by Verisign

A huge project is now taking place globally: Project Titan by Verisign.
Project Titan is to expand the critical infrastructure both in scale and location globally, and to invest in engineering, monitoring, and new proprietary security systems and processes to manage Internet traffic.

By 2010 VeriSign will increase its daily DNS query capacity tenfold from 400 billion queries a day currently to 4 trillion queries a day. It will also scale its proprietary systems to increase its bandwidth capacity ten times from more than 20 gigabits per second (Gbps) to greater than 200 Gbps. By distributing its infrastructure, the .com and .net systems will have greater redundancy and reduced latency, which will improve the experience for users by reducing bottlenecks and increasing speed. The state-of-the-art engineering enhancements to the system will create increased capability to track and correlate security and network related events on a global basis.


DNS zone transfer risk

With 7 years of experience in DNS, I always think that I am capable of configuring DNS servers and zone records with high security protection. On the security side, what I have done to the servers and zone records under my administration includes removing the BIND version number; a proper hostname for reverse IP lookup; only allowing recursion for trusted IP addresses; and disallowing logging of lame servers, which might generate huge logs. Today, on a random security check, I discovered that I had not banned arbitrary zone transfers. An attacker can use nslookup, set the server to my IP and then initiate "ls -d xxx.com" to see all the records. The bad guy of course knows very well that xxx.com is hosted at my IP address.

This is really a great risk. I have to plug the hole by changing the config file. I have written this down in my security handbook to remind myself not to make the same mistake again.
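The fix the post refers to is the allow-transfer ACL in named.conf. The following is an added example, not the author's configuration: a small audit that parses a constructed named.conf, applies BIND's rule that a missing allow-transfer means transfers are open to anyone (a zone-level ACL overrides the global one in options), and lists the zones that still allow arbitrary transfers.

```python
import re

# Constructed sample named.conf (not from the original post). example.com has no allow-transfer
# anywhere, so BIND's default (transfer to anyone) applies; example.net restricts transfers.
SAMPLE_NAMED_CONF = """
options {
    version "not disclosed";
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

zone "example.net" {
    type master;
    file "example.net.zone";
    allow-transfer { 192.0.2.53; 2001:db8::53; };
};
"""

_BLOCK_RE = re.compile(r'(?ms)^\s*(options|zone\s+"([^"]+)")\s*\{(.*?)^\s*\};')
_XFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')

def parse_allow_transfer(body):
    """Return the allow-transfer ACL entries in a block body, or None if absent."""
    m = _XFER_RE.search(body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(';') if e.strip()]

def audit_zone_transfers(conf_text):
    """Map each zone to its effective allow-transfer ACL (None means unrestricted)."""
    global_acl, zones = None, {}
    for m in _BLOCK_RE.finditer(conf_text):
        kind, name, body = m.group(1), m.group(2), m.group(3)
        if kind == 'options':
            global_acl = parse_allow_transfer(body)
        else:
            zones[name] = parse_allow_transfer(body)
    return {n: (acl if acl is not None else global_acl) for n, acl in zones.items()}

def unrestricted_zones(conf_text):
    """Zones any host may transfer: no ACL at all, or an ACL containing 'any'."""
    return sorted(n for n, acl in audit_zone_transfers(conf_text).items()
                  if acl is None or any(e.lower() == 'any' for e in acl))

if __name__ == '__main__':
    for z in unrestricted_zones(SAMPLE_NAMED_CONF):
        print(f'zone {z}: zone transfer is not restricted')
```

Adding `allow-transfer { none; };` under `options` (or a secondary-only list per zone) is what turns the example.com finding green.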


Facebook Blocking

Today, I blocked a person who tried to tag me as a Facebook friend. That guy uses Facebook as a marketing tool to promote his company's products. He arbitrarily picked usernames and attempted to tag them. What a shame on him!

The guy also made a lot of mistakes on Facebook. First, he does not have a profile picture. How could people recognize him? Second, he does not have any photo album. If people are interested in him, they would like to see his family photos or his photos at work. They want to know what lifestyle he has.

I only add Facebook friends in 5 categories:

1. members of the IT sector
2. members of the information security field
3. people in the telecom field
4. gym friends
5. past colleagues who have left me


Ngong Ping 360 fibre-optic cable damaged

Yesterday's heavy rain damaged the Ngong Ping 360 fibre-optic cable, disrupting the signal transmission for cable car operations, so the service has to be suspended for several days.

I cannot help wondering why no backup fibre-optic cable was installed to cope with emergencies when the Ngong Ping 360 cable car system was built. A backup fibre-optic cable must run along a different route, so that the working and standby cables are not damaged at the same time. It seems the Ngong Ping 360 management urgently needs to mend the pen now that the sheep have been lost.


Celebrating the 25th anniversary of DNS

DNS, the distributed architecture for resolving an Internet domain name to an IP address, was invented 25 years ago. I would say DNS is the most important application ever built on the Internet. Without it, web browsing, sending email, online chat, MSN, etc. would all fail.

Today, DNS serves more than just looking up IP addresses for domain names. There are other sophisticated functions served by DNS:

1. Routing mail by means of MX records
2. Backing up email delivery by way of preference level in MX records
3. Suppressing spam by way of Sender Policy Framework and DomainKeys
4. Suppressing spam by way of reverse IP lookup
5. Load balancing and server distributions by way of DNS round robin
6. Supporting VOIP by way of ENUM

Any more? There should be some more…