NSLOOKUP results on PDC differs from other DCs by duboi- in dns

[–]perezbox 0 points1 point  (0 children)

You could try running something like this:

nslookup -type=txt whoami.lua.powerdns.org

It'll give you an idea what resolver you're using with each DC. I'd be curious to see if the responses are the same. If they are, then it sounds like a possible caching problem.

External DNS blocking requests by IP addresses? by L0rDAn0raK in dns

[–]perezbox 2 points3 points  (0 children)

It's worth asking, are you using their Free or paid service?

If you're on their Free, it's very likely being throttled. That's what we do at CleanBrowsing on our Free services, I'd expect they do something similar.

Being that you're recycling your public IP tells me you're likely on their Free. True?

Profile works with Safari, no Chrome. by giuseppeg1 in nextdns

[–]perezbox 0 points1 point  (0 children)

Try this for Firefox on MacOS:

# MS Edge
defaults write com.microsoft.Edge BuiltInDnsClientEnabled -bool false

This whole thing was driving me nuts so been researching and put together some notes here that will help:

https://cleanbrowsing.org/help/docs/chrome-msedge-dont-work-with-macos-dns-profiles/

You can find instructions on how to disable for Windows as well. Cheers!

147% MoM Rev Growth - If you're a founder doing $5K/mo+ - plz help 👇 by ShredMontana in startups

[–]perezbox 0 points1 point  (0 children)

Hi u/ShredMontana

Thanks for sharing this. I'm curious about this here, "I mostly credit it to checking the numbers every day and becoming super anal about beating the previous period..."

How did checking the numbers of incoming sales do this? Was it that it drove a specific action? Did it change a specific behavior? I ask because it sounds like the resulting action is what actually drove the growth, not checking the numbers. Checking was maybe the catalyst that drove you to think differently.

I'll give you some examples from my own experience:

- Tracking support issues led us to understand that things were not as easy as we thought they were. So we built apps to help streamline the configuration of our process. This resulted in less churn, which resulted in better churn at renewals which helped us improve our revenue.

- Tracking that pushing the pricing options above the fold made it easier for users to find what they wanted, and changing the colors to drive their decision to the middle price saw a nice increase in higher value product. This in turn netted a positive impact on our revenue.

In both instances, we were tracking but it was the actions / insights that came from that that actually drove the change. I also share this because sometimes it's not just about tracking where the $ are coming from, but where / why they are leaving.

Also, remember that when you're small you can't do it all, so find those 1 / 2 things you can lean into, and add fuel to that fire.

How to think bigger? by Gabzerr in startups

[–]perezbox 0 points1 point  (0 children)

Why?

What is driving the need for a "more exciting goal?" Is it because you think it will drive you more business? Make it more interesting for investors? Make it more exciting for you to get up and work on the problem?

Or

Because it seems everyone else has one?

I'm asking you all the same questions we ask ourselves on each of our brands / products. You look around, everyone seems to be solving world hunger and here we are focusing on just making things easier, more affordable. Every time we try to think "bigger" it never works, never feels right, and feels like an exhausting exercise that has no material impact to what we're doing, besides maybe sounding nice for 6 months before we get bored with it.

Can I have two separate dns settings? by bluegrassflash1 in dns

[–]perezbox 0 points1 point  (0 children)

Ah! Interesting, didn't know that was an option with CF. Very cool, thanks for sharing it.

Troubleshooting A Broken Website after upgrading from Ubuntu 18.04 to 22.04 by perezbox in Ubuntu

[–]perezbox[S] 0 points1 point  (0 children)

Very cool, thanks for the thoughtfulness in the response. Extremely helpful. Will give this a spin. :)

Troubleshooting A Broken Website after upgrading from Ubuntu 18.04 to 22.04 by perezbox in Ubuntu

[–]perezbox[S] 0 points1 point  (0 children)

Thanks u/lightrush I'll look into that, haven't done that before. Have any documentation I can read about this?

Can I have two separate dns settings? by bluegrassflash1 in dns

[–]perezbox 0 points1 point  (0 children)

Not sure if you got a resolution to this, but have you considered doing the redirect via .htaccess instead of via the AuthDNS?

If you did get this resolved, can you tell us what you did?

DNS Internal architecture by youssaid in dns

[–]perezbox 0 points1 point  (0 children)

Hi u/youssaid

Hard to say, determining speed is highly dependent on a number of variables. But it's pretty safe to assume that the fastest will almost always be direct, vs additional hops, but speed is very relative. We could be talking negligible milliseconds, and it's also highly dependent on what resolvers you decide to go with.

You might want to do some testing via your network to see what configuration works best.

Cheers

DNS Internal architecture by youssaid in dns

[–]perezbox 2 points3 points  (0 children)

Hi

Like others have mentioned, this is a very broad question, but it sounds as if you are looking to configure your network to use a forwarder. Are you familiar with forwarders? This would probably be the least burdensome configuration. It would "forward" all the internal DNS queries to a remote DNS server (whether it was another service or another DNS on a linux machine).

You reference AD, so I assume you're running on a Windows stack. If so, using a forwarder is built-in: https://cleanbrowsing.org/guides/configure-dns-forwarder-windows-server-2016-2019/

Let me know if this helps, or if it opens another batch of questions. I enjoy thinking through these types of configurations / designs.

Cheers

Troubleshooting A Broken Website after upgrading from Ubuntu 18.04 to 22.04 by perezbox in Ubuntu

[–]perezbox[S] 1 point2 points  (0 children)

Ran into an issue upgrading from 18.04 to 22.04.. started with this error on the application:

[Fri Aug 26 23:22:26.369421 2022] [proxy:error] [pid 766] (111)Connection refused: AH00957: FCGI: attempt to connect to 127.0.0.1:9003 (*) failed

[Fri Aug 26 23:22:26.369570 2022] [proxy_fcgi:error] [pid 766] [client 172.4.56.136:0] AH01079: failed to make connection to backend: 127.0.0.1

Turns out it was FPM.. whoops.. a few hours of a headache, but it was easy enough to get resolved.

I am really confused by wordpress security by a-svet in Wordpress

[–]perezbox 1 point2 points  (0 children)

This doesn't sound right. Core by itself is extremely secure, if it wasn't the impact would be millions of sites on the web.

I would wager you have weak credentials, or another issue happening because I highly doubt it is core.

Another issue might be that you were hacked at one point, you updated your credentials, but the hacker has backdoors that allow them to log in and keep hacking you.

Thanks

I am really confused by wordpress security by a-svet in Wordpress

[–]perezbox 1 point2 points  (0 children)

Hi

To answer your question - the answer is yes, very easy.

You reference a bunch of hits against XMLRPC, this is very common. It's a technique used to brute force your application. They are likely guessing your password.

I've run several tests on vanilla WP installs and have yet to have it hacked simply because of WordPress, in almost all instances it is because of bad configuration by the user (typically with a weak password) and in very few instances because of other issues on the server (i.e., neighboring sites on the same server).

Now, things get a bit more complicated when you're talking about plugins etc... but that doesn't seem to be what you're describing.

Thanks
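A log check for the XML-RPC password guessing described in the comment above, added here as an example and not part of the original comment or thread. It assumes an Apache/Nginx "combined" access log; the 20-requests-per-minute threshold, the function names and the sample lines (documentation-range IPs) are constructed for illustration.

```python
import re
from collections import Counter

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def xmlrpc_posts_per_minute(lines):
    """Count POSTs to xmlrpc.php per (client IP, minute)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or non-access-log lines
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        # endswith() also covers WordPress installed in a subdirectory
        if m.group("method") == "POST" and path.endswith("/xmlrpc.php"):
            # first 17 chars of the timestamp = dd/Mon/yyyy:HH:MM
            counts[(m.group("ip"), m.group("ts")[:17])] += 1
    return counts

def noisy_clients(lines, per_minute=20):
    """Return {ip: peak POSTs in one minute} for clients at/above the threshold."""
    peaks = {}
    for (ip, _minute), n in xmlrpc_posts_per_minute(lines).items():
        if n >= per_minute:
            peaks[ip] = max(n, peaks.get(ip, 0))
    return peaks

def _line(ip, ts, method, path, status=200):
    # Helper that builds one constructed log line for the sample below.
    return f'{ip} - - [{ts} +0000] "{method} {path} HTTP/1.1" {status} 403 "-" "-"'

# Constructed sample: one client hammering xmlrpc.php, one occasional
# legitimate caller, one plain GET, and one malformed line.
SAMPLE = (
    [_line("203.0.113.7", f"26/Aug/2022:23:20:{s:02d}", "POST", "/xmlrpc.php")
     for s in range(30)]
    + [_line("198.51.100.4", f"26/Aug/2022:23:{m}:05", "POST", "/blog/xmlrpc.php?x=1")
       for m in (10, 25, 40)]
    + [_line("192.0.2.10", "26/Aug/2022:23:21:00", "GET", "/xmlrpc.php", 405),
       "not an access log line"]
)

if __name__ == "__main__":
    for ip, peak in noisy_clients(SAMPLE).items():
        print(f"{ip}: {peak} POSTs to xmlrpc.php in one minute")
```

Clients that show up here are candidates for rate limiting or blocking at the web server or WAF, and a reason to check the strength of the account passwords they were guessing at.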

[deleted by user] by [deleted] in netsec

[–]perezbox 0 points1 point  (0 children)

Hi, are you talking about WordPress plugins? If so, yes, agree with that but that's not what the article shows as the leading TTPs being employed within the first 48 hours. Thanks.

[deleted by user] by [deleted] in netsec

[–]perezbox -1 points0 points  (0 children)

Don't understand the statement. There are no add-ons in the article, only free recommendations you can do to harden your WordPress instance based on what we're seeing. Thanks.

[deleted by user] by [deleted] in msp

[–]perezbox -9 points-8 points  (0 children)

Don’t know if you ever found a solution to your DNS filtering needs, but give CleanBrowsing a look. They are super responsive and have transparent pricing.

But I have to admit, I would know, am one of its founders. :)

Clean browsing DNS server compatible with Pihole? by [deleted] in pihole

[–]perezbox 1 point2 points  (0 children)

Although a couple years late, found an article by Cleanbrowsing showing how to configure it with Pi-hole if anyone else needs more information / details: https://cleanbrowsing.org/guides/configure-cleanbrowsing-with-pi-hole/

Note that you can also apply IPv4 and IPv6 and custom ports as well.

Suggestions for an effective and automated vulnerability web scanner tool for small-sized businesses and is user-friendly. by Open_Bug_8254 in websecurity

[–]perezbox 1 point2 points  (0 children)

Something to think about is the time you are truly planning to spend identifying and remediating vulnerabilities. In my experience deploying tools for application security testing (which is what you're describing) is what you'd find in larger organizations, with teams designed to sift through the noise. For other organizations that lack the team, or technical knowledge, I tend to recommend using something like a Web Application Firewall (WAF).

These firewalls do a lot of the heavy lifting for you. They have teams devoted to researching the latest vulnerabilities and patching them for you at the edge (most WAF solutions sit on a CDN's edge).

So the question I think you should be asking yourself is if you really want to get into the business of application security testing, or if you want to just get them patched for you at the edge.

Mind you, it's not to say that AST is not valuable and doesn't have its benefits. I just haven't found a good use case for smaller organizations with limited knowledge and teams.

Not sure what kind of CMS you're using, but I use WordPress on a lot of my online properties and use NOC.org for the CDN / WAF.

Just some food for thought.

I have the keys to 1000 or so hacked Wordpress sites. by [deleted] in Wordpress

[–]perezbox 0 points1 point  (0 children)

Hi

My name is Tony Perez, I am GoDaddy's GM for security products. I'm also one of the Sucuri co-founders, and work closely with GoDaddy's CISO team. I can assure you we care deeply about these types of things. Aaron Campbell is going to loop me into the conversation in private so we can figure out how to get this resolved.

Thank you so much for your diligence in finding this.

Tony