For business and security reasons, Karmasphere prohibits anonymous queries. Consequently, all network queries are authenticated either with IP address or username/password credentials.
IP address authentication works with every query protocol. In some cases, where you don't know the IP address of the source of a reputation query, it may be preferable to use username/password authentication.
That's when we guess who you are based on the IP address sending the query. You tell us which IP addresses you query from, and we figure that any queries from those IP addresses come from you.
IP authentication is the only form of authentication available for DNS queries. It is also supported for BQueries and XML/RPC queries.
That's when you encode your assigned username and password into the BQuery packet itself, in the "auth" field.
When a BQuery shows up with the "auth" field, we don't bother looking at the IP address.
Some client libraries and plugins use slightly different terminology. Where they say "Principal", read "username". Where they say "Credentials", read "password".
At the page called My IPs and Credentials.
The password is different from the password you use to sign in. It is a randomly generated string. When you query the system, and use username/password authentication, you want to use this string, not the password for signing in.
In a DDOS scenario, we would be unable to distinguish legitimate queries from an attack. Also, certain data sources restrict access to licensed users; authentication allows us to implement access control accordingly.
The XML/RPC interface is really just a wrapper around the BQuery interface. Use the same username and password you would use for BQuery.
DNS queries do not have room for a username/password pair. Instead, we match the source IP of your DNS query against the IP addresses you configure. If a DNS query comes from an IP address you have explicitly blessed, we honor it. If a DNS query comes from an IP address that nobody has blessed, we reject it.
Note: BQueries coming from blessed IPs are allowed to omit query credentials. But we ask that you please use a username/password even from blessed IPs.
No. You can reset it, but you cannot choose it.
For karma-publish, use the email address and password you use to log in to the website.
For performance and portabiilty reasons, BQueries send the username/password pair over the network in the clear. If those credentials are sniffed, a replay attacker could initiate new queries under your name.
If queries used the same login name and password that you use to sign in to your account on the website, an attacker would be able to access your sensitive personal information.
Some users use the same password for multiple websites. If an attacker sniffed such a password, they would potentially be able to expose even more personal information elsewhere.
With these considerations in mind, we decided that using a separate password was the wiser course.
Even a hashed password is vulnerable to brute force cracking. Also, you might wish to change your website password without having to also update all your installed clients.
TLS over UDP is not widely supported, and while TLS over TCP is a possibility, the CPU burden would reduce throughput.
When our DNS servers see a request, they look up the querying client IP in our database of approved addresses.
If the client is approved, the response will be either 127.0.0.2 or NXDOMAIN.
If the client IP does not come from one of the IP ranges you've configured, the query will return RCODE5 REFUSED. Depending on how your resolvers are set up, if you have an intermediate caching nameserver, you may see a time out, or no response at all.
This is an example of a DNS query that fails because the querying client IP is not known to the server:
20070619-10:07:04 mengwong@newyears:~% dig 4.3.2.1.karmasphere.email-sender-ip.dnsbl.karmasphere.com @query.karmasphere.com ; <<>> DiG 9.3.4 <<>> 4.3.2.1.karmasphere.email-sender-ip.dnsbl.karmasphere.com @query.karmasphere.com ; (2 servers found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 2348 ;; flags: rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; Query time: 27 msec ;; SERVER: 64.71.160.12#53(64.71.160.12) ;; WHEN: Tue Jun 19 10:07:12 2007 ;; MSG SIZE rcvd: 12
Note the @query.karmasphere.com parameter: that tells dig to query the server directly rather than going through the nameservers defined in resolv.conf.
If your queries are timing out, then the authentication is not working.
There are a number of possible reasons for this.
If you recently updated your settings, it may take some time for all of our query servers to receive the new authorized ranges. Please try again in a few minutes.
The queries may be coming from an IP address other than the one you configured. Are you using your ISP's DNS resolver? If so, queries will appear to be coming from your ISP's DNS servers, rather than your machine directly. If you're running dig, remember to add a @query.karmasphere.com to the command line so queries go directly to us. Otherwise, queries will route through the nameservers specified in resolv.conf.