I brought this up a few months back. For me, it is getting worse, and I am not able to come up with a solution.

I have many clients who reg domains. They all point to my NS. Sometimes, the client lapses hosting with me, and I delete the zones. They usually leave the domain reg'd and my NS's listed.

I also have other clients who register thousands of domains, some get used, some do not. In the end, I am listed as an NS. Going back to clients and asking them to delete the NS from their registrar; it just is not going to happen. I do not always know, so to add a zone cannot happen, and even then, I have to add a wildcard for them all to resolve them.

I have heard varying levels of disapproval for wildcards to solve this as well.

The problem is with openDNS, which grows every day. If one uses them as a rr, when someone requests a domain that is not set up, openDNS will make around 50 requests for that domain. Then the browser will inject www. to the domain, and it asks for another 50. Add in spam for MX's and any number of other requests, and I have, on average, 40 queries per second.

Where it gets really bad is a heavily used domain that the client lets go, where there are img src links in a forum, which can get popular on occasion.

I have tested this with my own NS, as the rr, and it makes 2 or 3 queries, sees there is no zone, and goes away. OpenDNS *never* caches the result, and happily goes about this all day long.

My first question is, I assume they are ignoring some TTL, and in doing so, are they in violation of any standard in this regard?

Second would be, is this exploitable as I think it is? In that, one could enter any NS they want into their registrar, and create a situation in which openDNS is used as a way to attack that NS.

Is there any way for me to locally block this act? I do not think there is, aside from blocking openDNS, which would have negative repercussions since they are used by so many people. Looking for automated blocking, not to sit on my logs all day long.

For what it is worth, I did email them, first email was ignored, second email was not understood and they told me they did not support grep, which I was simply using to extract the number of lines in my log to show them the issue. My reply to that, was ignored as well.

To be honest, if I wanted to make named behave this way, I would not even know how to do so, I would certainly have to take effort to try.

This represents the last 4 hours of my query log, for one domain that is not even the best example. I have my logs set to 10M, and this case already caused a roll of the logs in only 4 hours:
grep -i 'juliansummerhill.com' query.log | wc -l
    1289

Thanks for any pointers and education on this issue.
--
Scott

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
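The post asks for an automated way to spot the traffic rather than reading logs by hand. The following is an added example, not code from the post or from ISC: it reads BIND 9 style query-log lines, groups them by the name being asked for (collapsing the leading "www." that the browser retries with), and reports names that fall under no zone this server is configured for yet still draw many queries. That list is what an operator would review before deciding on an empty zone, a response-rate limit, or a refusal for those names. The log-line shape is assumed from the BIND 9 `queries` channel format; the log lines and zone list are constructed.

```python
"""Summarise BIND query-log traffic for names that no configured zone serves.

Added example (not from the mailing-list post or from ISC): parses BIND 9
style query log lines, groups them by the domain asked for (a leading "www."
is folded into the bare name so the browser retry counts against the same
domain), and lists names outside every configured zone that still receive
many queries. Sample log lines and zone list below are constructed.
"""
import re
from collections import defaultdict

# Assumed BIND 9 query-log shape:
#   "<date> <time> client <ip>#<port>: query: <qname> IN <qtype> ..."
# The timestamp is optional because syslog-routed channels add their own.
QUERY_RE = re.compile(
    r"(?:^\S+ \S+ )?client (?P<client>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"(?:view \S+: )?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return (client_ip, qname, qtype) or None if the line is not a query record."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def registered_name(qname, zones):
    """Map a qname to the configured zone that covers it, or None if no zone does."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def base_name(qname):
    """Fold the 'www.' a browser prepends on retry into the bare domain name."""
    return qname[4:] if qname.startswith("www.") else qname


def unserved_hot_names(lines, zones, min_queries):
    """Return [(name, query_count, distinct_clients, distinct_qtypes)] for names
    with no configured zone that received at least min_queries queries, busiest first."""
    stats = defaultdict(lambda: {"count": 0, "clients": set(), "qtypes": set()})
    for line in lines:
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        client, qname, qtype = parsed
        if registered_name(qname, zones) is not None:
            continue  # a zone we host: answering these is legitimate work
        entry = stats[base_name(qname)]
        entry["count"] += 1
        entry["clients"].add(client)
        entry["qtypes"].add(qtype)
    rows = [(name, s["count"], len(s["clients"]), len(s["qtypes"]))
            for name, s in stats.items() if s["count"] >= min_queries]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample: two zones we host, one lapsed domain still delegated to us.
CONFIGURED_ZONES = {"example.net", "hosted-example.org"}
SAMPLE_LOG = [
    "29-Jun-2010 14:03:22.101 client 203.0.113.10#53011: query: example.net IN A + (10.0.0.2)",
    "29-Jun-2010 14:03:22.102 client 203.0.113.10#53012: query: lapsed-example.com IN A + (10.0.0.2)",
    "29-Jun-2010 14:03:22.103 client 203.0.113.10#53013: query: www.lapsed-example.com IN A + (10.0.0.2)",
    "29-Jun-2010 14:03:22.104 client 203.0.113.11#53014: query: lapsed-example.com IN MX + (10.0.0.2)",
    "29-Jun-2010 14:03:22.105 client 203.0.113.11#53015: query: lapsed-example.com IN AAAA + (10.0.0.2)",
    "29-Jun-2010 14:03:22.106 client 203.0.113.11#53016: query: mail.hosted-example.org IN A + (10.0.0.2)",
    "29-Jun-2010 14:03:22.107 client 203.0.113.12#53017: query: other-example.com IN A + (10.0.0.2)",
    "29-Jun-2010 14:03:22.108 lame-servers: info: unexpected RCODE",  # not a query record, skipped
]

if __name__ == "__main__":
    for name, count, clients, qtypes in unserved_hot_names(SAMPLE_LOG, CONFIGURED_ZONES, 3):
        print(f"{name}: {count} queries from {clients} clients, {qtypes} query types")
```

Run against a real query log with `unserved_hot_names(open("query.log"), zones, threshold)`, where `zones` is the set of zone names from named.conf; the per-name client and query-type counts distinguish a single resolver hammering one name (the pattern described above) from broad, organic interest in it.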
