On Mon, 4 Dec 2023, Damian Menscher wrote:
> have more redundancy/capacity). Based on these estimates, we haven't
> treated mitigation of small attacks as a high priority. If O(25Kpps)
> attacks are causing real problems for the community, I'd appreciate that
> feedback and some hints as to why your experience differs from the ISC BIND
> load-tests.
Thanks for your note.
Here's my problem, which I freely admit puts me way out at the tail of the
weird curve. I run abuse.net which lets you look up abuse reporting
addresses for domains. If you look up, say, bt.co.uk or mail.bt.co.uk,
it'll look the domain up in its internal database and tell you to send
reports to ab...@bt.com.
I provide lookups via a web site and a whois server, but it occurred to me
a while ago that it'd be much faster for everyone if I made a stunt DNS
server that does the lookups and synthesizes the answers, e.g.:
$ dig mail.bt.co.uk.contacts.abuse.net txt
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mail.bt.co.uk.contacts.abuse.net. IN TXT
;; ANSWER SECTION:
mail.bt.co.uk.contacts.abuse.net. 43200 IN TXT "ab...@bt.com"
The DNS server is a perl script I wrote a while ago that synthesizes
answers on the fly. It can't be a normal DNS server because the mapping
from queries to responses is more complex than you can express with DNS
wildcards, and if a domain isn't in the database it returns a default of
abuse@<domain>.
I have two servers on two networks and normally it works fine until some
nitwit does a query flood, probably looking up every domain in every
message they see, or maybe an inept listwasher, and the two little perl
scripts just can't keep up.
What I would like is if large public DNS systems like yours refused to
look up anything in contacts.abuse.net, and I tell people that if they
want to use the DNS lookup, use your own DNS cache, similar to what DNSBLs
do.
I suppose I could try and do a split horizon hack on the parent server
(abuse.net itself is on ordinary NSD servers) and say the NS for
contacts.abuse.net is at 127.0.0.1, but as we've seen it's a challenge
keeping track of all the places your queries can come from.
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
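To make concrete what a synthesizing "stunt" DNS server like the one described above has to do, here is a small added Python sketch. It is not John Levine's perl script and not abuse.net's data: the contact database is constructed with placeholder addresses, the way a lookup for mail.bt.co.uk falls back to the bt.co.uk entry (walking from the full name up through its parent domains) is an assumption about the lookup rule, and the `abuse@<domain>` default and the 43200 TTL follow the message. It builds real DNS wire-format packets so the synthesized TXT answer, the empty NOERROR for other types under the zone, and the REFUSED for names outside contacts.abuse.net can all be checked offline.

```python
import struct

# Constructed sample database (placeholder addresses, NOT abuse.net's real data):
# domain -> abuse reporting address.
CONTACTS = {
    "bt.co.uk": "abuse@bt.example",
    "example.org": "abuse-desk@example.org",
}
ZONE = "contacts.abuse.net"
TYPE_TXT, TYPE_ANY, CLASS_IN = 16, 255, 1
TTL = 43200  # same TTL as the dig output in the message


def lookup_contact(qname, db=CONTACTS):
    """Map <domain>.contacts.abuse.net to a reporting address.

    Assumed rule: walk from the full name to its parent domains, so
    mail.bt.co.uk inherits the bt.co.uk entry. Returns None when the name
    is not under the zone, and abuse@<domain> when nothing matches."""
    name = qname.rstrip(".").lower()
    suffix = "." + ZONE
    if not name.endswith(suffix):
        return None
    domain = name[: -len(suffix)]
    if not domain:
        return None
    labels = domain.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in db:
            return db[candidate]
    return "abuse@" + domain


def encode_name(name):
    """DNS wire encoding: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname, qtype=TYPE_TXT, txid=0x1234):
    """A minimal client query (RD set, one question) for offline testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def parse_question(packet):
    """Return (txid, flags, qname, qtype, qclass, offset_after_question)."""
    txid, flags = struct.unpack("!HH", packet[:4])
    offset, labels = 12, []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return txid, flags, ".".join(labels), qtype, qclass, offset + 4


def build_response(query):
    """Synthesize the reply for one query packet, as the stunt server would.

    Names outside the zone get REFUSED; other types under the zone get an
    empty NOERROR; TXT or ANY gets a synthesized TXT record."""
    txid, flags, qname, qtype, qclass, qend = parse_question(query)
    question = query[12:qend]
    name = qname.rstrip(".").lower()
    in_zone = name == ZONE or name.endswith("." + ZONE)
    contact = lookup_contact(qname)
    rcode, answers = 0, b""
    if not in_zone or qclass != CLASS_IN:
        rcode = 5  # REFUSED: not our data
    elif contact is not None and qtype in (TYPE_TXT, TYPE_ANY):
        rdata = bytes([len(contact)]) + contact.encode("ascii")
        # 0xC00C is a compression pointer back to the question name.
        answers = (b"\xc0\x0c"
                   + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, TTL, len(rdata))
                   + rdata)
    # QR=1, AA=1, copy the client's RD bit; RA=0 since we never recurse.
    rflags = 0x8400 | (flags & 0x0100) | rcode
    header = struct.pack("!HHHHHH", txid, rflags, 1, 1 if answers else 0, 0, 0)
    return header + question + answers


def response_txt(response):
    """Extract (rcode, txt_string_or_None) from a response built above."""
    _, flags, _, _, _, qend = parse_question(response)
    rcode = flags & 0x000F
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return rcode, None
    rdlength = struct.unpack("!H", response[qend + 10:qend + 12])[0]
    rdata = response[qend + 12:qend + 12 + rdlength]
    return rcode, rdata[1:1 + rdata[0]].decode("ascii")


if __name__ == "__main__":
    for n in ("mail.bt.co.uk.contacts.abuse.net",
              "nowhere.test.contacts.abuse.net", "example.com"):
        print(n, response_txt(build_response(build_query(n))))
```

Every query that reaches this code costs a database walk plus packet construction in an interpreted language, which is the whole point of the complaint: it is far cheaper per query for a large recursive resolver to keep sending than for this kind of server to answer, so a modest flood saturates it long before it would trouble a tuned authoritative server like the BIND load-tests describe.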