injecting a temp entry into dns cache

2013-02-02 Thread Veaceslav Revutchi
There is a credit union website that our users access from work and
their dns has been broken for the past few days where the www. version
works, but the plain name (without the www.) points to some old IP
that's not responding. Tried to call them and all I got was that they
know they have some kind of problem, but they ask users to type www.
in their browser until it's resolved.

In situations like this I would like to be able to inject an entry
into the cache on our recursive resolvers and point it to the correct
IP until the domain owner fixes the problem (poison my own cache so to
speak). Is this something that can be done with bind without having to
create a zone for the broken domain and make our servers act as
authoritative for it?

Thank you,
Slava
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: high volume from outside our networks question

2013-02-02 Thread Beavis
Rich,

I suggest the following

minimal-responses yes; - set this global
blackhole { address_match_list }; - use the address_match_list file on
your pf.conf (freebsd)

with this combo, your bind should refuse queries when it's out-of-zone.

additional-from-auth yes;
additional-from-cache no;


goodluck,
-Beavis

On Wed, Jan 30, 2013 at 3:02 PM, rich carroll  wrote:
> Currently our ISP's bind9 server is experiencing a lot of traffic. It looks
> like we are being used to attack ip addresses. We do have our own domains
> that host as well as resolving for our customers.
>
> I have an acl for our subnets and we allow-recursion and allow-query-cache
> for those subnets. The IP's of the abusing servers are outside of our
> networks.
>
> My assumption was that if the query came from outside our networks and it
> wasn't for one of our domains then there wouldn't be a response, but this
> isn't the case.
>
> If I go outside our network and do a "dig google.com @ourDNSserver" I get:
>
> ; <<>> DiG 9.6.-ESV-R3 <<>> google.com @ns1.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23403
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;google.com.                   IN      A
>
> ;; AUTHORITY SECTION:
> com.                    172800  IN      NS      a.gtld-servers.net.
> com.                    172800  IN      NS      h.gtld-servers.net.
> com.                    172800  IN      NS      l.gtld-servers.net.
> com.                    172800  IN      NS      d.gtld-servers.net.
> com.                    172800  IN      NS      c.gtld-servers.net.
> com.                    172800  IN      NS      i.gtld-servers.net.
> com.                    172800  IN      NS      m.gtld-servers.net.
> com.                    172800  IN      NS      b.gtld-servers.net.
> com.                    172800  IN      NS      j.gtld-servers.net.
> com.                    172800  IN      NS      f.gtld-servers.net.
> com.                    172800  IN      NS      e.gtld-servers.net.
> com.                    172800  IN      NS      g.gtld-servers.net.
> com.                    172800  IN      NS      k.gtld-servers.net.
>
> ;; ADDITIONAL SECTION:
> a.gtld-servers.net.     172800  IN      A       192.5.6.30
> a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30
> b.gtld-servers.net.     172800  IN      A       192.33.14.30
> b.gtld-servers.net.     172800  IN      AAAA    2001:503:231d::2:30
> c.gtld-servers.net.     172800  IN      A       192.26.92.30
> d.gtld-servers.net.     172800  IN      A       192.31.80.30
> e.gtld-servers.net.     172800  IN      A       192.12.94.30
> f.gtld-servers.net.     172800  IN      A       192.35.51.30
> g.gtld-servers.net.     172800  IN      A       192.42.93.30
> h.gtld-servers.net.     172800  IN      A       192.54.112.30
> i.gtld-servers.net.     172800  IN      A       192.43.172.30
> j.gtld-servers.net.     172800  IN      A       192.48.79.30
> k.gtld-servers.net.     172800  IN      A       192.52.178.30
> l.gtld-servers.net.     172800  IN      A       192.41.162.30
>
> ;; Query time: 2 msec
> ;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
> ;; WHEN: Wed Jan 30 14:50:32 2013
> ;; MSG SIZE  rcvd: 500
>
> Is it supposed to work like this? We are getting 100-600 of these a second.
> Most are looking up isc.org. They are more than likely spoofed IP's and
> someone is using our servers to attack people.
>
> I spent some time doing google searches and mostly found that you need to
> make sure you are only doing recursive lookups for your network, but that
> hasn't solved our issue if we are still sending out responses.
>
> --
> Richard Carroll
> richcarr...@gmail.com
>
>



-- 
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Disclaimer:
http://goldmark.org/jeff/stupid-disclaimers/
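As an added example of the check Rich's question calls for (this is not code from the thread or from BIND): scan BIND 9 query-log lines and flag queries that come from outside the resolver's own networks for names it is not authoritative for. Those are exactly the queries that should yield nothing useful once recursion and the cache are restricted to local clients, yet, as Rich's dig output shows, still draw a 500-byte referral; knowing what share of the query volume they make up tells you how much Beavis's minimal-responses and additional-from-cache settings will shrink. The networks, zones and log lines are constructed placeholders, the log layout is the "queries" category format as I remember it for BIND 9 of that era (adjust the regular expression to the version in use), and the separate count of ANY queries is my addition, since that is the record type reflection traffic favours.

```python
"""Audit BIND 9 query-log lines for the open-resolver abuse pattern Rich
describes: queries from outside our own networks for names we do not serve.
Added example, not code from the thread; every address, zone and log line
below is a constructed placeholder."""
import ipaddress
import re
from collections import Counter

# Constructed: the subnets we resolve for and the zones we are authoritative for.
OUR_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]
OUR_ZONES = ("example.net.", "example.org.")

# Assumed BIND 9 'queries' category layout:
#   "client <ip>#<port>: query: <name> <class> <type> <flags> (<server>)"
# Flags begin with '+' when the client asked for recursion and '-' when it did not.
LINE_RE = re.compile(
    r"client (?P<src>[0-9A-Fa-f.:]+)#\d+: query: (?P<name>\S+) "
    r"(?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def is_our_client(src):
    """True when the source address lies inside one of OUR_NETS."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in OUR_NETS)


def in_our_zones(name):
    """True when the queried name is at or below a zone we serve authoritatively."""
    fqdn = name.lower().rstrip(".") + "."
    return any(fqdn == zone or fqdn.endswith("." + zone) for zone in OUR_ZONES)


def classify(line):
    """Parse one log line into its fields plus a verdict; None if it is not a query line."""
    match = LINE_RE.search(line)
    if not match:
        return None
    q = match.groupdict()
    q["recursion_desired"] = q["flags"].startswith("+")
    q["our_client"] = is_our_client(q["src"])
    q["our_zone"] = in_our_zones(q["name"])
    # An outside source asking about a name we do not serve has no legitimate
    # business with this server; while a referral is still returned (as in Rich's
    # dig output) every such query is a reflection opportunity, RD bit or not.
    q["suspect"] = not q["our_client"] and not q["our_zone"]
    return q


def audit(lines):
    """Summarise suspect queries: count per source and how many ask for ANY."""
    flagged, by_source, total = [], Counter(), 0
    for line in lines:
        q = classify(line)
        if q is None:
            continue
        total += 1
        if q["suspect"]:
            flagged.append(q)
            by_source[q["src"]] += 1
    any_queries = sum(1 for q in flagged if q["qtype"] == "ANY")
    return {"total": total, "flagged": flagged, "by_source": by_source, "any_queries": any_queries}


# Constructed sample log, mirroring the thread: outside hosts hammering isc.org.
SAMPLE_LOG = [
    "30-Jan-2013 14:50:31.001 queries: info: client 192.0.2.10#5000: query: www.example.com IN A +E (192.0.2.53)",
    "30-Jan-2013 14:50:31.002 queries: info: client 203.0.113.7#41214: query: isc.org IN ANY +E (192.0.2.53)",
    "30-Jan-2013 14:50:31.003 queries: info: client 198.51.100.3#6000: query: mail.example.net IN MX - (192.0.2.53)",
    "30-Jan-2013 14:50:31.004 queries: info: client 203.0.113.7#41215: query: isc.org IN ANY +E (192.0.2.53)",
    "30-Jan-2013 14:50:31.005 queries: info: client 2001:db8::5#7000: query: google.com IN A +E (192.0.2.53)",
    "30-Jan-2013 14:50:31.006 general: info: zone example.net/IN: loaded serial 2013013001",
]

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print(f"{len(report['flagged'])} of {report['total']} queries suspect; "
          f"{report['any_queries']} were ANY; sources: {dict(report['by_source'])}")
```

The per-source counts are only indicative: as Rich suspects, the source addresses are spoofed, so the "sources" are the victims being reflected at, and rate-limiting by source would punish them rather than the sender. The useful output is the ratio of suspect to total queries, which you re-run after changing the configuration to confirm the leak is closed.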


Re: injecting a temp entry into dns cache

2013-02-02 Thread Jeff Reasoner
Interesting. Intentionally "poison" your own cache so your users aren't
inconvenienced by another's misconfiguration. Not sure how you go about
doing that on the box. Perhaps bigger brains on this list can say.

I have had occasion to forge answers locally as an immediate fix for
name resolution issues which caused significant operational problems.

I elected to add the zone in named.conf and answer the query correctly
(and authoritatively) until I could get the owner to correct things. You
will probably need to add other zone records too - MX and any other A
records you can think to search for.

Personally, I wouldn't consider doing something like that in this
situation as you've described. However, mere inconvenience as I perceive
it may be significant in your view.

On Sat, 2013-02-02 at 16:41 -0500, Veaceslav Revutchi wrote:
> There is a credit union website that our users access from work and
> their dns has been broken for the past few days where the www. version
> works, but the plain name (without the www.) points to some old IP
> that's not responding. Tried to call them and all I got was that they
> know they have some kind of problem, but they ask users to type www.
> in their browser until it's resolved.
> 
> In situations like this I would like to be able to inject an entry
> into the cache on our recursive resolvers and point it to the correct
> IP until the domain owner fixes the problem (poison my own cache so to
> speak). Is this something that can be done with bind without having to
> create a zone for the broken domain and make our servers act as
> authoritative for it?
> 
> Thank you,
> Slava




Re: injecting a temp entry into dns cache

2013-02-02 Thread Vernon Schryver
> > There is a credit union website that our users access from work and
> > their dns has been broken for the past few days where the www. version

> From: Jeff Reasoner 

> I elected to add the zone in named.conf and answer the query correctly
> (and authoritatively) until I could get the owner to correct things. You
> will probably need to add other zone records too - MX and any other A
> records you can think to search for.

> Personally, I wouldn't consider doing something like that in this
> situation as you've described. ...

On my own computers and for my own business, I add temporary lines
to /etc/hosts every few months to deal with such problems.  However,
hacking a financial institution by publishing false DNS data to
third parties (including employees) would promise too much excitement
and too little profit for my tastes, especially after talking about
the crime in public.  I doubt that I could convince a court of
technical facts or that I was doing the credit union a favor.  The
credit union would probably convince the authorities (including the
newly sprouting bureaucracy run by the same people who are in charge
of the TSA) that I was responsible for the whole mess from the
beginning.

Besides, do you really want to help drive business to that kind of
financial institution?  If its trivial records like DNS are a persistent
mess, what about the complicated banking records required by law?

If it were competent, the credit union would be using DNSSEC, which
makes a local DNS zone useless.


Vernon Schryver    v...@rhyolite.com


Re: injecting a temp entry into dns cache

2013-02-02 Thread Eliezer Croitoru

Hey Slava,

You can use a small DNS proxy that will forge only this specific record 
while for others it will just pass them through.

By adding a forward DNS zone and adding the proxy as the forward DNS server.

This is *not* recommended but these are the tools you have.
If the DNS proxy is not well written, your users will have trouble.

On 2/2/2013 11:41 PM, Veaceslav Revutchi wrote:

> There is a credit union website that our users access from work and
> their dns has been broken for the past few days where the www. version
> works, but the plain name (without the www.) points to some old IP
> that's not responding. Tried to call them and all I got was that they
> know they have some kind of problem, but they ask users to type www.
> in their browser until it's resolved.
>
> In situations like this I would like to be able to inject an entry
> into the cache on our recursive resolvers and point it to the correct
> IP until the domain owner fixes the problem (poison my own cache so to
> speak). Is this something that can be done with bind without having to
> create a zone for the broken domain and make our servers act as
> authoritative for it?
>
> Thank you,
> Slava


--
Eliezer Croitoru
http://www1.ngtech.co.il
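As an added illustration of the approach Eliezer describes for Slava's problem (a proxy that answers one record from a local table and passes everything else through), here is a minimal stdlib-only UDP DNS proxy in Python. It is not code from the thread or from any project named in it. The overridden name, the addresses and the port are constructed placeholders drawn from the RFC 5737 documentation ranges. The resolver hands the broken domain to it through a forward zone; Vernon's DNSSEC point applies unchanged, since the synthesized answer carries no RRSIG and a validating client will reject it.

```python
"""Minimal UDP DNS proxy: answer A queries for names in OVERRIDES locally,
forward every other query byte-for-byte to an upstream resolver.
Added example for the approach discussed in the thread; not the list's code."""
import socket
import struct

# Constructed override table: name -> (IPv4 address, TTL).  Placeholder values.
OVERRIDES = {"example.com.": ("203.0.113.10", 60)}
UPSTREAM = ("192.0.2.53", 53)          # placeholder upstream resolver
TYPE_A, CLASS_IN = 1, 1


def parse_question(packet):
    """Return (qname, qtype, qclass, end_offset) of the single question, or None."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] != 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:              # compression pointers are not valid in a question name
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        return None
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels).lower() + ".", qtype, qclass, pos + 4


def build_override_response(packet):
    """Synthesize an A answer for an overridden name; None means 'forward it'."""
    q = parse_question(packet)
    if q is None:
        return None
    qname, qtype, qclass, qend = q
    if qtype != TYPE_A or qclass != CLASS_IN or qname not in OVERRIDES:
        return None
    addr, ttl = OVERRIDES[qname]
    rd = packet[2] & 0x01              # echo the client's RD bit
    # QR=1, opcode 0, AA=0 (we are not authoritative), RD as asked, RA=1, AD=0, RCODE 0.
    flags = struct.pack("!H", 0x8000 | (rd << 8) | 0x0080)
    header = packet[0:2] + flags + struct.pack("!HHHH", 1, 1, 0, 0)
    question = packet[12:qend]
    # One answer RR: name as a pointer to offset 12, type A, class IN, TTL, RDLENGTH 4.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + socket.inet_aton(addr)
    return header + question + answer


def forward(packet, timeout=2.0):
    """Relay an unmodified query to UPSTREAM; None on timeout so the client retries."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, UPSTREAM)
        try:
            return s.recv(4096)
        except socket.timeout:
            return None


def serve(bind=("127.0.0.1", 5353)):
    """Listen on an unprivileged port; the resolver's forward zone points here."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:
            packet, client = s.recvfrom(512)
            reply = build_override_response(packet) or forward(packet)
            if reply:
                s.sendto(reply, client)


def make_query(name, txid=0x1234, qtype=TYPE_A):
    """Encode a plain recursive query for `name` (used for offline testing)."""
    body = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + body + b"\x00" + struct.pack("!HH", qtype, CLASS_IN))


if __name__ == "__main__":
    serve()
```

With the proxy listening on 127.0.0.1 port 5353, a forward zone of the form `zone "example.com" { type forward; forward only; forwarders { 127.0.0.1 port 5353; }; };` in named.conf sends only that domain through it. Note that the table answers A queries only: an AAAA or MX query for the same name is forwarded and still gets whatever the broken upstream returns, which is the same "add the other records too" point Jeff makes about the zone approach, and a reason to keep the override list to the single record that is actually wrong and remove it as soon as the owner fixes the zone.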