From: "Ted Mittelstaedt"
To: "Jon Radel"
Cc: freebsd-questions@freebsd.org
Date: Wed, 11 Jun 2008 08:36:05 -0700
Subject: RE: OT: lots of IPv6 DNS requests
In-Reply-To: <484FCFEF.5000109@radel.com>
List-Id: User questions

> -----Original Message-----
> From: Jon Radel [mailto:jon@radel.com]
> Sent: Wednesday, June 11, 2008 6:15 AM
> To: Ted Mittelstaedt
> Cc: Wojciech Puchar; freebsd-questions@freebsd.org
> Subject: Re: OT: lots of IPv6 DNS requests
>
> Ted Mittelstaedt wrote:
>
> >> -----Original Message-----
> >> From: owner-freebsd-questions@freebsd.org
> >> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Jon Radel
> >> Sent: Tuesday, June 10, 2008 4:02 PM
> >> To: Wojciech Puchar
> >> Cc: freebsd-questions@freebsd.org
> >> Subject: Re: OT: lots of IPv6 DNS requests
> >>
> >> Nameservers are hitting an address of yours. Therefore something is
> >> probably handing out your address. Somebody (that would be me) has
> >> looked up the address in question and even looked up the nameserver
> >> which is handing out that address in a glue record.
> >
> > A simple problem EASILY solved.
> >
> > Why bother the owner of the misconfigured nameserver?
> >
> > Instead, simply insert a wildcard record to your nameserver
> > that hands out the IP number of the nastiest porno site you
> > can find to any DNS query.
> >
> > After a few days the owners of the misconfigured nameservers
> > or clients will go hunting for whatever is poisoning their cache.
> >
> > Problem solved.
> >
> > Ted
>
> Silly me, I've always believed that people set up nameservers because
> they want their resources to be found. Having one of the parents of your
> zone point to a random machine of yours,

It seemed that the OP's claim was that he had NOT asked the parents of his
domain to point any nameserving to his machine.

It used to be that people would at times use random nameservers on the
Internet that they discovered, rather than using their own ISP's
nameserver. The advent of IP-based filtering for BIND, which allows you to
specify that only non-recursive queries be answered from IP blocks that are
not your own, pretty much put a stop to that. But for whatever reason,
sometimes you can't employ IP-based filtering, and you have to set up a
nameserver to answer recursive queries from anyone, even though you may
still only want the world to be making non-recursive queries to it.

The suggestion to use wildcards to issue bogus responses is the general
suggestion to "convince" goofballs on the Internet that happen to come
across your recursive-query-responding nameserver, which you do not want
them to use to make recursive queries, to go elsewhere. Obviously if you
intentionally are listing your nameserver in a parent zone, and you employ
this trick, you will need to set up a new nameserver on a different IP and
change the parent zone. I figured, though, that anyone who knew what they
were doing would have grasped that concept.

> which you then use to serve
> crap records, strikes me as somewhat counterproductive. And I really
> fail to see why whomever runs the parent zone would even notice.

The OP claimed that he was getting an excessive number of DNS requests,
implying that his parent was redirecting a lot of queries to him that he
wasn't supposed to get. If his parent is doing that because they
misconfigured their own nameserver, then anyone depending on their
nameserver will get crap records back, and likely complain.

I think the issue is that you are assuming his parent zone admins are doing
the Correct Thing when they have configured their own nameservers. The OP
was insistent that his parent zone admins were doing the Wrong Thing when
they configured their own nameservers.

Thus, my suggestion is essentially telling the OP that if he is so
insistent that his parents are screwed up, then he can put his money where
his mouth is and wildcard a porno site.

As we saw by his response to my suggestion, when the OP was challenged to
do this, he rapidly backwatered. Since backwatering he no longer can claim
(at least on this list) that his parent admins are idiots, and thus I
assume is now open to examining his own config a bit more closely. (which
is what you were telling him to do all along)

Sometimes if you want the horse to drink, you have to let them run in the
opposite direction of the pond.

Ted
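The "IP-based filtering for BIND" Ted refers to above is the `allow-recursion` ACL in named.conf. The fragment below is an added illustration, not part of the thread and not anything the OP or Ted posted: it shows the open-resolver setting next to the restricted one, so that hosts outside your own address blocks get authoritative answers for your zones but are refused recursive service. The prefixes, zone name and file name are constructed placeholders (RFC 5737 / RFC 3849 documentation ranges), and the `allow-query-cache` option assumes BIND 9.4 or later.

```conf
// --- Weak: anyone on the Internet may use this server as a recursor. ---
options {
    recursion yes;
    allow-recursion { any; };
};

// --- Restricted: recursion only for our own networks (constructed prefixes). ---
acl "ournets" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;        // example IPv4 block, stands in for your own
    2001:db8::/32;       // example IPv6 block, stands in for your own
};

options {
    recursion yes;
    allow-recursion   { "ournets"; };   // recursive lookups: our hosts only
    allow-query-cache { "ournets"; };   // cached answers: our hosts only
    allow-query       { any; };         // authoritative data stays world-visible
};

// Zones this server is authoritative for are still answered to everyone.
zone "example.com" {
    type master;
    file "example.com.zone";   // placeholder path
};
```

After `named-checkconf` and `rndc reload`, a check from a host outside the ACL such as `dig @your.server www.example.net` should come back `REFUSED` (and a query for your own zone should still answer, with the `ra` flag absent from the header), while the same query from inside the ACL resolves normally. Seeing recursive queries from unknown sources still refused in the query log is the quickest way to confirm the filter is active.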