Date:      Wed, 11 Jun 2008 12:03:54 -0400
From:      Jon Radel <jon@radel.com>
To:        Ted Mittelstaedt <tedm@toybox.placo.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: OT: lots of IPv6 DNS requests
Message-ID:  <484FF76A.6080501@radel.com>
In-Reply-To: <BMEDLGAENEKCJFGODFOCOELOCFAA.tedm@toybox.placo.com>
References:  <BMEDLGAENEKCJFGODFOCOELOCFAA.tedm@toybox.placo.com>

Ted Mittelstaedt wrote:
> 
> 
>> -----Original Message-----
>> From: Jon Radel [mailto:jon@radel.com]
>> Sent: Wednesday, June 11, 2008 6:15 AM
>> To: Ted Mittelstaedt
>> Cc: Wojciech Puchar; freebsd-questions@freebsd.org
>> Subject: Re: OT: lots of IPv6 DNS requests
>>
>>
>> Ted Mittelstaedt wrote:
>>>
>>>> -----Original Message-----
>>>> From: owner-freebsd-questions@freebsd.org
>>>> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Jon Radel
>>>> Sent: Tuesday, June 10, 2008 4:02 PM
>>>> To: Wojciech Puchar
>>>> Cc: freebsd-questions@freebsd.org
>>>> Subject: Re: OT: lots of IPv6 DNS requests
>>>>
>>>> Nameservers are hitting an address of yours.  Therefore something is 
>>>> probably handing out your address.  Somebody (that would be me) has 
>>>> looked up the address in question and even looked up the nameserver 
>>>> which is handing out that address in a glue record. 
>>> A simple problem EASILY solved.
>>>
>>> Why bother the owner of the misconfigured nameserver?
>>>
>>> Instead, simply insert a wildcard record to your nameserver
>>> that hands out the IP number of the nastiest porno site you
>>> can find to any DNS query.
>>>
>>> After a few days the owners of the misconfigured nameservers
>>> or clients will go hunting for whatever is poisoning their cache.
>>>
>>> Problem solved.
>>>
>>> Ted
>> Silly me, I've always believed that people set up nameservers because 
>> they want their resources to be found.  Having one of the parents of your 
>> zone point to a random machine of yours,
> 
> It seemed that the OP's claim was that he had NOT asked the
> parents of his domain to point any nameserving to his machine.

Yes.  And I pointed out that he was WRONG, including in the message you 
responded to.  I went so far as to send dig output showing the glue 
record that was causing his grief.

> 
> It used to be that people would at times use random nameservers
> on the Internet that they discovered, rather than using their
> own ISP's nameserver.  The advent of IP-based filtering for
> BIND which allows you to specify only non-recursive queries to
> be answered from IP blocks that are not your own, pretty much put
> a stop to that.  But for whatever reason, sometimes you can't
> employ IP-based filtering, and you have to set up a nameserver
> to answer recursive queries from anyone, even though you may
> still only want the world to be making non-recursive queries
> to it.

True, but quite beside the point.  Anyway, those pesky people would 
quickly leave a server that denied all their requests alone, and if 
you'd actually read what the OP posted, you'd have noticed the "denied" 
at the end of every line from his logs that he found so disturbing.

> 
> The suggestion to use wildcards to issue bogus responses is
> the general suggestion to "convince" goofballs on the Internet
> that happen to come across your recursive-query-responding
> nameserver that you do not want them to use to make recursive
> queries, to go elsewhere.
> 

Understood, true, but quite beside the point.

> Obviously if you intentionally are listing your nameserver in
> a parent zone, and you employ this trick, you will need to
> set up a new nameserver on a different IP and change the parent
> zone.
> 
> I figured though, that anyone who knew what they were doing
> would have grasped that concept, however.
> 

You'd think, wouldn't you?

>> which you then use to serve 
>> crap records, strikes me as somewhat counterproductive.  And I really 
>> fail to see why whomever runs the parent zone would even notice. 
> 
> The OP claimed that he was getting an excessive number of
> DNS requests, implying that his parent was redirecting a lot
> of queries to him that he wasn't supposed to get.  If his
> parent is doing that because they misconfigured their own nameserver,
> then anyone depending on their nameserver will get crap records
> back, and likely complain.
> 

He made no such claim at any time (at least in any e-mail that reached 
me privately or via the list).  He was confused as to why random 
machines were hitting his closed nameserver at all.

Do you honestly think lots of people are going to gang up on whomever 
runs his parent zone when they stop getting mail from the OP?  Those 
that noticed would probably sigh a little sigh of relief that they'd no 
longer have to see the OP and me fussing at each other.

> I think the issue is that you are assuming his parent zone
> admins are doing the Correct Thing when they have configured
> their own nameservers.  The OP was insistent that his parent
> zone admins were doing the Wrong Thing when they configured
> their own nameservers.  Thus, my suggestion is essentially telling
> the OP that if he is so insistent that his parents are screwed
> up, then he can put his money where his mouth is and wildcard
> a porno site.

Wow.  You really have problems with reading comprehension, don't you? 
You have that more or less backwards.

> 
> As we saw by his response to my suggestion, when the OP was
> challenged to do this, he rapidly backwatered.  Since backwatering
> he no longer can claim (at least on this list) that his parent
> admins are idiots, and thus I assume is now open to examining
> his own config a bit more closely.  (which is what you were
> telling him to do all along)

No, I was pointing him to the parent which was handing out the glue 
record with the address he kept claiming couldn't possibly be being made 
public by anybody.  I have no reason to suspect a problem with his 
configs and never said or hinted at such a thing in any way.


> 
> Sometimes if you want the horse to drink, you have to let them
> run in the opposite direction of the pond.

Giggle.

OK, folks, I promise, given that this has sunk well into chat territory, 
I'm done responding on the list on this topic.  I was sucked in 
originally by the OP posting my DNS server's IP address in a query, and 
it appears that the OP has finally taken the time to grasp the answer I 
kept giving him, so I'm going to move on.  Feel free to send me love 
notes privately.

--Jon Radel
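The BIND "IP-based filtering" Ted describes above, as an added configuration example that is not from this thread or from any of its participants: the weak setting that makes the server an open resolver sits beside the corrected one, which keeps authoritative answers available to everyone but hands out recursion (and the contents of the cache) only to the operator's own address blocks. The zone name `example.com`, the prefixes in the `ournets` ACL and the file paths are assumed values chosen for the example.

```conf
// ---- named.conf, BEFORE (open resolver) ----
// "recursion yes" is BIND's default; with no allow-recursion clause every
// client that can reach the server gets recursive service, so strangers who
// "discovered" this address keep using it and fill the log with their queries.
options {
    directory "/var/named";
    recursion yes;
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

// ---- named.conf, AFTER (authoritative for all, recursive only for us) ----
// Constructed example prefixes; replace with the networks you actually serve.
acl "ournets" {
    127.0.0.0/8;
    192.0.2.0/24;
    2001:db8::/32;
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion   { "ournets"; };   // recursive lookups only for our blocks
    allow-query-cache { "ournets"; };   // cached answers are not served to outsiders
    allow-query       { any; };         // authoritative data stays public
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };               // the world may still ask about our zone
};
```

With the corrected file a recursive query from outside `ournets` is refused, which is exactly what the "denied" at the end of each logged line shows; it does not stop the queries from arriving, so if the address is still being advertised in a parent's glue record the log keeps filling until that record is corrected.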
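Jon's point above is that every line in the OP's log already ended in "denied", so the server was refusing the recursion; the useful next step is to see who is sending those queries and for which names, since a handful of sources repeatedly asking for names in one zone suggests a delegation or glue record pointing at you rather than random clients. The following is an added example, not code from the thread or from BIND; it parses log lines modelled on BIND 9's security-category "query (cache) ... denied" message (the regular expression is an assumption that may need adjusting for other versions or logging formats) and summarises refused queries per client. The sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines modelled on BIND 9 "security" category messages for
# refused recursive queries. Addresses are documentation prefixes, not real hosts.
SAMPLE_LOG = """\
11-Jun-2008 12:00:01.101 client 203.0.113.7#53211: query (cache) 'www.example.net/A/IN' denied
11-Jun-2008 12:00:01.240 client 203.0.113.7#53212: query (cache) 'www.example.net/AAAA/IN' denied
11-Jun-2008 12:00:02.007 client 198.51.100.9#1025: query (cache) 'mail.example.org/MX/IN' denied
11-Jun-2008 12:00:02.310 client 192.0.2.44#40001: query: example.com IN A + (192.0.2.1)
11-Jun-2008 12:00:03.555 client 203.0.113.7#53213: query (cache) 'ns1.example.net/A/IN' denied
"""

# Assumed message shape: client <ip>#<port>: query (cache) '<name>/<type>/IN' denied
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/]+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)


def parse_denied(log_text):
    """Return (client_ip, qname, qtype) for every refused recursive query.

    Lines that do not match (ordinary authoritative queries, other messages)
    are skipped rather than treated as errors.
    """
    hits = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            hits.append((m.group("ip"), m.group("qname"), m.group("qtype")))
    return hits


def denied_by_client(log_text):
    """Count refused queries per source address, most frequent first."""
    return Counter(ip for ip, _, _ in parse_denied(log_text)).most_common()


def names_by_client(log_text):
    """Map each refusing client to the set of names it asked for.

    A source that keeps asking for names under one zone is more likely a
    resolver following a delegation or glue record than a stray client.
    """
    names = {}
    for ip, qname, _ in parse_denied(log_text):
        names.setdefault(ip, set()).add(qname)
    return names


if __name__ == "__main__":
    per_name = names_by_client(SAMPLE_LOG)
    for ip, count in denied_by_client(SAMPLE_LOG):
        print(f"{ip:>16} {count:4d} denied  {sorted(per_name[ip])}")
```

Run against a real query log the output groups the refused queries by source; the names column is what tells you which zone's delegation to check next with dig, as Jon did for the OP.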
