Ted Mittelstaedt wrote:

-----Original Message-----
From: Jon Radel [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 11, 2008 6:15 AM
To: Ted Mittelstaedt
Cc: Wojciech Puchar; freebsd-questions@freebsd.org
Subject: Re: OT: lots of IPv6 DNS requests

Ted Mittelstaedt wrote:

-----Original Message-----
[mailto:[EMAIL PROTECTED] Behalf Of Jon Radel
Sent: Tuesday, June 10, 2008 4:02 PM
To: Wojciech Puchar
Cc: freebsd-questions@freebsd.org
Subject: Re: OT: lots of IPv6 DNS requests

Nameservers are hitting an address of yours. Therefore something is probably handing out your address. Somebody (that would be me) has looked up the address in question and even looked up the nameserver which is handing out that address in a glue record.
A simple problem EASILY solved.

Why bother the owner of the misconfigured nameserver?

Instead, simply insert a wildcard record to your nameserver
that hands out the IP number of the nastiest porno site you
can find to any DNS query.

After a few days the owners of the misconfigured nameservers
or clients will go hunting for whatever is poisoning their cache.

Problem solved.

Silly me, I've always believed that people set up nameservers because they want their resources to be found. Having one of the parents of your zone point to a random machine of yours,

It seemed that the OP's claim was that he had NOT asked the
parents of his domain to point any nameserving to his machine.

Yes. And I pointed out that he was WRONG, including in the message you responded to. I went so far as to send dig output showing the glue record that was causing his grief.

It used to be that people would at times use random nameservers
on the Internet that they discovered, rather than using their
own ISP's nameserver.  The advent of IP-based filtering for
BIND which allows you to specify only non-recursive queries to
be answered from IP blocks that are not your own, pretty much put
a stop to that.  But for whatever reason, sometimes you can't
employ IP-based filtering, and you have to set up a nameserver
to answer recursive queries from anyone, even though you may
still only want the world to be making non-recursive queries
to it.

True, but quite beside the point. Anyway, those pesky people would quickly leave a server that denied all their requests alone, and if you'd actually read what the OP posted, you'd have noticed the "denied" at the end of every line from his logs that he found so disturbing.

The suggestion to use wildcards to issue bogus responses is
the general suggestion to "convince" goofballs on the Internet
that happen to come across your recursive-query-responding
nameserver that you do not want them to use to make recursive
queries, to go elsewhere.

Understood, true, but quite beside the point.

Obviously if you intentionally are listing your nameserver in
a parent zone, and you employ this trick, you will need to
set up a new nameserver on a different IP and change the parent

I figured though, that anyone who knew what they were doing
would have grasped that concept, however.

You'd think, wouldn't you?

which you then use to serve crap records, strikes me as somewhat counterproductive. And I really fail to see why whomever runs the parent zone would even notice.

The OP claimed that he was getting an excessive number of
DNS requests, implying that his parent was redirecting a lot
of queries to him that he wasn't supposed to get.  If his
parent is doing that because they misconfigured their own nameserver,
then anyone depending on their nameserver will get crap records
back, and likely complain.

He made no such claim at any time (at least in any e-mail that reached me privately or via the list). He was confused as to why random machines were hitting his closed nameserver at all.

Do you honestly think lots of people are going to gang up on whomever runs his parent zone when they stop getting mail from the OP? Those that noticed would probably sigh a little sigh of relief that they'd no longer have to see the OP and me fussing at each other.

I think the issue is that you are assuming his parent zone
admins are doing the Correct Thing when they have configured
their own nameservers.  The OP was insistent that his parent
zone admins were doing the Wrong Thing when they configured
their own nameservers.  Thus, my suggestion is essentially telling
the OP that if he is so insistent that his parents are screwed
up, then he can put his money where his mouth is and wildcard
a porno site.

Wow. You really have problems with reading comprehension, don't you? You have that more or less backwards.

As we saw by his response to my suggestion, when the OP was
challenged to do this, he rapidly backwatered.  Since backwatering
he no longer can claim (at least on this list) that his parent
admins are idiots, and thus I assume is now open to examining
his own config a bit more closely.  (which is what you were
telling him to do all along)

No, I was pointing him to the parent which was handing out the glue record with the address he kept claiming couldn't possibly be being made public by anybody. I have no reason to suspect a problem with his configs and never said or hinted at such a thing in any way.

Sometimes if you want the horse to drink, you have to let it
run in the opposite direction of the pond.


OK, folks, I promise, given that this has sunk well into chat territory, I'm done responding on the list on this topic. I was sucked in originally by the OP posting my DNS server's IP address in a query, and it appears that the OP has finally taken the time to grasp the answer I kept giving him, so I'm going to move on. Feel free to send me love notes privately.

--Jon Radel
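The IP-based filtering Ted describes above (answer non-recursive, authoritative queries from anyone, but only recurse for your own blocks) is an access-control setting in BIND's named.conf. The fragment below is an added example for this thread, not configuration from any of the posters; the network ranges, the zone name "example.net" and the file paths are placeholders. The first options block is the open-resolver setting, the second is the restricted one. It assumes BIND 9.4 or later, where allow-query-cache exists.

```bind
// Constructed ACL: replace with the blocks you actually serve.
acl "ournets" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;      // placeholder IPv4 block
    2001:db8::/32;     // placeholder IPv6 block
};

// WEAK: an open resolver. Anyone on the Internet who stumbles on this
// address can use it for recursive lookups, which is the behaviour
// the thread says IP-based filtering "put a stop to".
options {
    directory "/var/named";
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };
};

// CORRECTED: authoritative answers for everyone, recursion only for us.
// Outsiders still get referrals/authoritative data for zones we host;
// a recursive query from outside "ournets" is refused and logged as
// "denied", matching the log lines discussed above.
options {
    directory "/var/named";
    recursion yes;
    allow-query       { any; };        // non-recursive/authoritative: world
    allow-recursion   { "ournets"; };  // recursive service: our blocks only
    allow-query-cache { "ournets"; };  // cached answers: our blocks only
};

// Zones we are authoritative for stay reachable from anywhere, which is
// what the glue record in the parent zone points clients at.
zone "example.net" {
    type master;
    file "master/example.net.db";
    allow-query { any; };
};
```

Note that this controls only recursion. If a parent zone carries a glue record naming one of your addresses, as Jon showed with dig, clients will keep sending authoritative queries there no matter what allow-recursion says; the fix for that is to correct the delegation, not the ACL.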
