Ted Mittelstaedt wrote:
-----Original Message----- From: Jon Radel [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 11, 2008 6:15 AM To: Ted Mittelstaedt Cc: Wojciech Puchar; freebsd-questions@freebsd.org Subject: Re: OT: lots of IPv6 DNS requests Ted Mittelstaedt wrote:Silly me, I've always believed that people setup nameservers because they want their resources to be found. Having one the parents of your zone point to a random machine of yours,-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jon Radel Sent: Tuesday, June 10, 2008 4:02 PM To: Wojciech Puchar Cc: freebsd-questions@freebsd.org Subject: Re: OT: lots of IPv6 DNS requestsNameservers are hitting an address of yours. Therefore something is probably handing out your address. Somebody (that would be me) has looked up the address in question and even looked up the nameserver which is handing out that address in a glue record.A simple problem EASILY solved. Why bother the owner of the misconfigured nameserver? Instead, simply insert a wildcard record to your namesever that hands out the IP number of the nastiest porno site you can find to any DNS query. After a few days the owners of the misconfigured nameservers or clients will go hunting for whatever is poisoning their cache. Problem solved. TedIt seemed that the OP's claim was that he had NOT asked the parents of his domain to point any nameserving to his machine.
Yes. And I pointed out that he was WRONG, including in the message you responded to. I went so far as to send dig output showing the glue record that was causing his grief.
It used to be that people would at times use random nameservers on the Internet that they discovered, rather than using their own ISP's nameserver. The advent of IP-based filtering for BIND which allows you to specify only non-recursive queries to be answered from IP blocks that are not your own, pretty much put a stop to that. But for whatever reason, sometimes you can't employ IP-based filtering, and you have to setup a nameserver to answer recursive queries from anyone, even though you may still only want the world to be making non-recursive queries to it.
True, but quite beside the point. Anyway, those pesky people would quickly leave a server that denied all their requests alone, and if you'd actually read what the OP posted, you'd have noticed the "denied" at the end of every line from his logs that he found so disturbing.
The suggestion to use wildcards to issue bogus responses is the general suggestion to "convince" goofballs on the Internet that happen to come across your recursive-query-responding nameserver that you do not want them to use to make recursive queries, to go elsewhere.
Understood, true, but quite beside the point.
Obviously if you intentionally are listing your nameserver in a parent zone, and you employ this trick, you will need to setup a new nameserver on a different IP and change the parent zone. I figured though, that anyone who knew what they were doing would have grasped that concept, however.
You'd think, wouldn't you?
which you then use to serve crap records, strikes me as somewhat counterproductive. And I really fail to see why whomever runs the parent zone would even notice.The OP claimed that he was getting an excessive number of DNS requests, implying that his parent was redirecting a lot of queries to him that he wasn't supposed to get. If his parent is doing that because they misconfigured their own nameserver, then anyone depending on their nameserver will get crap records back, and likely complain.
He made no such claim at any time (at least in any e-mail that reached me privately or via the list). He was confused as to why random machines where hitting his closed nameserver at all.
Do you honestly think lots of people are going to gang up on whomever runs his parent zone when they stop getting mail from the OP? Those that noticed would probably sigh a little sigh of relief that they'd no longer have to see the OP and me fussing at each other.
I think the issue is that you are assuming his parent zone admins are doing the Correct Thing when they have configured their own nameservers. The OP was insistent that his parent zone admins were doing the Wrong Thing when they configured their own nameservers. Thus, my suggestion is essentially telling the OP that if he is so insistent that his parents are screwed up, then he can put his money where his mouth is and wildcard a porno site.
Wow. You really have problems with reading comprehension, don't you? You have that more or less backwards.
As we saw by his response to my suggestion, when the OP was challenged to do this, he rapidly backwatered. Since backwatering he no longer can claim (at least on this list) that his parent admins are idiots, and thus I assume is now open to examining his own config a bit more closely. (which is what you were telling him to do all along)
No, I was pointing him to the parent which was handing out the glue record with the address he kept claiming couldn't possibly be being made public by anybody. I have no reason to suspect a problem with his configs and never said or hinted at such a thing in any way.
Sometimes if you want the horse to drink, you have to let them run in the opposite direction of the pond.
Giggle.OK, folks, I promise, given that this has sunk well into chat territory, I'm done responding on the list on this topic. I was sucked in originally by the OP posting my DNS server's IP address in a query, and it appears that the OP has finally taken the time to grasp the answer I kept giving him, so I'm going to move on. Feel free to send me love notes privately.
--Jon Radel
smime.p7s
Description: S/MIME Cryptographic Signature