injecting a temp entry into dns cache
There is a credit union website that our users access from work and their dns has been broken for the past few days where the www. version works, but the plain name (without the www.) points to some old IP that's not responding. Tried to call them and all I got was that they know they have some kind of problem, but they ask users to type www. in their browser until it's resolved. In situations like this I would like to be able to inject an entry into the cache on our recursive resolvers and point it to the correct IP until the domain owner fixes the problem (poison my own cache so to speak). Is this something that can be done with bind without having to create a zone for the broken domain and make our servers act as authoritative for it? Thank you, Slava ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: high volume from outside our networks question
Rich, I suggest the following minimal-responses yes; - set this global blackhole { address_match_list }; - use the address_match_list file on your pf.conf (freebsd) with this combo, your bind should refuse queries when it's out-of-zone. additional-from-auth yes; additional-from-cache no; goodluck, -Beavis On Wed, Jan 30, 2013 at 3:02 PM, rich carroll richcarr...@gmail.com wrote: Currently our ISP's bind9 server is experiencing a lot of traffic. It looks like we are being used to attack ip addresses. We do have our own domains that host as well as resolving for our customers. I have an acl for our subnets and we allow-recursion and allow-query-cache for those subnets. The IP's of the abusing servers are outside of our networks. My assumption was that if the query came from outside our networks and it wasn't for one of our domains then there wouldn't be a response, but this isn't the case. If I go outside our network and do a dig google.com @ourDNSserver I get: ; DiG 9.6.-ESV-R3 google.com @ns1. ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 23403 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;google.com.IN A ;; AUTHORITY SECTION: com.172800 IN NS a.gtld-servers.net. com.172800 IN NS h.gtld-servers.net. com.172800 IN NS l.gtld-servers.net. com.172800 IN NS d.gtld-servers.net. com.172800 IN NS c.gtld-servers.net. com.172800 IN NS i.gtld-servers.net. com.172800 IN NS m.gtld-servers.net. com.172800 IN NS b.gtld-servers.net. com.172800 IN NS j.gtld-servers.net. com.172800 IN NS f.gtld-servers.net. com.172800 IN NS e.gtld-servers.net. com.172800 IN NS g.gtld-servers.net. com.172800 IN NS k.gtld-servers.net. ;; ADDITIONAL SECTION: a.gtld-servers.net. 172800 IN A 192.5.6.30 a.gtld-servers.net. 172800 IN 2001:503:a83e::2:30 b.gtld-servers.net. 172800 IN A 192.33.14.30 b.gtld-servers.net. 172800 IN 2001:503:231d::2:30 c.gtld-servers.net. 172800 IN A 192.26.92.30 d.gtld-servers.net. 172800 IN A 192.31.80.30 e.gtld-servers.net. 172800 IN A 192.12.94.30 f.gtld-servers.net. 172800 IN A 192.35.51.30 g.gtld-servers.net. 172800 IN A 192.42.93.30 h.gtld-servers.net. 172800 IN A 192.54.112.30 i.gtld-servers.net. 172800 IN A 192.43.172.30 j.gtld-servers.net. 172800 IN A 192.48.79.30 k.gtld-servers.net. 172800 IN A 192.52.178.30 l.gtld-servers.net. 172800 IN A 192.41.162.30 ;; Query time: 2 msec ;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx) ;; WHEN: Wed Jan 30 14:50:32 2013 ;; MSG SIZE rcvd: 500 Is it supposed to work like this? We are getting 100-600 of these a second. Most are looking up isc.org. They are more then likely spoofed IP's and someone is using our servers to attack people. I spent some time doing google searches and mostly found that you need to make sure you are only doing recursive lookups for your network, but that hasn't solved our issue if we are still sending out responses. -- Richard Carroll richcarr...@gmail.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- () ascii ribbon campaign - against html e-mail /\ www.asciiribbon.org - against proprietary attachments Disclaimer: http://goldmark.org/jeff/stupid-disclaimers/ ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: injecting a temp entry into dns cache
Interesting. Intentionally poison your own cache so your users aren't inconvenienced by anothers misconfiguration. Not sure how you go about doing that on box. Perhaps bigger brains on this list can say. I have had occasion to forge answers locally as an immediate fix for name resolution issues which caused significant operational problems. I elected to add the zone in named.conf and answer the query correctly (and authoritatively) until I could get the owner to correct things. You will probably need to add other zone records too - MX and any other A records you can think to search for. Personally, I wouldn't consider doing something like that in this situation as you've described. However, mere inconvenience as I perceive it may be significant your view. On Sat, 2013-02-02 at 16:41 -0500, Veaceslav Revutchi wrote: There is a credit union website that our users access from work and their dns has been broken for the past few days where the www. version works, but the plain name (without the www.) points to some old IP that's not responding. Tried to call them and all I got was that they know they have some kind of problem, but they ask users to type www. in their browser until it's resolved. In situations like this I would like to be able to inject an entry into the cache on our recursive resolvers and point it to the correct IP until the domain owner fixes the problem (poison my own cache so to speak). Is this something that can be done with bind without having to create a zone for the broken domain and make our servers act as authoritative for it? Thank you, Slava ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: injecting a temp entry into dns cache
There is a credit union website that our users access from work and their dns has been broken for the past few days where the www. version From: Jeff Reasoner jeff.reaso...@mail.hccanet.org I elected to add the zone in named.conf and answer the query correctly (and authoritatively) until I could get the owner to correct things. You will probably need to add other zone records too - MX and any other A records you can think to search for. Personally, I wouldn't consider doing something like that in this situation as you've described. ... On my own computers and for my own busines, I add temporary lines to /etc/hosts every few months to deal with such problems. However, hacking a financial institution by publishing false DNS data to third parties (including employees) would promise too much excitement and too little profit for my tastes, especially after talking about the crime in public. I doubt that I could convince a court of technical facts or that I was doing the credit union a favor. The credit union would probably convince the authorities (including the newly sprouting bureaucracy run by the same people who are in charge of the TSA) that I was responsible for the whole mess from the beginning. Besides, do you really want to help drive business to that kind of financial institution? If its trivial records like DNS are a persistent mess, what about the complicated banking records required by law? If it were competent, the credit union would be using DNSSEC, which make a local DNS zone useless. Vernon Schryverv...@rhyolite.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: injecting a temp entry into dns cache
Hey Slava, You can use a small DNS proxy that will forge only this specific record while for others it will just pass it. By adding a forward DNS zone and add the proxy as the forward DNS server. This is *not* recommended but these are the tools you have. If the DNS proxy is not the well written your users will have troubles. On 2/2/2013 11:41 PM, Veaceslav Revutchi wrote: There is a credit union website that our users access from work and their dns has been broken for the past few days where the www. version works, but the plain name (without the www.) points to some old IP that's not responding. Tried to call them and all I got was that they know they have some kind of problem, but they ask users to type www. in their browser until it's resolved. In situations like this I would like to be able to inject an entry into the cache on our recursive resolvers and point it to the correct IP until the domain owner fixes the problem (poison my own cache so to speak). Is this something that can be done with bind without having to create a zone for the broken domain and make our servers act as authoritative for it? Thank you, Slava -- Eliezer Croitoru http://www1.ngtech.co.il ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users