Re: Query NS Root

2004-02-02 Thread Florian Weimer
Hans Spaans wrote:

> 'dig . ns @nameserver > /etc/bind/db.root' can give you a new db.root
> file for your nameserver. If it's wise? Yes and no, your db.root must
> contain valid data, but to take a random nameserver, that is not wise.

Most resolvers return an empty additional section anyway, which limits
the usefulness of the response. 8-)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: Query NS Root

2004-02-01 Thread Dale Amon
On Sun, Feb 01, 2004 at 02:29:53PM +0100, Hans Spaans wrote:
> But then again, you can do a joke next month so people have a problem
> or you can fix this problem by adding allow-query statements to your
> named.conf and forcing people to abuse someone else.

Actually that's precisely how I discovered it. I added
allow queries and was trying to figure out why I was
denying so many queries per second.

Others should take a look and see if this is really
widespread. I'm getting it from a whole *bunch* of
different IPs.

I wish I could do the joke, but I have too many real
zones that I primary and secondary so I can't really
load a phony root.db.

I agree with your analysis. It seems like a really
stupid thing to do, which is why I am having trouble
understanding why so many people are querying me
like that. It just doesn't make sense.

-- 
--
   Dale Amon [EMAIL PROTECTED] +44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  Have Laptop, Will Travel
--





Re: Query NS Root

2004-02-01 Thread Hans Spaans
On Sunday 01 February 2004 14:50, Dale Amon wrote:
> Actually that's precisely how I discovered it. I added
> allow queries and was trying to figure out why I was
> denying so many queries per second.

You added it globally and to every zone? Also allow-transfer is a nice
one to get into place. But you will see queries being denied and if you
check those IPs you'll see that they don't run any nameserver. So
don't worry too much.

> Others should take a look and see if this is really
> widespread. I'm getting it from a whole *bunch* of
> different IPs.

I did but wasn't impressed, only when the new cyberangels was making 
sure we needed to handle an extra 6 a 700 q/s ;-)

> I wish I could do the joke, but I have too many real
> zones that I primary and secondary so I can't really
> load a phony root.db.

It wasn't meant to be a serious option, but then again people from
newroot think it can be a serious option.

> I agree with your analysis. It seems like a really
> stupid thing to do, which is why I am having trouble
> understanding why so many people are querying me
> like that. It just doesn't make sense.

I did what you have done a while ago and I just made sure everything was
working well and the configuration was correct. After a week or two I
didn't care anymore and nothing was broken in those two weeks, which
resulted in turning off some logging. And just like I said before, the
IPs I have checked didn't run any public nameserver as far as I could
check.

Hans

-- 
How should I know if it works? That's what beta testers are for. I only 
coded it.
-- Linus Torvalds





Re: Query NS Root

2004-02-01 Thread Hans Spaans
On Sunday 01 February 2004 14:02, Dale Amon wrote:
> What is the purpose of a DNS query NS Root? It returns
> to the requester my list of root servers, which seems
> pointless... and I am getting hit by them at the rate
> of several a second from various nameservers.

'dig . ns @nameserver > /etc/bind/db.root' can give you a new db.root
file for your nameserver. If it's wise? Yes and no, your db.root must
contain valid data, but to take a random nameserver, that is not wise.

But then again, you can do a joke next month so people have a problem
or you can fix this problem by adding allow-query statements to your
named.conf and forcing people to abuse someone else.

Hans

-- 
How should I know if it works? That's what beta testers are for. I only 
coded it.
-- Linus Torvalds




Re: Query NS Root

2004-02-01 Thread Dale Amon
On Sun, Feb 01, 2004 at 03:46:07PM +0100, Hans Spaans wrote:
> You added it globally and to every zone? Also allow-transfer is a nice
> one to get into place. But you will see queries being denied and if you

Yes, I've got allow-transfer groups on all domains; allow-query { any; }
on all domains I serve, and an options allow-query group and allow-recursion
group in options so that only authorized sites can use the cache.

> check those IPs you'll see that they don't run any nameserver. So
> don't worry too much.

I'd originally thought otherwise, but as I went through
the trace I found the real name servers were trying to
do a lookup for a dead zone, one I used to host but which
the owner has taken off line. Some fairly big ISPs are
using annoyingly short Retry times...

> I did but wasn't impressed, only when the new cyberangels was making
> sure we needed to handle an extra 6 a 700 q/s ;-)

I have to be careful though as I get phone calls if
my bandwidth usage goes too high. It got so bad a week
ago (before I put in the blocking) that processes 
were dying on my server due to memory starvation (the kernel
was killing processes as resources were being overused), 
that I had to risk down time to do something about it. 
 
I'd still be interested to know if anyone knows *why*
so many people are doing this. I know what they are doing;
I can block it; but I'm curious. I've got a gut feeling
it has something to do with spammers hiding their tracks,
but I'm not sure how it would or why it would be useful
to them. 

I just can't come up with anything else.

-- 
--
   Dale Amon [EMAIL PROTECTED] +44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  Have Laptop, Will Travel
--
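An added example, not code from anyone in this thread, of the check Hans and Dale describe: tallying the "denied" lines that BIND logs once allow-query/allow-recursion are in place, per client IP and per question, so you can see who is hammering the server and what they keep asking for (root NS probes versus retries for a zone that is no longer hosted). The log lines are constructed samples in BIND 9's security-log format; the threshold used by `noisy_clients` is an arbitrary choice.

```python
import re
from collections import Counter

# Matches BIND 9 "query ... denied" security-log lines, e.g.
#   client 192.0.2.10#1234: query (cache) './NS/IN' denied
# (newer BIND also prints a client handle "@0x..." and a "(name)" before the colon)
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F:.]+)#\d+(?: \([^)]*\))?: "
    r"query (?:\((?:cache|recursion)\) )?'(?P<qname>[^/]+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)


def parse_denied(lines):
    """Yield (client_ip, qname, qtype) for every denied-query line; skip the rest."""
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").lower(), m.group("qtype")


def summarize(lines):
    """Return two Counters: denied queries per client IP, and per (qname, qtype)."""
    by_ip, by_question = Counter(), Counter()
    for ip, qname, qtype in parse_denied(lines):
        by_ip[ip] += 1
        by_question[(qname, qtype)] += 1
    return by_ip, by_question


def noisy_clients(lines, threshold):
    """Clients with at least `threshold` denied queries, busiest first."""
    by_ip, _ = summarize(lines)
    return [(ip, n) for ip, n in by_ip.most_common() if n >= threshold]


# Constructed sample log: two clients probing for the root NS list, one former
# secondary still retrying a zone this server no longer hosts, one unrelated line.
SAMPLE_LOG = """\
01-Feb-2004 14:00:01.000 security: info: client 192.0.2.10#1234: query (cache) './NS/IN' denied
01-Feb-2004 14:00:01.200 security: info: client 192.0.2.10#1235: query (cache) './NS/IN' denied
01-Feb-2004 14:00:02.000 security: info: client 198.51.100.7#53: query (cache) 'dead-zone.example/MX/IN' denied
01-Feb-2004 14:00:02.100 security: info: client 198.51.100.7#53: query (cache) 'dead-zone.example/MX/IN' denied
01-Feb-2004 14:00:02.200 security: info: client 198.51.100.7#53: query (cache) 'dead-zone.example/A/IN' denied
01-Feb-2004 14:00:03.000 security: info: client 203.0.113.5#4000: query (cache) './NS/IN' denied
01-Feb-2004 14:00:03.500 general: info: zone example.org/IN: loaded serial 2004020101
""".splitlines()

if __name__ == "__main__":
    by_ip, by_question = summarize(SAMPLE_LOG)
    for ip, n in by_ip.most_common():
        print(f"{n:4d} denied from {ip}")
    for (qname, qtype), n in by_question.most_common():
        print(f"{n:4d} x {qname}/{qtype}")
```

Run it against the real file with `summarize(open("/var/log/named/security.log"))` (path is an assumption) to see whether the top entries are a few resolvers retrying a stale zone, as Dale found, or many unrelated hosts asking for the root NS list.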