[80802] in North American Network Operators' Group


Re: Malicious DNS request?

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu May 12 11:27:37 2005

To: Brad Knowles <brad@stop.mail-abuse.org>
Cc: Gadi Evron <ge@linuxbox.org>, Joe Shen <joe_hznm@yahoo.com.sg>,
	NANGO <nanog@merit.edu>
In-Reply-To: Your message of "Thu, 12 May 2005 16:43:07 +0200."
             <p06200738bea91bcee3e9@[10.0.1.2]> 
From: Valdis.Kletnieks@vt.edu
Date: Thu, 12 May 2005 11:26:48 -0400
Errors-To: owner-nanog@merit.edu


On Thu, 12 May 2005 16:43:07 +0200, Brad Knowles said:
> At 12:41 PM +0400 2005-05-12, Gadi Evron quoted Joe Shen:
> >  I'd suggest dropping requests for domains you don't hold.
> 	That's kind of hard to do if you're running a recursive/caching nameserver.

Well.. are you running a recursive/caching nameserver for everybody on the
internet to use, or only for your customers?  If the request isn't from
inside your address space, and it's a "recursion requested" for a zone you
don't hold, maybe they're asking the wrong DNS server.

(And yes, I know that if you have a roaming user who's outside your address
space but has hard-coded your DNS IPs in their resolv.conf, it gets trickier.
The right answer here depends on your customer base.)

It's often suggested that you have *two* DNS setups - one that only answers
requests from inside for recursion and caching, and an authoritative one that
faces out and refuses to recurse.  The inside one will cache the outside one
fast enough in most environments.  (No, this doesn't stop all the possible DNS
malfeasance, but it certainly raises the bar a good chunk...)


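Added example, not part of the original message or of any name server's code: a sketch of the per-query decision that the two-server split described above enforces, parsing the RD ("recursion requested") bit and question name from a DNS query in wire format. The network prefix, zone name, function names and action labels are assumptions chosen for illustration.

```python
import ipaddress
import struct

# Assumed values for illustration (documentation prefix and example zone).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
HELD_ZONES = {"example.net"}

def parse_query(packet):
    """Return (recursion_desired, qname) from a DNS query in wire format."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    _id, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:  # QR bit set means a response
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(packet):  # rejects compression pointers
            raise ValueError("bad label")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    return bool(flags & 0x0100), ".".join(labels)  # 0x0100 is the RD bit

def decide(src_ip, packet):
    """Serve held zones to anyone; recurse only for inside address space."""
    rd, qname = parse_query(packet)
    if any(qname == z or qname.endswith("." + z) for z in HELD_ZONES):
        return "answer"      # authoritative data, safe to serve outward
    if any(ipaddress.ip_address(src_ip) in net for net in INTERNAL_NETS):
        # "cache-only" for RD=0 is an assumption of this sketch
        return "recurse" if rd else "cache-only"
    return "refuse"          # outsider asking about a zone we don't hold

def build_query(qname, rd=True):
    """Constructed sample A/IN query, not captured traffic."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100 if rd else 0, 1, 0, 0, 0)
    body = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + body + b"\x00" + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    for src, name in [("192.0.2.10", "www.example.org"),
                      ("198.51.100.7", "www.example.org"),
                      ("198.51.100.7", "www.example.net")]:
        print(src, name, decide(src, build_query(name)))
```

The roaming-user case mentioned in the message falls into the "refuse" branch here, which is why the right policy depends on the customer base.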
