[87995] in North American Network Operators' Group
Re: DOS attack against DNS?
daemon@ATHENA.MIT.EDU (Alon Tirosh)
Tue Jan 17 01:21:05 2006
Date: Tue, 17 Jan 2006 01:19:21 -0500
From: Alon Tirosh <j0keralpha@gmail.com>
To: "william(at)elan.net" <william@elan.net>
Cc: Paul Vixie <vixie@vix.com>, nanog@merit.edu
In-Reply-To: <Pine.LNX.4.62.0601162114520.21939@sokol.elan.net>
Errors-To: owner-nanog@merit.edu
Admitted, I did not notice the type/class difference. I responded as a
knee-jerk reaction, and that is my mistake.

For the second part, the ANY query type is useful (when targeted at either
your NS and/or public NS servers) to quickly alert to issues such as the one
being discussed with GoDaddy and Nectartech right now on this list.

Pick and/or set up an NS server that is TTL agnostic (flameArmor: this
system is to be used for disparate up-to-date checks only, and I know by
spec this is far from foolproof but it's saved my ass a couple times in the
past) and checks disparate roots and it's useful for finding or alerting to
major name system, registrar, and provider issues quickly.

I'm diverging off-topic, I'm sure. gnight.

On 1/17/06, william(at)elan.net <william@elan.net> wrote:
>
>
> Did you notice that it was class "ANY" and not type "ANY" that Paul noted?
> I've never ever heard of it being used anywhere....
>
> As for ANY query type, what do you think will happen when you query with
> "ANY" to a host in a domain that is not in your local dns server cache?
> And btw if it is in your dns cache, how predictable do you think such
> results are going to be???
>
> On Tue, 17 Jan 2006, Alon Tirosh wrote:
>
> > Not true. The ANY query has multiple uses for consolidating multiple
> > diagnostic queries into a single display, and also for diversion
> > monitoring systems on small domains or groups of same. Not all of us
> > have the resources (or time) of large ISPs behind us.
> >
> > On 15 Jan 2006 17:27:40 +0000, Paul Vixie <vixie@vix.com> wrote:
> >>
> >>> client xx.xx.xx.xx#6704: query: z.tn.co.za ANY ANY +E
> >>
> >> class "ANY" has no purpose in the real world, not even for debugging. if
> >> you see it in a query, you can assume malicious intent. if you hear it
> >> in a query, you can safely ignore that query, or at best, map it to
> >> class "IN".
> >> --
> >> Paul Vixie
>
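
The class/type distinction the thread turns on, as a log check (an added example, not part of the original messages): it parses BIND-style query log lines in the layout quoted above, where the first token after the name is the query class and the second is the query type, and counts class "ANY" queries per client. The sample lines and addresses are constructed, and the optional fields accepted by the pattern are an assumption about other BIND versions.

```python
import re
from collections import Counter

# Layout as in the quoted line: client <addr>#<port>: query: <qname> <qclass> <qtype> <flags>
# Assumption: other BIND versions may add "@0x...", "(qname)" or "view <name>:"; all optional.
LINE_RE = re.compile(
    r"client (?:@\S+ )?(?P<addr>[^\s#]+)#(?P<port>\d+)(?: \([^)]*\))?:"
    r"(?: view \S+:)? query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def classify(line):
    """Return (addr, qname, verdict), or None if the line is not a query record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    qclass, qtype = m["qclass"].upper(), m["qtype"].upper()
    if qclass == "ANY":
        verdict = "class-any"   # QCLASS 255: the case Paul Vixie flags
    elif qtype == "ANY":
        verdict = "type-any"    # QTYPE 255 in a normal class: the use Alon describes
    else:
        verdict = "normal"
    return m["addr"], m["qname"].lower(), verdict

def summarize(lines):
    """Count class-ANY queries per client and tally all verdicts."""
    per_client, verdicts = Counter(), Counter()
    for line in lines:
        rec = classify(line)
        if rec is None:
            continue            # not a query log record
        addr, _, verdict = rec
        verdicts[verdict] += 1
        if verdict == "class-any":
            per_client[addr] += 1
    return per_client, verdicts

# Constructed sample log lines (documentation addresses, made-up names).
SAMPLE = [
    "client 192.0.2.10#6704: query: z.example.net ANY ANY +E",
    "client 192.0.2.10#6705: query: y.example.net ANY ANY +E",
    "client 198.51.100.7#53211: query: example.org IN ANY +",
    "client 198.51.100.7#53212 (www.example.org): query: www.example.org IN A +",
    "17-Jan-2006 01:19:21.000 general: info: zone example.org/IN: loaded",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
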