Hijacking third party DNS servers?

Kevin Darcy kcd at daimlerchrysler.com
Sat Feb 24 01:55:36 UTC 2001


scheidell at caerulus.cerintha.com wrote:

> On 23 Feb 2001 16:28:17 -0800, Tim Maestas <tmaestas at dnsconsultants.com> wrote:
> >
> >
> >       It is true to say that any publicly addressed server
> >       on the internet is free to be queried for a given
> >       domain if it is advertised as authoritative for that
> >       domain.  If you don't like people querying for hosts
> >       in zones you do not host, do as the quoted excerpt
> >       suggests and restrict recursion.  If you are a caching
> >       only nameserver, and only want your known clients to
> >       be able to query it, then restrict queries.
>
> I do restrict them, that is how I found the entries
> Of great concern to me is any program that depends on 'misconfigured'
> servers
>
> Remember the Microsoft debacle? Wasn't one of those problems a problem
> with some third party (non-authoritative) who released a 'poison' zone?
>
> This program (and I have already talked to three people doing the same
> thing) HOPES that they find open servers who have correct info.

But your server isn't "open"; it's recursion-restricted. Which means it'll be a
hit-or-miss affair whether they're able to resolve anything from your server that
isn't in your authoritative domains. At a certain point, this program will
actually spend *more* resources and time "crawling" through nameservers trying to
find one that will answer its recursive query, than it would just by following the
normal delegations and referrals like a regular nameserver. So this problem is,
I think, in the long-term self-correcting.

If you want to speed up this "correction", just blackhole the bastards. That'll
cut your traffic down at least in half, and increase their query latency.

> Do I get a cut of the $$ this person is getting for providing this
> service? Do I get some of the NSI money for running root servers? or will
> I just have to 'buck up and swallow'?

If you can prove that NSI is somehow responsible for this program or service, you
could perhaps (IANAL) sue them for "unjust enrichment" or "conversion". Of course,
that would require evidence...


- Kevin
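
The three measures discussed in this thread (restricting recursion, restricting queries, and blackholing) sketched as a BIND named.conf fragment. This is an added example, not part of the original message; the ACL names, the addresses (documentation ranges) and the zone name are assumptions.

```conf
// Constructed example: all addresses are from documentation ranges.
acl "known-clients" { 127.0.0.1; 192.0.2.0/24; };          // hypothetical internal clients
acl "crawlers"      { 198.51.100.17; 203.0.113.0/28; };    // hypothetical offending sources

options {
    // Weak setting, shown for comparison only (open resolver):
    //   allow-recursion { any; };
    allow-recursion { "known-clients"; };   // only known clients may recurse
    allow-query     { "known-clients"; };   // default for names not hosted here
    blackhole       { "crawlers"; };        // never answer, never query these addresses
};

zone "example.com" {
    type master;
    file "db.example.com";
    allow-query { any; };   // advertised authoritative zones stay publicly queryable
};
```

The zone-level allow-query overrides the global one, so hosted zones remain answerable to everyone while everything else is limited to known clients.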




More information about the bind-users mailing list