SPAMMER/SECURITY: Can we block unconfigured zones in bind 8?

Brad Knowles brad.knowles at skynet.be
Fri May 18 15:21:55 UTC 2001


At 10:29 AM -0400 5/18/01, A. M. Salim wrote:

>  We are running bind 8.2.3-REL and have an interesting situation.  Not a
>  break-in or anything like that (so upgrading to 8.2.4 for example is not
>  an answer).  A spammer has decided to register our DNS along with half a
>  dozen others for his spamming domains.  Of course, we do not have any zone
>  files or A records for his domains, and nor do any of the other
>  nameservers - all except one that is.  He has a few DSL lines and is
>  running a nameserver on that DSL line, which he switches on only
>  momentarily (say once every few hours), long enough to "prime" the other
>  "hijacked" nameservers by running a query against them.  Then he
>  disconnects his true DNS and the other "zombies" now happily respond to
>  queries against his domains via their cache.

	You can fix his little red wagon in one of two ways:

		1.  List yourself as authoritative for the zones that he
			has registered, and then point them at your own servers,
			or make them totally empty.

			He'll either notice that all his traffic is being diverted
			somewhere else, or that it's not going anywhere, and he'll
			remove you from his list.

		2.  You can fix this and all future problems like this by
			turning off recursion in your authoritative nameserver(s),
			so that when queries get pointed at your machines, they
			will essentially answer "Sorry, never heard of them".

>  Also note that we could set up dummy or false "A" records and install
>  these zones, thereby canceling out the spammer's cache-fooling exercise.

	Right, this is my suggestion #1.

>  The problem is that (a) we would only be able to do this when we learn we
>  have been used in this manner through complaints i.e. "after the fact",
>  (b) we would now be agreeing to be authoritative nameservers for this spammer
>  albeit with bad info but from a legal/moral standpoint that is splitting
>  hairs, and (c) the spammer would quickly find out we did this and probably
>  want to wreak vengeance on us which we do not wish to invite.

	Not necessarily.  If you direct his web traffic for his various 
domains to an IP-based virtual domain you host on one of your 
servers, you can explain on that page what he is doing, what 
information you have on him, and that you do not support his 
activities.

>  Ideally we want our nameservers to reject any domains that are not
>  configured in our zone files.

	Best way to do that is to turn off recursion on your 
authoritative nameservers, which is something I would *HIGHLY* 
recommend that you do, regardless.

-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
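A way to verify the fix the reply recommends, as an added example that is not part of the original post: after setting `recursion no`, a query to your authoritative server for a name you do not host should come back without the `ra` flag and without answers (a referral or REFUSED), whereas a server that has been "primed" answers from cache with `ra` set and no `aa`. The dig header lines below are constructed; the regexes assume standard dig(1) header formatting.

```python
"""Classify dig(1) header output to spot a nameserver that answers for names
it is not authoritative for (the cache-priming exposure in the thread).

Added example, not code from the original post.  Sample dig output is
constructed; feed real output from `dig @yourns some.name.you.do.not.host`
into classify_response() to audit your own servers.
"""
import re

STATUS_RE = re.compile(r"status: ([A-Z]+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*); QUERY: \d+, ANSWER: (\d+)")

# Constructed: out-of-zone query answered from cache by a recursing server.
EXPOSED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
"""
# Constructed: same query against a server with `recursion no` (root referral).
HARDENED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4322
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
"""
# Constructed: a server that refuses out-of-zone queries outright.
REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4323
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""


def classify_response(dig_output: str) -> str:
    """Return 'authoritative', 'recursive', 'referral', 'refused' or 'unknown'.

    'recursive' is the bad case: no `aa` flag, yet `ra` is set or answer
    records were returned, i.e. the server served data out of its cache.
    """
    status = STATUS_RE.search(dig_output)
    flags = FLAGS_RE.search(dig_output)
    if not status or not flags:
        return "unknown"
    flag_set = set(flags.group(1).split())
    answers = int(flags.group(2))
    if status.group(1) == "REFUSED":
        return "refused"
    if "aa" in flag_set:
        return "authoritative"      # one of our own zones; expected
    if "ra" in flag_set or answers > 0:
        return "recursive"          # exposed to the cache-priming trick
    return "referral"               # non-recursive server pointing elsewhere


def is_exposed(dig_output: str) -> bool:
    """True when a query for a name we do not host was answered anyway."""
    return classify_response(dig_output) == "recursive"
```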

