Spammers abusing recursive caching name servers

Simon Waters Simon at wretched.demon.co.uk
Mon Dec 15 23:35:52 UTC 2003


Scott Lambert wrote:
> 
> Query comes in from outside mycidr/mask;
>   Am I configured to be authoritative for this request?
>     Yes: answer the query
>     No:
>       Do the roots say I am authoritative for this request?
>         Yes:
>           Case request type in:
>             A or AAAA) return the Silly Spammers IP.
>             *)         return NXDOMAIN
>           esac;
>         No:
>           Is requester in abusive ACL?
>             Yes: drop the query or return NXDOMAIN
>             No: go ahead and do the recursive query.
>                 # so that the spammers are encouraged to try these tricks
>                 # and we get more chances to call users "stupid" or otherwise
>                 # provide education, depending on the BOFHness of the admin. :-)
> 
> Is this possible currently?

The problem is you don't want to abuse such clients too roundly, as some
may be confused paying clients.

If you discover domains spuriously delegated to your DNS servers, well, I
think they are fair game, at least as far as reducing load on your own
name servers goes. Just load up a generic "duff" zone file for each such
zone with a few hours' cache time.

Punishing people for stupidity may seem superficially attractive, until
you are having an off day, and find your own stupidity punished.

More generally split authoritative and recursive servers and the problem
should go away.
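As an added illustration of the two measures Simon mentions (restricting recursion to your own clients, and loading a generic "duff" zone for a name someone has spuriously delegated to you), here is a BIND 9 configuration fragment. It is not from the thread or from ISC; the network ranges, file names and the domain name are placeholders chosen for the example, and the zone file's NS record pointing at localhost is a common sink-zone convention rather than something either poster prescribed.

```conf
// ---- named.conf fragment (added example, not from the thread) ----
// Assumes 192.0.2.0/24 is this site's own client range (a documentation
// prefix, used as a placeholder) and that "spuriously-delegated.example"
// is a domain a spammer has pointed at this server without asking.

acl "mynets" {
    127.0.0.1;
    192.0.2.0/24;
};

options {
    directory "/var/named";

    // Weak setting, the behaviour the thread complains about:
    //     recursion yes;      with no allow-recursion restriction
    // answers recursive queries from anyone on the Internet, so the
    // server can be used as a free resolver for the spammers' domains.
    //
    // Corrected: recursion stays on, but only for local clients.
    // Outsiders still get answers for zones this server is authoritative
    // for; they get no recursive service for anything else.
    recursion yes;
    allow-recursion { "mynets"; };

    // Optional, Scott's "drop the query" branch: ignore packets from
    // sources already identified as abusive. Simon's caution applies:
    // some of those sources may be confused paying customers.
    // blackhole { 203.0.113.0/24; };
};

// Simon's "duff" zone: claim the spuriously delegated name, so lookups
// in it are answered locally with NXDOMAIN and cached by remote resolvers
// for a few hours instead of being recursed on their behalf.
zone "spuriously-delegated.example" {
    type master;
    file "duff.zone";
};

; ---- duff.zone (also part of the added example) ----
; Generic sink zone: an SOA and one NS record, nothing else. Every name
; under the zone gets NXDOMAIN. The last SOA field (7200 s) is the
; negative-caching TTL remote resolvers honour, i.e. the "few hours
; cache time" Simon suggests.
$TTL 7200
@   IN  SOA  localhost. hostmaster.localhost. (
            2003121501 ; serial (constructed)
            3600       ; refresh
            900        ; retry
            604800     ; expire
            7200 )     ; minimum / negative-cache TTL
@   IN  NS   localhost.
```

The same duff.zone file can be reused for every spuriously delegated name by adding one more `zone` block per domain; nothing in the file is specific to the zone name. Simon's stronger recommendation, running authoritative and recursive service on separate hosts, removes the need for the `allow-recursion` line on the authoritative box altogether, since that server would have `recursion no;`.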

