Spammers abusing recursive caching name servers

Paul Vixie vixie at sa.vix.com
Tue Dec 16 07:04:36 UTC 2003


Scott Lambert <lambert at lambertfam.org> writes:

> ... "You were stupid enough to click a link in a spam message."
> 
> However, that appears to be a labor intensive method of dealing with
> the problem and won't help anyone else whose servers these jerks try to
> abuse.  

that can be done, if you tone down your error message text so that
false matches (due, for example, to honest configuration errors) will
not result in insults being thrown.

> My thought is to do something in the name server like the Verisign      
> workaround. 
> 
> Query comes in from outside mycidr/mask;
>   Am I configured to be authoritative for this request?
>     Yes: answer the query

so far so good.

>     No: 
>       Do the roots say I am authoritative for this request?

this part is very difficult, due to necessary caching.

>         Yes:
>           Case request type in:
>             A or AAAA) return the Silly Spammers IP.
>             *)         return NXDOMAIN
>           esac;
>         No:
>           Is requester in abusive ACL?
>           Yes: drop the query or return NXDOMAIN
>           No: go ahead and do the recursive query.
>                 # so that the spammers are encouraged to try these tricks
>                 # and we get more chances to call users "stupid" or otherwise
>                 # provide education, depending on the BOFHness of the admin :-)
> 
> Is this possible currently?

something like it is.  first, separate out your caching recursive service
from your authority zones.  don't try to do both from one server address.
this can sometimes mean running more than one "named" process per host,
with each one "listen-on"'ing a different address.  this in turn means
your host has to be able to have more than one address, which you're already
doing for apache https virtuals.

> We are still running Bind 8 from the FreeBSD base install, and keep it
> patched.  The above abilities would be worth enough for me to do whatever is
> necessary to my zone files to switch to some other version/software.

on your authority server, add a root zone containing a wildcard A RR.  that
will match anything sent to you that you aren't authoritative for.

on your recursive server, disallow queries from untrusted sources.

no spammer will find you useful in that configuration.

> If we get an installed base of servers that do this, we may make it not
> worth doing for the spammers.

alas, spammers are useless sub-morons, and they will not notice.  but at
least you won't be helping them any more.
-- 
Paul Vixie
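
One way to write the split described in the reply above: two "named" processes on separate addresses, a root zone with a wildcard A RR on the authority side, and queries restricted to trusted sources on the recursive side. This is an example added to the archived message, not configuration from the poster or from the BIND project; every address, path and zone name is a constructed placeholder (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).

```conf
// ---- /etc/namedb/auth/named.conf : authority-only named (assumed path) ----
options {
    directory "/etc/namedb/auth";
    pid-file "/var/run/named-auth.pid";
    listen-on { 192.0.2.53; };       // constructed address, the one in your NS records
    recursion no;                    // this process never resolves on behalf of clients
    allow-query { any; };
};
zone "example.net" {                 // placeholder for a zone you really serve
    type master;
    file "example.net.db";
};
zone "." {                           // catch-all for names you are not authoritative for
    type master;
    file "catchall.db";
};

; ---- /etc/namedb/auth/catchall.db : root zone with the wildcard A RR ----
$TTL 300
@   IN SOA ns1.example.net. hostmaster.example.net. (
            2003121601 3600 900 604800 300 )
    IN NS  ns1.example.net.
*   IN A   192.0.2.80                ; constructed address of an explanatory web page

// ---- /etc/namedb/cache/named.conf : recursive caching named ----
acl trusted { 127.0.0.1; 198.51.100.0/24; };   // constructed stand-in for mycidr/mask
options {
    directory "/etc/namedb/cache";
    pid-file "/var/run/named-cache.pid";
    listen-on { 198.51.100.53; };    // second address on the same host
    allow-query { trusted; };        // queries from untrusted sources are refused
    allow-recursion { trusted; };
};
zone "." {
    type hint;
    file "named.root";
};
```

Zones configured on the authority process are more specific than "." and so are answered from their own data; only names outside them fall through to the wildcard.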