Excessive query by open DNS

Scott Haneda talklists at newgeo.com
Fri Oct 10 22:41:51 UTC 2008


I have read all your responses, and appreciate the help on this one.   
I have a few questions still.

Is returning non-publicly routable addresses such as 192. and 127. etc.
in the public side of DNS allowed? I read once it was generally
frowned upon, but am not sure it is technically in violation of any RFC.

I consider this issue with OpenDNS to be a vulnerability, and a DDoS
vector; correct me if I am wrong. OpenDNS can generate, in my tests,
around 70 queries per second to my NS. The qualifications are that my
NS be the SOA, but not have any zone data loaded. OpenDNS asks for
whatever you request, and then asks again, and again, and again.

I can run curl host.com --timeout 9999 and that will hit my NS really
hard. OpenDNS is a large operation, handling, I hear, millions of
queries in a very short time. Many people use them as well.

A mere few hundred bots, or just a few hundred script kids, with their
resolver pointed to OpenDNS, and a public NS they do not like, is all
it would take to take that public NS down. I know my machine cannot
handle 50,000 queries per second, and I know most of the rest of the
NSs out there cannot either. Even Comcast is overloaded. How much
would it really take to put a burden on even a large ISP like Comcast?

While I could block OpenDNS by their two IPs, so many people use
them that I think this behavior would be as bad as theirs.

I do not think I should have to add zones for domains I do not want  
to, and putting a * record in place just to patch them is nothing I  
want to do on a full time basis.

Anyone can register a domain, anyone can put any NS into the DNS  
server field at their registrar.

I have contacted OpenDNS; their first reply was to tell me the problem
was resolved. I suspect, since I mentioned a specific domain, they
simply refreshed the zone. They did not take the time to read my
entire report to them. I have now replied twice, asking for
clarification and providing another example. I have not received a
reply in 2 days. As far as I can tell, the ticket is now closed.

Do you agree with me that this is clearly bad behavior? As long as I am
not off my rocker in my thoughts, I will pursue this to get it fixed.
If I am off base, let me know, and I will consider this normal
behavior, even though I think it is strange.
--
Scott
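An added example, not from the post or from BIND, of the check a zone operator would want when this happens: parse BIND 9 query-log lines and flag any client that re-asks for names this server does not serve at a high rate within a single second. The log lines, client addresses (documentation ranges) and the served zone name are constructed for the example.

```python
import re
from collections import Counter

# Classic BIND 9 query-log line format this parser targets:
#   <dd-Mon-yyyy> <hh:mm:ss.mmm> client <ip>#<port>: query: <qname> IN <qtype> <flags>
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[\d.]+|[0-9a-fA-F:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample: one resolver (203.0.113.10) repeatedly asks for a name
# in a zone this server is listed as SOA for but has never loaded.
SAMPLE_LOG = """\
10-Oct-2008 22:41:51.001 client 203.0.113.10#41235: query: host.example.com IN A +
10-Oct-2008 22:41:51.014 client 203.0.113.10#41236: query: host.example.com IN A +
10-Oct-2008 22:41:51.027 client 203.0.113.10#41237: query: host.example.com IN A +
10-Oct-2008 22:41:51.040 client 203.0.113.10#41238: query: host.example.com IN A +
10-Oct-2008 22:41:51.052 client 203.0.113.10#41239: query: www.served.example IN A +
10-Oct-2008 22:41:51.063 client 203.0.113.10#41240: query: www.served.example IN A +
10-Oct-2008 22:41:51.500 client 198.51.100.7#53211: query: www.served.example IN MX +
10-Oct-2008 22:41:52.110 client 203.0.113.10#41241: query: host.example.com IN A +
this line is not a query-log entry and is skipped
"""

def parse_query_log(text):
    """Yield (second, client_ip, qname, qtype) for each line that parses."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ts"], m["ip"], m["qname"].lower().rstrip("."), m["qtype"]

def peak_qps_per_client(text):
    """Highest number of queries seen from each client in any one second."""
    per_second = Counter((sec, ip) for sec, ip, _, _ in parse_query_log(text))
    peaks = {}
    for (sec, ip), n in per_second.items():
        peaks[ip] = max(peaks.get(ip, 0), n)
    return peaks

def in_served_zone(qname, zones):
    """True if qname is at or below one of the zones this server actually loads."""
    return any(qname == z or qname.endswith("." + z) for z in zones)

def repeat_offenders(text, served_zones, qps_threshold):
    """(client, qname, peak_qps) for unserved names asked >= threshold times/second."""
    per_second = Counter((sec, ip, q) for sec, ip, q, _ in parse_query_log(text))
    peaks = {}
    for (sec, ip, q), n in per_second.items():
        if not in_served_zone(q, served_zones):
            peaks[(ip, q)] = max(peaks.get((ip, q), 0), n)
    return sorted((ip, q, n) for (ip, q), n in peaks.items() if n >= qps_threshold)

if __name__ == "__main__":
    print(repeat_offenders(SAMPLE_LOG, ["served.example"], 3))
```

On a live server, feed the same functions a tail of the query log and alert on the returned tuples; the threshold should sit well above what a single healthy resolver produces for one name per second.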
