On 11/06/2013, at 6:31 PM, Dave Mill

> In the past I've split off legacy IPs on resolvers to a different server and installed a completely open Bind resolver on it. Log IPs and contact people who are under your control (on your network I guess).
>
> Then hack bind to return one IP address as an answer to any standard query. We just did A and MX. That IP points to a server under your control. Install Apache, postfix, courier-pop3d, etc on there and serve various types of bogus data telling people what to do.

Yeah, tricks like this are fun to do, too :-) I've wondered also about only spoofing replies for say, google for a month or so, before shutting it off entirely. Also, such a thing should (I think) only return A records where a real A record already exists - maybe a patch for bind or unbound is needed to do this.. Maybe you only spoof A records, and leave CNAME etc. untouched. What do you do about DNSSEC?

> It worked well for me. YMMV. I suppose in your case you might need to somehow redirect DNS requests that originate off-net to this other nameserver at your borders or configure this DNS server to handle off-net requests a bit differently. From memory bind will support that.

Did you have any customers who had multiple Internet connections that had problems? One example I thought of that might be tricky, is a friend I have that for various silly reasons has two ADSL lines, from two different providers, and has one on a wired ethernet, and one on a wireless ethernet. If you receive (via DHCP) a DNS server over the wireless network, are modern operating systems intelligent enough to only send queries to that DNS server out that interface? I've seen weird things with a particularly annoying VPN client that sometimes leaks DNS queries out a default route, instead of over the VPN.. I'm going to have to do some testing on this, but if someone has already compiled some, I'd vend beer in their direction.

--
Nathan Ward
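As an added illustration of the "patch" Nathan describes (not code from this thread, BIND or unbound), the following Python rewrites a real upstream reply for an operator's notification resolver: only A records that already exist are pointed at the notification host, CNAME/MX and everything else are left as-is, and a DNSSEC-signed answer (RRSIG present) is passed through unmodified so validating clients do not see a bogus response. The sample wire-format reply and the 198.51.100.7 / 192.0.2.1 addresses are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

A, CNAME, RRSIG = 1, 5, 46  # RR type codes used below
def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
def _walk_answers(msg):
    """Yield (rtype, rdata_offset, rdlen) for every RR in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack('!6H', msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        yield rtype, off + 10, rdlen
        off += 10 + rdlen
def rewrite_a_records(msg, notify_ip):
    """Point every A record in the answer at notify_ip, leaving other RRs untouched.
    A signed answer (RRSIG present) is passed through unmodified so validating
    clients get a real answer instead of a signature failure."""
    rrs = list(_walk_answers(msg))
    if any(rtype == RRSIG for rtype, _, _ in rrs):
        return msg
    out = bytearray(msg)
    for rtype, off, rdlen in rrs:
        if rtype == A and rdlen == 4:
            out[off:off + 4] = IPv4Address(notify_ip).packed
    return bytes(out)
def answer_a_records(msg):
    """Addresses of the A records in the answer section, for inspection."""
    return [str(IPv4Address(msg[off:off + 4]))
            for rtype, off, rdlen in _walk_answers(msg) if rtype == A and rdlen == 4]
def _name(s):
    return b''.join(bytes([len(l)]) + l.encode() for l in s.split('.')) + b'\x00'
# Constructed sample reply (not captured traffic): www.example.com CNAME host.example.com,
# host.example.com A 198.51.100.7; owner names are compression pointers to offsets 12 and 45.
SAMPLE = (struct.pack('!6H', 0x1234, 0x8180, 1, 2, 0, 0)
          + _name('www.example.com') + struct.pack('!HH', A, 1)
          + b'\xc0\x0c' + struct.pack('!HHIH', CNAME, 1, 300, 18) + _name('host.example.com')
          + b'\xc0\x2d' + struct.pack('!HHIH', A, 1, 300, 4) + IPv4Address('198.51.100.7').packed)
# Same reply with a dummy RRSIG appended (ancount 3), standing in for a DNSSEC-signed answer.
SIGNED_SAMPLE = (SAMPLE[:6] + struct.pack('!H', 3) + SAMPLE[8:]
                 + b'\xc0\x2d' + struct.pack('!HHIH', RRSIG, 1, 300, 8) + bytes(8))
```

A name with no real A record produces no A record in the reply, so nothing is invented for it; the same walk could be extended to MX by matching type 15 and replacing its RDATA.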