On 11/06/13 20:41, Nathan Ward wrote:
On 11/06/2013, at 6:31 PM, Dave Mill wrote:
In the past I've split off legacy IPs on resolvers to a different server and installed a completely open Bind resolver on it. Log IPs and contact people who are under your control (on your network I guess).
Then hack bind to return one IP address as an answer to any standard query. We just did A and MX. That IP points to a server under your control. Install Apache, postfix, courier-pop3d, etc on there and serve various types of bogus data telling people what to do.
Yeah, tricks like this are fun to do, too :-)
I've wondered also about only spoofing replies for say, google for a month or so, before shutting it off entirely.
Also, such a thing should (I think) only return A records where a real A record already exists - maybe a patch for bind or unbound is needed to do this.
Please, please avoid doing this at all costs... I've seen those "clever tricks" before and they cause more breakage than desired. Especially those deploying v6 networks see those tricks as a pain, because A records are rewritten but not AAAA records.
Maybe you only spoof A records, and leave CNAME etc. untouched.
What do you do about DNSSEC?
Break it?
It worked well for me. YMMV. I suppose in your case you might need to somehow redirect DNS requests that originate off-net to this other nameserver at your borders or configure this DNS server to handle off-net requests a bit differently. From memory bind will support that.
Did you have any customers who had multiple Internet connections that had problems? One example I thought of that might be tricky is a friend I have that for various silly reasons has two ADSL lines, from two different providers, and has one on a wired ethernet, and one on a wireless ethernet. If you receive (via DHCP) a DNS server over the wireless network, are modern operating systems intelligent enough to only send queries to that DNS server out that interface?
I've seen weird things with a particularly annoying VPN client that sometimes leaks DNS queries out a default route, instead of over the VPN.
I'm going to have to do some testing on this, but if someone has already compiled some, I'd vend beer in their direction.
--
Nathan Ward

_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog

--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
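To make the breakage concerns in this thread concrete, here is an added example (not code from any poster, nor a BIND/Unbound patch) that models the rewrite decision such a notification resolver would have to make. It encodes the constraints raised above: rewrite only A/MX answers, only where a real record of that type already exists, never touch AAAA or CNAME chains, and never rewrite when the client asked for DNSSEC (DO bit) or the upstream answer is signed. The notification address and MX target are assumed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, field

NOTICE_IP = "192.0.2.10"            # assumed placeholder (TEST-NET-1) for the notice web server
NOTICE_MX = "10 notice.example."    # assumed placeholder for the notice mail host

@dataclass
class Query:
    qname: str
    qtype: str
    dnssec_ok: bool = False          # DO bit from the client's EDNS0 OPT record

@dataclass
class Response:
    rcode: str                       # "NOERROR" or "NXDOMAIN"
    answers: list = field(default_factory=list)   # (owner, type, rdata) tuples

def rewrite_decision(q: Query, upstream: Response) -> tuple[bool, str]:
    """Decide whether a legacy-IP notification resolver may rewrite this answer.

    Returns (rewrite?, reason). Every False branch is one of the failure modes
    the thread points out: forged answers under DNSSEC, AAAA left inconsistent
    with A, CNAME chains broken, or names that never existed suddenly resolving.
    """
    if q.dnssec_ok or any(t == "RRSIG" for _, t, _ in upstream.answers):
        return False, "dnssec: a validating client would reject a forged answer"
    if q.qtype not in ("A", "MX"):
        return False, f"{q.qtype} passed through unchanged (AAAA etc. stay consistent)"
    if upstream.rcode != "NOERROR":
        return False, f"upstream said {upstream.rcode}; nothing real to rewrite"
    if any(t == "CNAME" for _, t, _ in upstream.answers):
        return False, "CNAME chain left intact"
    if not any(t == q.qtype for _, t, _ in upstream.answers):
        return False, f"no real {q.qtype} record exists for {q.qname}"
    return True, f"{q.qtype} for {q.qname} rewritten to the notice host"

def apply(q: Query, upstream: Response) -> Response:
    """Return the response the client would get: rewritten only when allowed."""
    allowed, _ = rewrite_decision(q, upstream)
    if not allowed:
        return upstream
    rdata = NOTICE_IP if q.qtype == "A" else NOTICE_MX
    return Response("NOERROR", [(q.qname, q.qtype, rdata)])
```

Running the same query with `dnssec_ok=True` is the quickest way to see why the DNSSEC question in the thread has no clean answer: the only safe policy is to not rewrite at all.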