On 11/06/2013, at 9:13 PM, Sebastian Castro wrote:
On 11/06/13 20:41, Nathan Ward wrote:
On 11/06/2013, at 6:31 PM, Dave Mill wrote:
Then hack bind to return one IP address as an answer to any standard query. We just did A and MX. That IP points to a server under your control. Install Apache, postfix, courier-pop3d, etc. on there and serve various types of bogus data telling people what to do.
Yeah, tricks like this are fun to do, too :-)
I've wondered also about only spoofing replies for say, google for a month or so, before shutting it off entirely.
Also, such a thing should (I think) only return A records where a real A record already exists - maybe a patch for bind or unbound is needed to do this.
Please, please avoid doing this at all costs... I've seen those "clever tricks" before and they cause more breakage than desired. Especially those deploying v6 networks see those tricks as a pain, because A records are rewritten but not AAAA records.
Do you mean the bit I suggested re: serving only if a record of that type exists, or do you mean spoofing stuff entirely? If you mean the latter, and the choice is cut the user off entirely, or serve them a bunch of banners saying "don't do that, we already told you", I think I'd prefer the latter. Open to opposing views and alternative friendly ways to manage it, other than simple cut-off.
Maybe you only spoof A records, and leave CNAME etc. untouched.
What do you do about DNSSEC?
Break it?
How many end hosts does that likely impact, in today's world? Do many end hosts care about DNSSEC, or is it just nameservers at ISPs, some businesses, and nerdy households so far? Is there a way to test, if you're a service provider? I'm not sure the usual javascript checks would work well, unless you also provide a large amount of the end users' content. I wonder if the numbers are much different if you're talking about hosts configured with recursive name servers on a different network.
-- 
Nathan Ward
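The rewriting policy argued over in the thread (only forge A records, and only where a real A exists; leave CNAME and AAAA alone; DNSSEC-signed answers cannot be forged without breaking validation), written out as an added example that is not code from any of the posters or from bind/unbound. It models the answer section of an upstream response as a list of records and returns the rewritten answer plus the reasons it left something untouched. The portal address 192.0.2.10, the 60-second TTL clamp and the sample records are all constructed assumptions.

```python
"""Selective A-record rewriting for a 'walled garden' resolver.

Constructed example, not code from the thread: the answer section of an
upstream DNS response is modelled as a list of RR records, and the policy
debated above is applied to it:
  * rewrite only A records, and only where the upstream answer really
    contains one, so NXDOMAIN/NODATA stay as they were;
  * pass CNAME, MX, AAAA and everything else through untouched;
  * refuse to rewrite a DNSSEC-signed answer (an RRSIG over a forged A can
    no longer validate), and say so;
  * clamp the TTL of the forged A so caches recover quickly once the
    rewriting is switched off.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple

# Assumptions: the notification box lives at an RFC 5737 documentation
# address, and forged answers are cached for at most 60 seconds.
PORTAL_IP = "192.0.2.10"
MAX_FORGED_TTL = 60


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "www.example.com."
    rtype: str   # "A", "AAAA", "CNAME", "MX", "RRSIG", ...
    ttl: int
    rdata: str   # rdata in presentation format


def rewrite_answer(qtype: str, answer: List[RR],
                   portal_ip: str = PORTAL_IP,
                   max_ttl: int = MAX_FORGED_TTL) -> Tuple[List[RR], List[str]]:
    """Apply the rewriting policy to one upstream answer.

    Returns (possibly rewritten answer, notes). The notes explain why an
    answer was left alone, which is the part an operator will want to log.
    """
    notes: List[str] = []

    # 1. DNSSEC: a signed answer is passed through unchanged. Rewriting the
    #    A rdata would leave the RRSIG covering data that no longer exists,
    #    so a validating client would SERVFAIL instead of seeing the banner.
    if any(rr.rtype == "RRSIG" for rr in answer):
        notes.append("dnssec: RRSIG present, forged A would fail validation; left intact")
        return list(answer), notes

    # 2. Only A queries are candidates; an AAAA answer is passed through,
    #    which is exactly the dual-stack inconsistency objected to above.
    if qtype != "A":
        notes.append(f"{qtype.lower()}: not rewritten; dual-stack clients will use it and bypass the portal")
        return list(answer), notes

    # 3. Only rewrite where a real A record exists. An empty answer
    #    (NXDOMAIN or NODATA) stays empty, so bogus names stay bogus.
    if not any(rr.rtype == "A" for rr in answer):
        notes.append("no A record upstream; nothing rewritten")
        return list(answer), notes

    # 4. Swap the address on every A record, keep owner names (so CNAME
    #    chains still terminate correctly) and clamp the TTL.
    out: List[RR] = []
    for rr in answer:
        if rr.rtype == "A":
            out.append(replace(rr, rdata=portal_ip, ttl=min(rr.ttl, max_ttl)))
        else:
            out.append(rr)   # CNAME, MX and anything else pass through
    return out, notes


if __name__ == "__main__":
    # Constructed upstream answer for "www.example.com. A": a CNAME chain
    # ending in a real A record.
    upstream = [
        RR("www.example.com.", "CNAME", 3600, "example.com."),
        RR("example.com.", "A", 3600, "198.51.100.7"),
    ]
    for rr in rewrite_answer("A", upstream)[0]:
        print(rr.name, rr.ttl, rr.rtype, rr.rdata)
```

The "only where a real A exists" rule is the part stock resolvers do not give you out of the box: unbound's `local-zone ... redirect` answers for a whole name tree whether or not the name exists upstream, which is why a patch is mentioned above. The DNSSEC branch is deliberately a refusal rather than a stripped RRSIG, because a client that set the DO bit and validates will reject a forged A either way; the honest outcome for such a client is the upstream answer, not a SERVFAIL.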