Re: Excessive query by open DNS - DNS


Thread: Re: Excessive query by open DNS

  1. Re: Excessive query by open DNS

    I have read all your responses, and appreciate the help on this one.
    I have a few questions still.

    Is returning non-publicly-routable addresses such as 192. and 127., etc.,
    in the public side of DNS allowed? I read once it was generally
    frowned upon, but am not sure it is technically in violation of any RFC.

    I consider this issue with OpenDNS to be a vulnerability, and a DDoS
    vector; correct me if I am wrong. OpenDNS can generate, in my tests,
    around 70 queries per second to my NS. The qualifications are that my
    NS be the SOA, but not have any zone data loaded. OpenDNS asks for
    whatever you request, and then asks again, and again, and again.

    I can run curl host.com --timeout 9999 and that will hit my NS really
    hard. OpenDNS is a large operation, handling I hear, millions of
    queries in very short time. Many people use them as well.

    A mere few hundred bots, or just a few hundred script kids, with their
    resolver pointed to OpenDNS, and a public NS they do not like, is all
    it would take to take that public NS down. I know my machine cannot
    handle 50,000 queries per second, and I know most of the rest of the
    NSes out there cannot either. Even Comcast is overloaded. How much
    would it really take to put a burden on even a large ISP like Comcast?

    While I could block OpenDNS by their two IPs, so many people use
    them that I think this behavior would be as bad as theirs.

    I do not think I should have to add zones for domains I do not want
    to, and putting a * record in place just to patch them is nothing I
    want to do on a full time basis.

    Anyone can register a domain, anyone can put any NS into the DNS
    server field at their registrar.

    I have contacted OpenDNS; their first reply was to tell me the problem
    was resolved. I suspect, since I mentioned a specific domain, they
    simply refreshed the zone. They did not take the time to read my
    entire report to them. I have now replied twice, asking for
    clarification, and providing another example. I have not received a
    reply in 2 days. As far as I can tell, the ticket is now closed.

    Do you agree with me, this is clearly bad behavior? As long as I am
    not off my rocker in my thoughts, I will pursue this to get it fixed.
    If I am off base, let me know, and I will consider this normal
    behavior, even though I think it is strange.
    --
    Scott



  2. Re: Excessive query by open DNS

    In article ,
    Scott Haneda wrote:

    > I have read all your responses, and appreciate the help on this one.
    > I have a few questions still.
    >
    > Is returning non publicly routable addresses such as 192. and 127. etc
    > in the public side of DNS allowed? I read once it was generally
    > frowned upon, but am not sure it is technically in violation of any RFC.
    RFC 1918 says these records shouldn't be visible outside the enterprise
    because they'll be ambiguous. However, in practice it's not uncommon,
    and should rarely cause any operational problems.

    > I consider this issue with openDNS to be a vulnerability, and a DDoS
    > vector, correct me if I am wrong. OpenDNS can generate, in my tests,
    > around 70 queries per second to my NS. The qualifications are that my
    > NS be the SOA, but not have any zone data loaded. Open DNS asks for
    > whatever you request, and then asks again, and again, and again.
    Is this behavior specific to OpenDNS? When I've looked at our
    nameserver logs, I see lots of repeated queries from many different
    sources.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE don't copy me on replies, I'll read them in the group ***
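
Both posts above turn on the same question: is one resolver repeatedly asking an authoritative server for the same name at a high rate, or is that just the normal background of repeated queries from many sources that Barry describes? The following script is an added example, not code from either poster or from OpenDNS. It assumes a simplified BIND-style query-log line (timestamp, `client IP#port: query: NAME IN TYPE`), builds a small constructed log in which one client sends 40 queries for one name in under a second alongside a few ordinary clients, and reports per-client peak queries per second and the fraction of queries that repeat an earlier (name, type) pair. The thresholds (20 qps, 50% repeats) are arbitrary placeholders to tune against real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, simplified BIND-style query-log format (not the poster's real logs):
#   12-Jan-2009 10:00:00.001 client 198.51.100.10#40001: query: www.example.test IN A +
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype), or None for non-query lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    return ts, m["ip"], m["qname"].lower().rstrip("."), m["qtype"].upper()


def peak_rate(timestamps, window):
    """Largest number of events falling inside any sliding window of `window`
    seconds (two-pointer scan over the sorted timestamps)."""
    ts = sorted(timestamps)
    span = timedelta(seconds=window)
    best, left = 0, 0
    for right in range(len(ts)):
        while ts[right] - ts[left] >= span:
            left += 1
        best = max(best, right - left + 1)
    return best


def analyze(log_text, window=1.0, rate_threshold=20, repeat_threshold=0.5):
    """Per-client statistics. A client is flagged only when it both bursts
    above `rate_threshold` queries per `window` seconds AND most of its
    queries repeat a (qname, qtype) it already asked for; a busy resolver
    asking many different names is not flagged."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_client[rec[1]].append(rec)
    report = {}
    for ip, recs in per_client.items():
        total = len(recs)
        distinct = len({(q, t) for _, _, q, t in recs})
        repeat_ratio = 1.0 - distinct / total
        peak = peak_rate([r[0] for r in recs], window)
        report[ip] = {
            "queries": total,
            "peak_qps": peak,
            "repeat_ratio": round(repeat_ratio, 3),
            "flagged": peak >= rate_threshold and repeat_ratio >= repeat_threshold,
        }
    return report


def make_sample_log():
    """Constructed sample log (documentation addresses, made-up times): one
    client re-asking a single name 40 times within 0.8 s, three clients each
    asking one different name, and one non-query line that must be ignored."""
    base = datetime(2009, 1, 12, 10, 0, 0)
    lines = []
    for i in range(40):
        t = base + timedelta(milliseconds=20 * i)
        lines.append(f"{t.strftime(TS_FMT)[:-3]} client 198.51.100.10#{40000 + i}: "
                     f"query: www.example.test IN A +")
    for i, name in enumerate(["mail.example.test", "ns1.example.test", "ftp.example.test"]):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.strftime(TS_FMT)[:-3]} client 203.0.113.{5 + i}#5300{i}: "
                     f"query: {name} IN A +")
    lines.append("12-Jan-2009 10:00:05.000 notify: zone example.test/IN: sending notifies")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, stats in analyze(make_sample_log()).items():
        print(ip, stats)
```

Run against a real query log by replacing `make_sample_log()` with the file contents; the repeat ratio is what separates the behaviour Scott describes (the same name asked again and again) from a resolver that is merely busy, and a lame delegation (server is SOA but has no zone loaded) is the usual reason a resolver gets no cacheable answer and keeps coming back.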

