Malicious DNS request?

Brad Knowles brad at stop.mail-abuse.org
Wed May 18 01:39:35 UTC 2005


At 8:45 AM +0800 2005-05-18, Joe Shen wrote:

>  I'm sorry if this is JUST to BIND or some other
>  specific software. But, IMHO this is just a sample
>  that requests which only generate NXDOMAIN responses.

	Do a DNS query for 
slartibartfastisacharacterinamoviewrittenbydouglasadamsthathasnotgottenverygoodreviewslatelyandisbasedontheoriginalBBCradioshowandtheresultingBBCtvminiseries.com, 
and you'll probably get an NXDOMAIN.  Indeed, query for any other 
non-existent domain, and you'll get an NXDOMAIN response.  That's 
what it means.

>  According to someone's presentation on NANOG ("DNS
>  anomalies and their impact on DNS Cache Server"),
>  such a record may be a type of attack.

	NXDOMAIN == Attack?

	Please show me how you arrive at that logic.

>                                     If we only rely on
>  caching to remove paient of CPU time, cache server
>  load will be increased. So, what I'm trying to ask
>  is, is there some mechanism proposed to deal with
>  such a problem? BIND is just a sample.

	Well, only caching servers have to worry about getting an 
NXDOMAIN response back.  Authoritative-only servers may have to worry 
about sending them out, but that's pretty cheap.  Indeed, it's pretty 
cheap for the caching servers to handle getting them.

	Yes, bad clients can abuse either caching servers or 
authoritative-only servers by doing things that result in a lot of 
NXDOMAIN responses, but that falls in the category of the programmers 
doing whatever is possible to protect themselves and their code 
against whatever kind of abuse gets hurled at them by poorly-behaved 
clients.


	As far as that goes, that's a generic problem, and in the case of 
nameservers there are appropriate places to discuss this sort of 
thing -- such as the namedroppers mailing list.

	Now, if you want to drag BIND into this picture as a specific 
example, there are appropriate places to discuss that, too -- such as 
the bind-users mailing list, or maybe one of the developer-oriented 
BIND mailing lists.

	But none of these places are NANOG, and this discussion doesn't 
belong here -- either in the general case of nameservers, or in the 
specific case of BIND.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
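
An added example, not part of the original message or of any nameserver's code: a per-client check over resolver query logs that separates ordinary NXDOMAIN traffic, including one nonexistent name repeated and absorbed by negative caching, from a client asking for many distinct nonexistent names. The log format, sample lines and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample lines in a hypothetical format: "<epoch> <client> <qname> <rcode>"
SAMPLE_LOG = """\
1116380001 192.0.2.10 www.example.com NOERROR
1116380002 192.0.2.10 mail.example.com NOERROR
1116380003 192.0.2.10 no-such-host.example.com NXDOMAIN
1116380004 192.0.2.10 www.example.net NOERROR
1116380005 192.0.2.10 www.example.org NOERROR
1116380006 198.51.100.7 a1.example.com NXDOMAIN
1116380007 198.51.100.7 b2.example.com NXDOMAIN
1116380008 198.51.100.7 c3.example.com NXDOMAIN
1116380009 198.51.100.7 d4.example.com NXDOMAIN
1116380010 198.51.100.7 e5.example.com NXDOMAIN
1116380011 198.51.100.7 www.example.com NOERROR
1116380012 203.0.113.5 wpad.example.com NXDOMAIN
1116380013 203.0.113.5 wpad.example.com NXDOMAIN
1116380014 203.0.113.5 wpad.example.com NXDOMAIN
1116380015 203.0.113.5 wpad.example.com NXDOMAIN
1116380016 203.0.113.5 wpad.example.com NXDOMAIN
"""

def nxdomain_stats(log_text):
    """Per client: total queries, NXDOMAIN count, set of distinct NXDOMAIN names."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "nx_names": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _ts, client, qname, rcode = fields
        entry = stats[client]
        entry["total"] += 1
        if rcode == "NXDOMAIN":
            entry["nx"] += 1
            # DNS names are case-insensitive; drop a trailing root dot
            entry["nx_names"].add(qname.lower().rstrip("."))
    return dict(stats)

def flag_clients(stats, min_queries=5, min_unique_nx_ratio=0.5):
    """Flag clients whose distinct NXDOMAIN names dominate their query volume.

    Thresholds are illustrative assumptions, not recommended values.
    """
    flagged = []
    for client, s in stats.items():
        if s["total"] < min_queries:
            continue
        ratio = len(s["nx_names"]) / s["total"]
        if ratio >= min_unique_nx_ratio:
            flagged.append((client, s["nx"], len(s["nx_names"]), round(ratio, 2)))
    return sorted(flagged)

if __name__ == "__main__":
    for row in flag_clients(nxdomain_stats(SAMPLE_LOG)):
        print(row)
```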


