what the heck do i do now?
Jon Lewis
jlewis at lewis.org
Thu Feb 1 04:08:17 UTC 2007
On Thu, 1 Feb 2007, Paul Vixie wrote:
>> One thing you might consider is putting together a script to harvest email
>> addresses from whois records that correspond to the PTR for the querying
>> IPs. Add to that list abuse, postmaster, webmaster, hostmaster, etc @ the
>> poorly run domain. Then fire off a message explaining the situation and
>> that you'll be adding a wildcard record on such and such date (preferably
>> not 4/1). Script all of this and run it every couple of days until the
>> date you gave and then follow through with the wildcard entry. This
>> undoubtedly won't stop all of the whining but you can at least say you
>> tried.
>
> volunteers are welcome to apply for that job.

It's actually a trivial thing to do. Start with something like the
geektools whois proxy. That'll handle getting the queries to the right
RIR's whois server. Then all you need to do is parse the output for email
addresses. For extra credit, you can look for common "abuse" addresses in
the output and ignore other addresses in outputs where an "abuse" address
is found.

As for trying to "make it stop", the two methods thought to be most
successful are:

1) maps.vix.com.  604800  IN  NS  .

2) maps.vix.com.  604800  IN  NS  u1.vix.com.
   maps.vix.com.  604800  IN  NS  u2.vix.com.
   maps.vix.com.  604800  IN  NS  u3.vix.com.
   ... [as many as you like]
   u1.vix.com.    604800  IN  A   192.0.2.1
   u2.vix.com.    604800  IN  A   192.0.2.2
   u3.vix.com.    604800  IN  A   192.0.2.3
   ... [as many as you like]

1) just tells them there is no NS, go away.

2) gives them someone unreachable to try, which they'll do, and do, and
do, wasting lots of retransmitted queries and the time it takes them to
time out. If you're lucky, the timeouts might be noticed as increased load
and mail slowdown on the servers sending these queries.

Either way, a properly functioning caching DNS should leave you alone for
a while after caching the fact that there (is no NS for maps.vix.com||the
NS's for maps.vix.com are unreachable/unresponsive). i.e. Either of these
should mitigate the traffic far better than simply returning NXDOMAIN for
every maps.vix.com dnsbl query.

Successful here doesn't necessarily mean "the traffic stopped" but rather
the traffic has been mitigated as much as is possible without actually
getting people to fix their systems and stop querying the dead zone.

----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
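
The whois parsing step described in the message above, as an added example that is not part of the original post: it pulls addresses out of whois output, keeps only the abuse contacts when any are present, and builds the role addresses from the quoted suggestion. The sample whois text is constructed, and treating the last two labels of a PTR name as the domain is a simplifying assumption.

```python
import re

# Constructed sample whois output (not real registry data).
SAMPLE_ARIN = """\
OrgName:        Example Hosting
OrgTechEmail:   noc@example.net
OrgAbuseEmail:  abuse@example.net
Comment:        Report spam to Abuse@Example.NET.
"""
SAMPLE_NO_ABUSE = """\
person:  J. Admin
e-mail:  jadmin@example.org
e-mail:  hostmaster@example.org
"""

# The domain part must end in a label, so a trailing sentence period is dropped.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
ROLE_LOCALPARTS = ("abuse", "postmaster", "webmaster", "hostmaster")


def extract_contacts(whois_text):
    """Unique addresses from whois output; abuse contacts only, if any exist."""
    abuse, other = [], []
    for line in whois_text.splitlines():
        # Field label, e.g. "orgabuseemail" or "abuse-mailbox" (empty if no colon).
        label = line.split(":", 1)[0].lower() if ":" in line else ""
        for addr in map(str.lower, EMAIL_RE.findall(line)):
            # Assumption: an abuse contact has an abuse* local part or abuse field.
            is_abuse = addr.startswith("abuse") or "abuse" in label
            if is_abuse and addr not in abuse:
                abuse.append(addr)
            elif not is_abuse and addr not in other:
                other.append(addr)
    return abuse or other


def role_addresses(ptr_name):
    """Role addresses at the PTR's domain (naive: last two labels only)."""
    labels = ptr_name.rstrip(".").lower().split(".")
    domain = ".".join(labels[-2:])
    return [f"{lp}@{domain}" for lp in ROLE_LOCALPARTS]


if __name__ == "__main__":
    print(extract_contacts(SAMPLE_ARIN))
    print(extract_contacts(SAMPLE_NO_ABUSE))
    print(role_addresses("mail3.example.org."))
```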