what the heck do i do now?

Jon Lewis jlewis at lewis.org
Thu Feb 1 04:08:17 UTC 2007


On Thu, 1 Feb 2007, Paul Vixie wrote:

>> One thing you might consider is putting together a script to harvest email
>> addresses from whois records that correspond to the PTR for the querying
>> IPs.  Add to that list abuse, postmaster, webmaster, hostmaster, etc @ the
>> poorly run domain.  Then fire off a message explaining the situation and
>> that you'll be adding a wildcard record on such and such date (preferably
>> not 4/1).  Script all of this and run it every couple of days until the
>> date you gave and then follow through with the wildcard entry.  This
>> undoubtedly won't stop all of the whining but you can at least say you
>> tried.
>
> volunteers are welcome to apply for that job.

It's actually a trivial thing to do.  Start with something like the 
geektools whois proxy.  That'll handle getting the queries to the right 
RIR's whois server.  Then all you need to do is parse the output for email 
addresses.  For extra credit, you can look for common "abuse" addresses in 
the output and ignore other addresses in outputs where an "abuse" address 
is found.

As for trying to "make it stop", the two methods thought to be most 
successful are:

1) maps.vix.com.	604800	IN	NS	.

2) maps.vix.com.	604800	IN	NS	u1.vix.com.
    maps.vix.com.	604800	IN	NS	u2.vix.com.
    maps.vix.com.	604800	IN	NS	u3.vix.com.
    ... [as many as you like]
    u1.vix.com.		604800	IN	A	192.0.2.1
    u2.vix.com.		604800	IN	A	192.0.2.2
    u3.vix.com.		604800	IN	A	192.0.2.3
    ... [as many as you like]

1) just tells them there is no NS, go away.

2) gives them someone unreachable to try, which they'll do, and do, and 
do, wasting lots of retransmitted queries and the time it takes them to 
time out.  If you're lucky, the timeouts might be noticed as increased load 
and mail slowdown on the servers sending these queries.

Either way, a properly functioning caching DNS should leave you alone for 
a while after caching the fact that there (is no NS for maps.vix.com||the 
NS's for maps.vix.com are unreachable/unresponsive).  i.e. Either of these 
should mitigate the traffic far better than simply returning NXDOMAIN for 
every maps.vix.com dnsbl query.

Successful here doesn't necessarily mean "the traffic stopped" but rather 
the traffic has been mitigated as much as is possible without actually 
getting people to fix their systems and stop querying the dead zone.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
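
The whois-parsing step described in the message above, as an added example that is not part of the original post: it pulls email addresses out of whois output and, when an "abuse" address is present, keeps only those. The function name and both sample responses are constructed for illustration; fetching the whois text (for example through a whois proxy) is assumed to have happened already.

```python
import re

# Deliberately simple matcher for addresses as they appear in whois text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def extract_contacts(whois_text):
    """Return the notification addresses found in one whois response.

    An address counts as an "abuse" contact when its local part, or the
    field name on its line, contains "abuse". If any abuse contact is
    found, only abuse contacts are returned; otherwise every address is.
    Order of first appearance is kept and duplicates are dropped.
    """
    every, abuse = [], []
    for line in whois_text.splitlines():
        # "OrgAbuseEmail:  x@y" -> field name "orgabuseemail"
        field, sep, _ = line.partition(":")
        field = field.strip().lower() if sep else ""
        for addr in EMAIL_RE.findall(line):
            addr = addr.lower()
            if addr not in every:
                every.append(addr)
            local = addr.split("@", 1)[0]
            if ("abuse" in local or "abuse" in field) and addr not in abuse:
                abuse.append(addr)
    return abuse if abuse else every


# Constructed sample: a response that carries a dedicated abuse contact.
WITH_ABUSE = """\
NetRange:       192.0.2.0 - 192.0.2.255
OrgName:        Example Hosting
OrgTechEmail:   noc@example.net
OrgAbuseEmail:  Abuse@example.net
"""

# Constructed sample: no abuse contact, a duplicate, and a trailing period.
WITHOUT_ABUSE = """\
inetnum:        198.51.100.0 - 198.51.100.255
e-mail:         hostmaster@example.org
e-mail:         hostmaster@example.org
remarks:        operations contact is ops@example.org.
"""

if __name__ == "__main__":
    print(extract_contacts(WITH_ABUSE))
    print(extract_contacts(WITHOUT_ABUSE))
```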


