making the queries go away, was Re: Anyone else blacklisted this morning

John Levine johnl at iecc.com
Fri Jan 5 00:41:26 UTC 2018


In article <20180102170409.GA5619 at gsp.org> you write:
>On Tue, Jan 02, 2018 at 04:46:02PM +0000, Mel Beckman quoted:
>> "rbl.iprange.net will mark every ip address as listed to force removal of this server."
>
>Apparently they didn't read section 3.4 of RFC 6471:

I agree that listing the world is a bad idea but I feel their pain,
having a few DNSBL-like things here that are hammered on at great
length by broken clients.  If you want the traffic to go away, what do
you do?


I run a little DNS server at contacts.abuse.net that provides abuse
contact information in TXT records.  For reasons I can only imagine, a
few hosts hammer on them like crazy (one seems to have the goal of
looking up every 2ld in the .at domain) which is a pain.  So I've
started doing nameserver poisoning.  If one of those annoying hosts
asks for, say, foo.bar.contacts.abuse.net which is how you ask for the
contacts for domain foo.bar, it returns

   bar.contacts.abuse.net. NS 604800 abcde.n.contacts.abuse.net.
    ...
   bar.contacts.abuse.net. NS 604800 qwert.n.contacts.abuse.net.

with 12 fake NS records with randomish hostnames.  Then when they do A
or AAAA lookups for those host names, I send back a couple of dozen fake
A or AAAA records.  In my experience that makes them go away pretty
fast, with only the occasional revisit when they want something in an
obscure TLD that I haven't poisoned yet.

This is all written in perl, which turned out to be pretty easy, and
not using Net::DNS or anything like that, either.  I suppose if I
wanted to do this on behalf of a normal nameserver I could use some
packet filters to divert traffic from annoying hosts to the poison
server.

R's,
John
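The bogus-delegation reply described in the post, as an added illustration in Python (not John's Perl code): for a query `foo.bar.contacts.abuse.net`, it builds a referral delegating `bar.contacts.abuse.net` to twelve randomish nameservers, using only the standard library. It assumes a single-question UDP query without compression pointers; the query builder and the fake hostnames are constructed sample input.

```python
import random
import struct

SUFFIX = "contacts.abuse.net"  # the zone named in the post
FAKE_NS_COUNT = 12             # bogus NS records per referral, as in the post
TTL = 604800                   # one week, matching the sample records

def encode_name(name):
    """Dotted name -> wire-format labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(packet, pos):
    """Wire-format labels at pos -> (dotted name, position after the name).
    Assumes plain labels only; compression pointers are not handled."""
    labels = []
    while packet[pos]:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels), pos + 1

def fake_ns_names(count, rng):
    """Constructed randomish hostnames under n.<SUFFIX>, e.g. abcde.n.contacts.abuse.net."""
    return ["".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(5)) + ".n." + SUFFIX
            for _ in range(count)]

def build_referral(query, rng=random):
    """For a query <label>.<zone>.contacts.abuse.net from a client already judged abusive,
    answer with a referral delegating <zone>.contacts.abuse.net to FAKE_NS_COUNT bogus
    nameservers. Returns None if the name is outside the zone or has nothing to delegate."""
    qid, qflags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    qname, qend = decode_name(query, 12)
    qend += 4  # skip QTYPE and QCLASS
    if not qname.endswith("." + SUFFIX):
        return None
    zone = qname.split(".", 1)[1]  # drop the leftmost label: foo.bar... -> bar...
    if zone == SUFFIX:
        return None
    flags = 0x8000 | (qflags & 0x0100)  # QR=1, AA=0 (it is a referral), copy RD
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, FAKE_NS_COUNT, 0)
    authority = b""
    for ns in fake_ns_names(FAKE_NS_COUNT, rng):
        rdata = encode_name(ns)
        authority += encode_name(zone) + struct.pack("!HHIH", 2, 1, TTL, len(rdata)) + rdata
    return header + query[12:qend] + authority  # echo the question, then the NS set

def make_query(name, qtype=16, qid=0x1234):
    """Constructed sample input: a minimal recursion-desired query (default QTYPE TXT)."""
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))
```

The A/AAAA side of the trick (a couple of dozen fake addresses for those hostnames) follows the same RR layout with type 1 or 28 and a 4- or 16-byte rdata; which clients get this treatment is a separate decision the post leaves to the operator.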


