DNS help.

Post #330,190 by static 7/24/10 9:16:40 AM Reply	DNS help. Some knob has decided my public DNS server, which is, you know, like, for my domain name, is good enough to use for any DNS lookup. (I use it for this when I'm at home.) I firewalled his access away a few hours ago, but just in case it takes a few days for him to notice, I'm curious as to what else can I do so he gets the "get off my lawn" message? Resolve *. to 127.0.0.1? Is that even possible? I'm running Bind 9. My server rebuild will, of course, not have this feature in the publically accessible DNS server. Wade. Q:Is it proper to eat cheeseburgers with your fingers? A:No, the fingers should be eaten separately.
Post #330,198 by folkert 7/24/10 9:44:42 AM Reply	There is a good reference... You have to basically instantiate ACLs and only allow certain IP addresses. Effectively you have to make it so the you set it up to be used locally as a caching DNS server that goes out and looks up things for you... and then return authoritative stuff for nothing for any other IP addresses. Lookup "DNS for Rocket Scientists". Excellent book if you choose to buy it.
Post #330,226 by boxley 7/24/10 7:22:34 PM Reply	resolve all the knob asks for to a porn site
Post #330,240 by drook 7/25/10 8:26:47 AM Reply	A few more ideas (if you've got bandwidth to spare) http://www.ex-parrot...-down-ternet.html -- Drew
Post #330,241 by Another Scott 7/25/10 8:44:41 AM Reply	:-D
Post #330,242 by static 7/25/10 9:17:56 AM Reply	Great idea... ... but no, I don't have the bandwidth to spare. I think I'll look at the ACLs in Bind. With a bit of luck, I can disrupt all his lookups and make him realize I'm not a public resolver. Wade. Q:Is it proper to eat cheeseburgers with your fingers? A:No, the fingers should be eaten separately.
Post #330,244 by drook 7/25/10 9:39:55 AM Reply	* -> goatse.cx -- Drew
Post #330,245 by static 7/25/10 10:01:15 AM Reply	Ow. Idiot changed his source address, maybe because he saw his traffic getting ignored. I think it's a small business or something. But I figured out how to setup the ACLs. Now a tcpdump shows a steady stream of "DNS Refused" packets. :-) If I want to do dastardly resolutions, I need to brush up on my zone file syntax. Wade. Q:Is it proper to eat cheeseburgers with your fingers? A:No, the fingers should be eaten separately.
Post #330,246 by drook 7/25/10 10:11:18 AM Reply	Great name for a college band: Dastardly Resolutions Works as a book title, too. -- Drew
Post #330,428 by static 7/28/10 7:26:45 AM Reply	Update. I had a closer look at my iptables options and found TARPIT. Oooo... Unfortunately, I don't have the right kernel option installed. Drat. So I picked REJECT --reject-with icmp-host-unreachable. he he he he... So they keep changing their source address. It's coming from somewhere in Russia. So now I'm filtering 91/8 and 89/8. I wonder how long this will last... Wade. Q:Is it proper to eat cheeseburgers with your fingers? A:No, the fingers should be eaten separately.
Post #330,468 by static 7/29/10 5:46:06 AM Reply	Grr. It's spreading. :-( Well, moving. The two Russian hosts aren't trying anymore, instead I've got a third in Turky, a fourth in Montreal and a fifth somewhere in the US Midwest. They've been blocked similarly. My guess is someone has assembled a list of open resolvers and mine got on there. Now it's being distributed and people are using it. I might have to those dastardely resolutions, after all. That would still let anyone resolve my domain name but give them hell if they try to treat it as a open resolver... Wade. Q:Is it proper to eat cheeseburgers with your fingers? A:No, the fingers should be eaten separately.
Post #330,552 by scoenye 7/30/10 10:19:01 PM Reply	Disable recursion? If the only use is to resolve your domain, then disable recursive lookups for the internet at large. You can always make an exception for local hosts (assuming the addresses can be distinguished.) Exact details depend on OS and DNS server version of course.
Post #330,559 by static 7/31/10 8:22:02 AM Reply	I did that. Or at least I think I did. I could see in tcpdump that they were getting "DNS Refused", but that wasn't enough to tell them to reconfigure their resolver. Using iptables to tell it the host isn't there seems to be working rather better. I've taken to emailing the IP range owner (these email addresses must work: the IP registries get upset when they don't!). This also seems to stop things. On the most recent ones, I've asked them to also tell whoever they got the address. Slowly but surely. If I get bored of this, I will be setting up *. to resolve to some black hole. Wade. Q:Is it proper to eat cheeseburgers with your fingers? A:No, the fingers should be eaten separately.
Post #330,568 by drook 7/31/10 12:50:49 PM 7/31/10 12:51:09 PM Reply	Right, like I said ... Cure mental image, annnnnnd ... you're welcome. -- Drew Edited by drook July 31, 2010, 12:51:09 PM EDT Expand All History

Welcome to IWETHEY!