DNS: anything goes?

Kevin Darcy kcd at daimlerchrysler.com
Wed May 31 00:11:02 UTC 2000


DNS is just a database; as long as the names stay within the syntactic
guidelines, they are "allowed". Blaming DNS for allowing malicious MX (or
whatever) records to be advertised is like blaming a piece of paper because
someone scrawled something vulgar and/or hateful on it. If some miscreant
points their MX record at 127.0.0.1, then good mail software should simply
ignore that MX record as if it never existed, since it is "obviously" bogus.
If said miscreant points their MX record at some poor schmuck with which they
have no relationship or permission, then that's a matter between the
perpetrator and the targeted entity: my non-lawyer mind is thinking this might
be construable as some form of Conversion (i.e. using someone else's property
without their permission but falling short of physical incursion which would
otherwise be Trespass) or Nuisance (i.e. the deliberate creation of an
aberrant condition which degrades other people's peaceful enjoyment and/or
quality of life). In neither case is it something that "DNS" or the
BIND software should be trying to enforce, IMO.


- Kevin

Nonny Moose wrote:

> A particularly obnoxious spammer seems to be using, shall we say,
> "eccentric" DNS records...
>
> The domains in question are:
>
> i5.to
> legalforces.com
> poplaunch.com
> qwuest.net
> angelfLre.com
>
> Try for instance:
>
>     dig @nsx.ispfreedom.net i5.to axfr
>
> and check the output (nsx.ispfreedom.net is the authoritative server for
> i5.to). Is this kind of stuff really permitted?
>
> In the same spirit, poplaunch.com and i5.to point to 127.0.0.1:
>
> ; <<>> DiG 8.2 <<>> poplaunch.com
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
> ;; QUERY SECTION:
> ;;      poplaunch.com, type = A, class = IN
>
> ;; ANSWER SECTION:
> poplaunch.com.          1M IN A         127.0.0.1
>
> ;; AUTHORITY SECTION:
> poplaunch.com.          1M IN NS        localhost.
>
> ;; ADDITIONAL SECTION:
> localhost.              6d11h1m3s IN A  127.0.0.1
>
> Digging at the authoritative server shows this:
>
> ; <<>> DiG 8.2 <<>> @nsx.ispfreedom.net poplaunch.com axfr
> ; (1 server found)
> $ORIGIN poplaunch.com.
> @                       1M IN SOA       localhost. aisa.aisa.com. (
>                                         958283795       ; serial
>                                         3H              ; refresh
>                                         1H              ; retry
>                                         5D              ; expiry
>                                         1M )            ; minimum
>
>                         1M IN NS        localhost.
>                         1M IN A         127.0.0.1
> www.et185.com.|qj4qf6IsjdGs1xXlIgfsk  1M IN CNAME  angelfire.lycos.com.
> block                   1M IN A         209.235.102.9
> www                     1M IN A         127.0.0.1
> @                       1M IN SOA       localhost. aisa.aisa.com. (
>                                         958283795       ; serial
>                                         3H              ; refresh
>                                         1H              ; retry
>                                         5D              ; expiry
>                                         1M )            ; minimum
>
> aisa.com isn't AFAICT related to the spammer -- it's a site in Switzerland.
>
> Interesting case of DNS abuse...
>
> -N

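Kevin's suggestion that "good mail software should simply ignore" an MX pointing at 127.0.0.1 as if it never existed, written out as an added example. This is not code from either poster or from BIND; it is a small filter of the kind an MTA would run on the MX set before attempting delivery. It goes a little beyond the loopback case in the thread: it also drops targets resolving only to unspecified, link-local, multicast or reserved addresses, and targets whose name is not a valid hostname (DNS lets a zone carry a label like "www.et185.com.|qj4qf6IsjdGs1xXlIgfsk", as the axfr above shows, but RFC 1123 hostname syntax does not). The resolver is a constructed in-memory stub so the example runs offline; the names mail.example.net, mx2.example.net, mx3.example.net and the addresses 192.0.2.x are made up for the example.

```python
"""Drop "obviously bogus" MX targets before an MTA tries to deliver.

Added example for this thread, not code from BIND or from either poster.
The resolver below is a constructed stub; every name and address in it
is invented for illustration.
"""
import ipaddress
import re

# RFC 1123 hostname label: letters, digits and hyphen, no leading or
# trailing hyphen, at most 63 octets. DNS itself allows any octet in a
# label (RFC 2181), which is why a name containing "|" can be published,
# but an MX target must be a hostname, so we apply the stricter grammar.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_hostname(name):
    """True if name (with or without trailing dot) is RFC 1123 hostname syntax."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def is_routable(addr):
    """Reject addresses no remote MTA could legitimately be reached on."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_loopback or ip.is_unspecified or ip.is_multicast
                or ip.is_link_local or ip.is_reserved)


# Constructed stand-in for A/AAAA lookups: target name -> address strings.
# (Assumption: a real MTA would query its resolver here instead.)
STUB_ADDRESSES = {
    "mail.example.net.": ["192.0.2.10"],
    "localhost.": ["127.0.0.1"],
    "mx2.example.net.": ["0.0.0.0", "192.0.2.11"],
    "mx3.example.net.": ["::1"],
}

# Constructed MX set mirroring the records discussed in the thread.
SAMPLE_MX = [
    (10, "localhost."),                              # loopback target
    (20, "mx3.example.net."),                        # resolves only to ::1
    (30, "www.et185.com.|qj4qf6IsjdGs1xXlIgfsk"),     # not a hostname at all
    (40, "mail.example.net."),                       # legitimate
    (50, "mx2.example.net."),                        # one bogus, one real address
]


def usable_mx_targets(mx_records, lookup=STUB_ADDRESSES.get):
    """Return (preference, target, [routable addresses]) for the MX records
    worth trying, lowest preference first. A record is skipped when its
    target is not a hostname or when none of its addresses is routable;
    unroutable addresses of an otherwise good target are dropped."""
    usable = []
    for pref, target in sorted(mx_records):
        if not is_hostname(target):
            continue
        addrs = [a for a in (lookup(target) or []) if is_routable(a)]
        if addrs:
            usable.append((pref, target, addrs))
    return usable


if __name__ == "__main__":
    for pref, target, addrs in usable_mx_targets(SAMPLE_MX):
        print(pref, target, addrs)
```

Running it leaves only the mail.example.net and mx2.example.net entries (the latter with 0.0.0.0 stripped); the loopback, IPv6 loopback and malformed-name targets are silently ignored, which is the behaviour Kevin argues belongs in the mail software rather than in DNS.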