Excessive query by open DNS
Scott Haneda
talklists at newgeo.com
Fri Oct 10 22:41:51 UTC 2008
I have read all your responses, and appreciate the help on this one.
I have a few questions still.

Is returning non-publicly-routable addresses such as 192. and 127. etc.
in the public side of DNS allowed? I read once it was generally
frowned upon, but am not sure it is technically in violation of any RFC.

I consider this issue with OpenDNS to be a vulnerability, and a DDoS
vector; correct me if I am wrong. OpenDNS can generate, in my tests,
around 70 queries per second to my NS. The qualifications are that my
NS be the SOA, but not have any zone data loaded. OpenDNS asks for
whatever you request, and then asks again, and again, and again.

I can run curl host.com --timeout 9999 and that will hit my NS really
hard. OpenDNS is a large operation, handling, I hear, millions of
queries in a very short time. Many people use them as well.

A mere few hundred bots, or just a few hundred script kids, with their
resolver pointed to OpenDNS, and a public NS they do not like, is all
it would take to take that public NS down. I know my machine cannot
handle 50,000 queries per second, and I know most of the rest of the
NSs out there cannot either. Even Comcast is overloaded. How much
would it really take to put a burden on even a large ISP like Comcast?

While I could block OpenDNS by their two IPs, so many people use
them, I think this behavior would be as bad as theirs.

I do not think I should have to add zones for domains I do not want
to, and putting a * record in place just to patch them is nothing I
want to do on a full-time basis.

Anyone can register a domain, anyone can put any NS into the DNS
server field at their registrar.

I have contacted OpenDNS; their first reply was to tell me the problem
was resolved. I suspect since I mentioned a specific domain, they
simply refreshed the zone. They did not take the time to read my
entire report to them. I have now replied twice, asking for
clarification, and providing another example. I have not received a
reply in 2 days. As far as I can tell, the ticket is now closed.

Do you agree with me that this is clearly bad behavior? As long as I am
not off my rocker in my thoughts, I will pursue this to get it fixed.
If I am off base, let me know, and I will consider this normal
behavior, even though I think it is strange.
--
Scott
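The symptom described in the post (one resolver re-asking an authoritative server for the same name dozens of times per second when the server is listed as authoritative but has no zone data loaded) is something the operator of that server can spot in the BIND query log before it becomes a capacity problem. The script below is an added example, not code from the post or from BIND: it parses query-log lines, buckets them per client and per second, counts how often each client repeats the same question, and reports the clients that exceed a threshold. The log line layout it expects (a `print-time` timestamp followed by `client IP#port: query: NAME IN TYPE`) is an assumption about the BIND 9 query channel; the log lines, client addresses (RFC 5737 documentation ranges) and thresholds are constructed for the example, and the addresses are not those of any real resolver.

```python
"""Flag resolvers that hammer an authoritative server with repeated queries.

Added example (not from the original post): parses BIND-style query-log
lines, buckets them per client and per second, counts repeated questions,
and reports clients whose peak rate or repeat count crosses a threshold.
All sample lines, addresses and thresholds are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed BIND 9 query-log layout with print-time enabled, e.g.
#   10-Oct-2008 22:41:51.001 client 192.0.2.10#53211: query: host.example IN A -
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.(?P<ms>\d{3}) "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(lines):
    """Return (epoch_seconds, client_ip, qname, qtype) tuples, skipping lines that do not parse."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        base = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S").timestamp()
        ts = base + int(m["ms"]) / 1000.0
        # Normalise the name so "Host.Example." and "host.example" count as one question.
        records.append((ts, m["ip"], m["qname"].lower().rstrip("."), m["qtype"].upper()))
    return records


def peak_qps_per_client(records):
    """Highest number of queries each client sent inside any single one-second bucket."""
    buckets = defaultdict(Counter)  # client ip -> {whole second: query count}
    for ts, ip, _, _ in records:
        buckets[ip][int(ts)] += 1
    return {ip: max(counts.values()) for ip, counts in buckets.items()}


def repeated_questions(records):
    """How many times each client asked the identical (qname, qtype)."""
    return Counter((ip, qname, qtype) for _, ip, qname, qtype in records)


def flag_clients(lines, qps_threshold=50, repeat_threshold=20):
    """Clients whose peak QPS or repeat count reaches a threshold (thresholds are constructed)."""
    records = parse_query_log(lines)
    peaks = peak_qps_per_client(records)
    repeats = repeated_questions(records)
    flagged = {}
    for ip, peak in peaks.items():
        # Worst repeated question for this client.
        own = {k: v for k, v in repeats.items() if k[0] == ip}
        (_, qname, qtype), count = max(own.items(), key=lambda kv: kv[1])
        if peak >= qps_threshold or count >= repeat_threshold:
            flagged[ip] = {"peak_qps": peak, "qname": qname, "qtype": qtype, "repeats": count}
    return flagged


def sample_log():
    """Constructed sample: one resolver repeats the same question 70 times within one second,
    a second resolver behaves normally, and one line is unparseable noise."""
    lines = [
        f"10-Oct-2008 22:41:51.{i * 14:03d} client 192.0.2.10#{40000 + i}: query: host.example IN A -"
        for i in range(70)
    ]
    lines += [
        "10-Oct-2008 22:41:51.100 client 198.51.100.7#53001: query: www.example IN A -",
        "10-Oct-2008 22:41:52.300 client 198.51.100.7#53002: query: mail.example IN MX -",
        "this line is not a query-log entry",
    ]
    return lines


if __name__ == "__main__":
    for ip, info in flag_clients(sample_log()).items():
        print(f"{ip}: peak {info['peak_qps']} q/s, asked {info['qname']}/{info['qtype']} "
              f"{info['repeats']} times")
```

Run against a real query log, the flagged list tells you which resolver to raise the issue with (or to rate-limit at the firewall) and gives you the exact name and count to put in the report; the per-second bucket keeps memory bounded even on a busy server because only one counter per client and second is kept.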