What to do about openDNS

Scott Haneda talklists at newgeo.com
Wed Jan 21 02:12:28 UTC 2009


I brought this up a few months back.  For me, it is getting worse, and  
I am not able to come up with a solution.

I have many clients who reg domains.  They all point to my NS.   
Sometimes, the client lapses hosting with me, and I delete the zones.   
They usually leave the domain reg'd and my NS's listed.

I also have other clients who register thousands of domains, some get
used, some do not.  In the end, I am listed as an NS.  Going back to
clients and asking them to delete the NS from their registrar; it just
is not going to happen.  I do not always know, so adding a zone cannot
happen, and even then, I would have to add a wildcard for them all to
resolve.

I have heard varying levels of disapproval for wildcards to solve this  
as well.

The problem is with openDNS, which grows every day.  If one uses them
as a rr, when someone requests a domain that is not set up, openDNS
will make around 50 requests for that domain.  Then the browser will
inject www. to the domain, and it asks for another 50.  Add in spam
for MX's and any number of other requests, and I have, on average, 40
queries per second.

Where it gets really bad is with a heavily used domain that the client
lets go, where there are img src links in a forum, which can get
popular on occasion.

I have tested this with my own NS, as the rr, and it makes 2 or 3  
queries, sees there is no zone, and goes away.  OpenDNS *never* caches  
the result, and happily goes about this all day long.

My first question is, I assume they are ignoring some TTL, and in  
doing so, are they in violation of any standard in this regard?

Second would be, is this exploitable as I think it is?  In that, one  
could enter any NS they want into their registrar, and create a  
situation in which openDNS is used as a way to attack that NS.

Is there any way for me to locally block this act?  I do not think  
there is, aside from blocking openDNS, which would have negative  
repercussions since they are used by so many people.  Looking for  
automated blocking, not to sit on my logs all day long.

For what it is worth, I did email them; the first email was ignored,
the second email was not understood and they told me they did not
support grep, which I was simply using to extract the number of lines
in my log to show them the issue.  My reply to that was ignored as well.

To be honest, if I wanted to make named behave this way, I would not  
even know how to do so, I would certainly have to take effort to try.

This represents the last 4 hours of my query log, for one domain that
is not even the best example.  I have my logs set to 10M, and this
case already caused a roll of the logs in only 4 hours:
grep -i 'juliansummerhill.com' query.log | wc -l
     1289

Thanks for any pointers and education on this issue.
--
Scott
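An added example, not part of Scott's post or of BIND itself: a small Python script that does the automated detection he asks for.  It reads BIND-style query log lines (the line layout is assumed from BIND 9's `query:` log format; the sample lines below are constructed, not from his log), ignores zones the server actually hosts, and reports each resolver that asks for an unhosted zone more than a threshold number of times within a sliding window.  The `registrable_name` helper is a deliberate simplification that treats the last two labels as the zone.  The output is a list an operator can feed into an ACL or firewall rule, instead of grepping a 10M log by hand.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed BIND 9 querylog line shape, e.g.
# 21-Jan-2009 01:00:01.001 client 192.0.2.10#40001: query: example.com IN A - (198.51.100.5)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return a dict for one querylog line, or None if the line is not a query entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")  # sub-second part dropped
    return {
        "ts": ts,
        "client": m.group("client"),
        "qname": m.group("qname").rstrip(".").lower(),
        "qtype": m.group("qtype"),
    }


def registrable_name(qname):
    """Simplification: the last two labels are taken as the zone (no public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_hammering_clients(lines, served_zones, window_seconds=60, threshold=20):
    """Flag (client, zone, peak) where a client asked for an unhosted zone
    at least `threshold` times inside any `window_seconds` window."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            continue
        zone = registrable_name(rec["qname"])
        if zone in served_zones:
            continue  # legitimate traffic for a zone we host is not the problem here
        buckets[(rec["client"], zone)].append(rec["ts"])

    flagged = []
    for (client, zone), stamps in buckets.items():
        stamps.sort()
        start = 0
        peak = 0
        for end in range(len(stamps)):
            # Two-pointer sliding window over sorted timestamps.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged.append((client, zone, peak))
    return sorted(flagged)


# Zones this server really hosts (constructed for the example).
SERVED_ZONES = {"example.com"}


def build_sample_log():
    """Constructed log: one resolver hammering an unhosted zone, one that gives up,
    plus ordinary traffic for a hosted zone and a non-query line."""
    lines = []
    # 50 queries from one resolver for a zone we no longer host, within 10 seconds,
    # alternating between the apex and the www. name the browser injects.
    for i in range(50):
        name = "www.juliansummerhill.com" if i % 2 else "juliansummerhill.com"
        lines.append(
            f"21-Jan-2009 01:00:{i // 5:02d}.{(i % 5) * 200:03d} client 192.0.2.10#4{i:04d}: "
            f"query: {name} IN A - (198.51.100.5)"
        )
    # A well-behaved resolver: two queries for the missing zone, then it goes away.
    lines.append("21-Jan-2009 01:05:00.000 client 192.0.2.20#53000: query: juliansummerhill.com IN A - (198.51.100.5)")
    lines.append("21-Jan-2009 01:05:00.300 client 192.0.2.20#53001: query: juliansummerhill.com IN MX - (198.51.100.5)")
    # Normal traffic for a zone we do serve; must not be flagged.
    for i in range(30):
        lines.append(
            f"21-Jan-2009 01:06:{i:02d}.000 client 192.0.2.10#5{i:04d}: "
            f"query: www.example.com IN A - (198.51.100.5)"
        )
    lines.append("this line is not a query log entry")
    return lines


if __name__ == "__main__":
    for client, zone, n in find_hammering_clients(build_sample_log(), SERVED_ZONES):
        print(f"{client} sent {n} queries for unhosted zone {zone} within 60s")
```

The script only reports; deciding whether to drop, REFUSE or rate-limit a flagged resolver is a policy choice for the operator, and blocking a large public resolver outright has the side effect Scott describes.  Later BIND releases added response rate limiting (the `rate-limit {}` block in `options`), which limits per-client responses inside named itself and is the first thing to reach for before any external blocking.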
