Stopping name server abuse
Paul Kosinski
bind at iment.com
Tue Jun 26 22:28:37 UTC 2018
Most of your replies seem not to address the (immediately
preceding) paragraph they appear to be responding to.
On Mon, 25 Jun 2018 22:15:07 +0200
Reindl Harald <h.reindl at thelounge.net> wrote:
>
>
> Am 25.06.2018 um 22:01 schrieb Paul Kosinski:
> > Somebody who has irresponsibly (and apparently wantonly, given his
> > refusal to fix it) delegated his domain(s) to your DNS server is
> > essentially causing a (modest bandwidth) distributed denial of
> > service attack on your server. I don't think that the "responsible"
> > thing to do is to sit there and suffer from a significantly
> > increased load.
>
> no, but you proposed timeout don't change that anyways
> it makes things only worser
>
> if you have noticeable increased load in real life becuase of some
> domains you no longer want to host on a nameserver you are lost
> anyways and calling that a distributed denial of service is a joke
>
> > What should be done is to get the domain(s) revoked if the owner
> > continues to refuse to remedy the problem: it is *he*, not you, who
> > is being irresponsible.
>
> if you make things worser for everyone without any gain *you are*
> irresponsible because you don't understand the outcome of your actions
> like funny timeouts
>
> > And if the queries are coming via an innocent
> > ISP's resolver, then they are inadvertently assisting in the attack,
> > and should be contacted and asked to help in the remediation. (Note
> > that *their* resources, as well as yours, are being wasted.)
>
> you will contact every ISP and resolver admin out there?
> seriously?
> and ask them to do what exactly?
>
> if you call me and tell me your story about domains pointing to your
> nameserver and why we as ISP don#t stop asking the response you
> deserve is not allowed legally
>
> the question was how to reduce the load and your answers where how to
> increase load and make things worser for everybody and things much
> complexer - the only correct way to get this *finally* resolved is
> force the registry of the domain to remove your nameservers and
> that's it instead of calling innocent parties or playing technical
> games with no gain
More information about the bind-users
mailing list