Screwy authoritative servers
Kevin Darcy
kcd at daimlerchrysler.com
Tue Apr 24 02:41:43 UTC 2001
My guess is that they just search the Net for nameservers which have
recursion open and list those servers in their delegation records. Then
they poke those servers periodically to ensure that the answer for
"www.credit---cards.net" or whatever is always in their cache. If one
server breaks this scheme by restricting recursion, then they just find
another and update their delegations accordingly. As long as the answer is
in most of the caches at any given time, the scheme will work.
Disgusting.
The way to break these folks is for all of those delegated nameservers to
actually *define* their own credit---cards.net zone. They could just simply
have an *empty* zone, or they could put malicious content in there (e.g. an
A record for a website which denounces spammers). BIND 9's "view" mechanism
could probably be employed to fool the spammer into thinking that the
scheme was working even if it wasn't (i.e. put the spammer's source IPs in a
separate, deluded "view" of the zone)... :-)
- Kevin
John Oliver wrote:
> credit---cards.net
>
> Every time I look up the authoritative servers, I get ~12, several
> change each time, and none actually are authoritative. But I can
> nslookup www.credit---cards.net every time with no problem. This is a
> spammer trying to hide their ISP to avoid LARTs. I'm very interested in
> *how* this is accomplished so I can drop a bomb on them next time... :-)
>
> --
> John Oliver, System Administrator http://www.allegiancetele.com
> ConnectNet, an Allegiance Telecom company http://www.connectnet.com
> 6370 Lusk Blvd. Ste F103 (858) 638-2020
> San Diego, CA. 92121 FAX: (858) 623-1505
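A way to tell which of the listed nameservers actually holds the zone and which are just open resolvers handing out a cached answer, as an added example that is not part of this thread: it builds constructed DNS wire-format responses (sample data, not captured from any real server) and classifies them by the AA and RA header flags. The zone name is taken from the thread; the IP addresses, transaction IDs and function names are assumptions made for the example.

```python
import struct

# Query that the delegated servers are asked about (name taken from the thread).
QNAME = "www.credit---cards.net"

# Header flag bits (RFC 1035 section 4.1.1).
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return out + b"\x00"


def build_response(txid, aa, ra, rcode, answer_ip=None):
    """Constructed answer to 'QNAME IN A' (example data, not a capture).

    QR is set, RD is set because the client asked recursively, AA/RA/RCODE
    are taken from the arguments. One A record is added when answer_ip is given."""
    flags = QR | RD | (AA if aa else 0) | (RA if ra else 0) | (rcode & 0xF)
    ancount = 1 if answer_ip else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    msg += encode_name(QNAME) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if answer_ip:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        # 0xC00C is a compression pointer to the question name at offset 12.
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return msg


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields the check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "ra": bool(flags & RA),
        "rcode": flags & 0xF,
        "ancount": an,
    }


def classify(msg):
    """Say what kind of server produced this response.

    'cache'               AA clear, RA set, answer present: an open resolver
                          that is only repeating what it cached. This is the
                          server the spammer borrowed.
    'authoritative-empty' AA set, no answer or NXDOMAIN: the server defined
                          its own (empty) copy of the zone, so the cached
                          name no longer survives there.
    'authoritative'       AA set with an answer: the server really serves the
                          zone (or serves its own replacement A record).
    """
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["aa"]:
        if h["rcode"] == RCODE_NXDOMAIN or h["ancount"] == 0:
            return "authoritative-empty"
        return "authoritative"
    if h["ra"] and h["ancount"] > 0:
        return "cache"
    if h["rcode"] == RCODE_REFUSED:
        return "refused"
    return "nodata"


# Constructed sample responses (assumed addresses, not real ones).
CACHE_HIT = build_response(0x1234, aa=False, ra=True, rcode=RCODE_NOERROR, answer_ip="192.0.2.10")
OWN_EMPTY_ZONE = build_response(0x1235, aa=True, ra=False, rcode=RCODE_NXDOMAIN)
OWN_REPLACEMENT = build_response(0x1236, aa=True, ra=False, rcode=RCODE_NOERROR, answer_ip="192.0.2.99")
RECURSION_OFF = build_response(0x1237, aa=False, ra=False, rcode=RCODE_REFUSED)

if __name__ == "__main__":
    for label, msg in [("open resolver", CACHE_HIT), ("empty zone", OWN_EMPTY_ZONE),
                       ("replacement record", OWN_REPLACEMENT), ("recursion restricted", RECURSION_OFF)]:
        print(f"{label:22s} -> {classify(msg)}")
```

Against a live server the same check is `dig +norecurse @<server> www.credit---cards.net A`: a server that really holds the zone sets the `aa` flag, while a borrowed open resolver answers only while the record is still in its cache and never sets `aa`.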