Hijacking third party DNS servers?

Tim Maestas tmaestas at dnsconsultants.com
Sat Feb 24 00:15:28 UTC 2001



	It is true to say that any publicly addressed server
	on the internet is free to be queried for a given
	domain if it is advertised as authoritative for that
	domain.  If you don't like people querying for hosts
	in zones you do not host, do as the quoted excerpt
	suggests and restrict recursion.  If you are a caching
	only nameserver, and only want your known clients to
	be able to query it, then restrict queries.

-Tim


------------------------------------------
http://www.dnsconsultants.com
DNS and other network consulting
------------------------------------------


On 23 Feb 2001 scheidell at fdma.com wrote:

> Due to the great number of DNS problems, we have been monitoring our DNS
> servers closely.
> 
> What we have started to find, is new 'improved' programs that are
> attempting to use OUR DNS cache for their queries (rather than
> root.servers, or their isp's servers)
> 
> I think this is similar to mail relay rape: you are asking my server to do
> YOUR work. If you send email to MY host and ask me to relay it to a
> third host, neither of which I own, maintain or have MX records for, it is
> theft of services. If you ask MY host to resolve a query for YOU, and I
> don't maintain YOUR host, and I don't provide DNS records for that third
> host, it's theft of services (no matter how small).
> 
> If you send a query to my dns server, and I do not host YOU, and I do not
> host the TARGET, then you are asking my server to spend ITS CPU cycles
> looking up information for YOU, when your server is supposed to do the
> same thing.
> 
> Here is an excerpt, I disagree on the 'any server on the ..net is
> available to be touched'
> 
> As far as 'damaging', no, if just ONE person did it, it would not hurt,
> but what about hundreds or thousands doing it?
> 
> "I do disagree with you that it is theft of services to ask a publicly
> addressed DNS server for a simple DNS reply. Any server on the Internet is
> available to be touched as long as it is not malicious or damaging.  What
> we are doing is no different than pinging, and I seriously doubt you would
> say it is "theft" to ping a server once in a while that is open to pings.
> Anyone who doesn't want their DNS server to be queried is free to block
> recursive or other lookups from networks they don't control. This is a
> fact. "
> 
> --
> Michael Scheidell
> Florida Datamation, Inc.
> scheidell at fdma.com / 1+(561) 368-9561
> Internet Security and Consulting
> See updated IT Security News at http://www.fdma.com
> 
> 
> 
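The two remedies Tim names (restrict recursion on an authoritative server; restrict queries on a caching-only server) map directly onto BIND 9 `named.conf` directives. The fragments below are an added example, not configuration from either poster; the ACL name, zone name and addresses are made up (the address ranges are the IETF documentation ranges), and `allow-query-cache` assumes BIND 9.4 or later.

```conf
// --- Weak: authoritative for example.net, but recursion is open to the world ---
// Anyone on the Internet can use this box as their resolver, which is the
// situation the quoted post objects to.
options {
    directory "/var/named";
    recursion yes;                 // BIND default
    // no allow-recursion / allow-query-cache restriction at all
};

zone "example.net" {
    type master;
    file "example.net.zone";
};

// --- Corrected: authoritative answers for anyone, recursion only for known clients ---
acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;                  // hypothetical internal IPv4 range
    2001:db8::/32;                 // hypothetical internal IPv6 range
};

options {
    directory "/var/named";
    allow-query { any; };          // hosted zones must stay reachable from everywhere
    allow-recursion { trusted; };  // only our own clients may ask us to chase names we do not host
    allow-query-cache { trusted; };// and only they may read what the cache already holds (BIND 9.4+)
};

zone "example.net" {
    type master;
    file "example.net.zone";
    // inherits allow-query { any; } from options
};

// --- Caching-only server: no zones of its own, so restrict all queries to known clients ---
acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;
};

options {
    directory "/var/named";
    recursion yes;
    allow-query { trusted; };      // outsiders get REFUSED for everything
    allow-recursion { trusted; };
};
```

Run `named-checkconf` before reloading. To confirm the restriction took effect, query the server from an address outside the ACL for a name it does not host (for example `dig @ns.example.net www.example.org`): a correctly restricted server returns REFUSED rather than an answer, and the response header no longer carries the `ra` (recursion available) flag, while a query for a hosted name such as `www.example.net` is still answered.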


