SPAMMER/SECURITY: Can we block unconfigured zones in bind 8?

A. M. Salim salim at localweb.com
Fri May 18 14:29:14 UTC 2001



Hi all,

Does anyone know if one can block queries for unconfigured zones in bind 8
(or, for that matter, in bind 9)?

We are running bind 8.2.3-REL and have an interesting situation.  Not a
break-in or anything like that (so upgrading to 8.2.4 for example is not
an answer).  A spammer has decided to register our DNS along with half a
dozen others for his spamming domains.  Of course, we do not have any zone
files or A records for his domains, and neither do any of the other
nameservers - all except one, that is.  He has a few DSL lines and is
running a nameserver on that DSL line, which he switches on only
momentarily (say once every few hours), long enough to "prime" the other
"hijacked" nameservers by running a query against them.  Then he
disconnects his true DNS and the other "zombies" now happily respond to
queries against his domains via their cache.

See the WHOIS lookup for any of the following, for example:

wesatisfy.net, 4creditcards.net, credit---cards.net, herbal-viagras.com,
herbal--life.com, 4impulse.com

His real DNS is MOR.I74.ORG as far as we can tell, the rest are zombies.

Note that we have no way of preventing someone from registering their
domain against our nameserver.  Complaining to the registrar is all you
can do, and you are at the registrar's mercy (and deaf ear).  None of you
can protect yourselves against this either until ICANN leans on the
deaf/unresponsive registrars.

Also note that the spammer has not broken into any of the servers and does
not need to.  He is relying on standard published bind behaviour, not a
buffer overflow or anything like that.  Easy as pie.  Soon other spammers
will learn of this trick, so it may happen to you too sooner or later.

Also note that we could set up dummy or false "A" records and install
these zones, thereby canceling out the spammer's cache-fooling exercise.
The problem is that (a) we would only be able to do this when we learn we
have been used in this manner through complaints, i.e. "after the fact",
(b) we would now be agreeing to be authoritative nameservers for this spammer,
albeit with bad info, but from a legal/moral standpoint that is splitting
hairs, and (c) the spammer would quickly find out we did this and probably
want to wreak vengeance on us, which we do not wish to invite.

Ideally we want our nameservers to reject any domains that are not
configured in our zone files.

HELP!!!!!

best regards
Mike
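The behaviour the post describes depends on the nameserver being willing to recurse for anyone on the Internet: the spammer's one-shot query makes the server resolve and cache his domain, and later queriers are served from that cache. The usual fix is to restrict (or disable) recursion so that the server only answers from its own zone files for outsiders. The following named.conf fragment is an added example, not from the original post or any reply on the list; the ACL name `ourclients`, the addresses 127.0.0.1 and 192.0.2.0/24, and the zone `example.net` are placeholders and not taken from the post. `allow-recursion` is, to the best of my knowledge, available from BIND 8.2 onward and in all BIND 9 releases; `allow-query-cache` exists only in BIND 9.4 and later.

```conf
// Added example (not from the original post): named.conf options that stop
// outsiders from using this server as a caching resolver for zones it does
// not host. Addresses and names below are assumed placeholders.
acl "ourclients" { 127.0.0.1; 192.0.2.0/24; };

options {
    directory "/var/named";

    // Weak setting (the BIND 8 default): recursion on for everyone.
    // Any host can ask this server to resolve an arbitrary name; the answer
    // is cached and then handed out to the next querier, which is exactly
    // the "prime the zombies" trick described in the post.
    //
    // recursion yes;

    // Hardened: recurse only for our own clients. A query from elsewhere for
    // a name we are not authoritative for is no longer resolved on the
    // querier's behalf, so nothing about the spammer's domains is cached.
    recursion yes;
    allow-recursion { "ourclients"; };

    // BIND 9.4 and later only: also refuse outsiders read access to the
    // cache, so that records a local client happened to look up cannot be
    // fetched from this server by third parties.
    // allow-query-cache { "ourclients"; };

    // Strictly authoritative-only server: turn recursion off altogether.
    // Queries for unconfigured zones are then not answered with data from
    // this host at all (older BIND sends a referral to the roots, newer
    // BIND 9 returns REFUSED; the exact response depends on the version).
    // recursion no;
};

// Zones we really host are unaffected by the settings above.
zone "example.net" {
    type master;
    file "example.net.zone";
};
```

To check the result from a host outside `ourclients`, query the server for a name it does not host (e.g. `dig @ns.example.net www.wesatisfy.net A`): with recursion restricted, BIND 9 clears the `ra` (recursion available) flag in the reply header and returns no answer section, or REFUSED, instead of fetching and caching the record.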
