Is Muddleworks scanning your DNS too?

David Miller dmiller at sparks.net
Wed Nov 27 18:39:01 UTC 2002


On Wed, 27 Nov 2002, Pete Ehlke wrote:

Hi Pete;

Thanks for CC'ing me and giving me a chance to reply.  I don't regularly
read bind-users.


> On Wed, Nov 27, 2002 at 06:43:01AM -0800, Baby Peanut wrote:
> > 
> > We have a few Internet nameservers on different networks hosting
> > different zones.  We get scanned by 207.5.180.138.  It walks through
> > PTR queries incrementing the last octet from 0 to 255 regardless of
> > the rest of the address.
> > 
> > Does it happen to your servers too?
> > 
> > Who is Muddleworks and what do they do?
> > 
> > $ whois -a 207.5.180.138
> > Great Works Internet GWI-BLK-1 (NET-207-5-128-0-1)
> >                                   207.5.128.0 - 207.5.255.255
> > Muddleworks GWI-MUDDLEWORKS-BLK-1 (NET-207-5-180-0-1)
> >                                   207.5.180.0 - 207.5.180.255
> > 
> I've seen this, too. They seem to be building some sort of local
> database of the in-addr.arpa tree, for what purpose I'm not sure.


This is exactly what we're doing.  The purpose is a reverse dns
accelerator for high end web sites who want to resolve log files in
real-time, or resolve log files that are simply too large to handle
now.  An additional use is customization of the web site in real-time
based on the resolved hostname.

There are no security issues here; Muddleworks (MiningWorks, actually) is
only interested in a copy of the published DNS data.

We take great pains to make the scanning as unobtrusive as possible so
that no nameserver or network admins would perceive themselves to be under 
any sort of attack, DoS or otherwise.  We also perform 99.9% of the
scanning during the wee hours, when the network and nameservers are as
idle as possible.

> I'm Cc-ing muddleworks on this message. Folks, walking the in-addr.arpa
> tree like this can be seen as hostile. An explanation posted to
> bind-users at isc.org and a (conspicuously linked) page on your web server
> would probably be a very good PR move...


Well, here's a notice.  A web site is currently being developed, and
a pointer to a page explaining what's going on will be available soon
through a DNS lookup. MiningWorks is now through the development stage and
beginning the commercialization stage, and additional things will happen
soon to help in dealing with DNS administrators.   Specifically:

o A DNS record of some type will be checked to see if scanning is
  not allowed in this space.  This will be the equivalent of a
  "robots.txt" file that web crawlers look for.

o Concise explanations will be posted on the web site detailing
  what is going on, why, and how to create the above record.

o A web form will allow admins to specify that zone transfers will
  be allowed from specified servers.

Yes, it would have been nice to have all these in place when the first
scanning started.  The company, however, was concerned with laying that
many cards on the table before we were ready to deliver the product.

A handful of admins have contacted me offline.  Most had security concerns
that were quickly alleviated.  One cited an "unnamed government agency they
were contracted with that would pull the contract if they failed to
investigate".  A few objected on philosophical grounds and were added to a
"Do Not Disturb" list that prevents the automated scanning.

MiningWorks has plans to give back to the Internet community.  We will
be offering a reverse DNS space checker that checks the integrity of the
setup - recursive delegations, lame servers and all.  Admins will be
able to sign up to be notified when anything is found to be amiss in their
space.  Lastly, we will be releasing an open-source version of our DNS
server.  The performance of our in-house version must be seen to be
believed, and it offers the potential for drastically reduced hardware
requirements for sites who have large nameserver installations.

Please feel free to discuss any or all of this, on or off list.


Sincerely,


David Miller
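
The pattern described in the quoted report (PTR queries stepping the last octet from 0 to 255) can be spotted in a nameserver's query log. The following is an added example, not part of the original message or of any MiningWorks or BIND code; the log line shape is assumed to follow BIND 9 query logging, and the addresses and the `min_run` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log shape (BIND 9 style): "client <ip>#<port>: query: <name> IN PTR"
LINE_RE = re.compile(
    r"client (?:@\S+ )?(?P<client>[0-9.]+)#\d+.*?query: "
    r"(?P<d>\d+)\.(?P<c>\d+)\.(?P<b>\d+)\.(?P<a>\d+)\.in-addr\.arpa\.? IN PTR",
    re.IGNORECASE,
)

def longest_run(octets):
    """Length of the longest run of consecutive integers in a set."""
    best = 0
    for o in octets:
        if o - 1 not in octets:              # o is the start of a run
            n = 1
            while o + n in octets:
                n += 1
            best = max(best, n)
    return best

def find_ptr_walkers(lines, min_run=32):
    """Return {(client, '/24 prefix'): run length} for clients walking a /24."""
    seen = defaultdict(set)                  # (client, a.b.c) -> last octets asked for
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        octs = [int(m[k]) for k in "abcd"]   # reversed name d.c.b.a -> address a.b.c.d
        if any(o > 255 for o in octs):
            continue
        seen[(m["client"], "{}.{}.{}".format(*octs[:3]))].add(octs[3])
    hits = {}
    for key, octets in seen.items():
        run = longest_run(octets)
        if run >= min_run:                   # scattered lookups stay below this
            hits[key] = run
    return hits

def sample_log():
    """Constructed sample: one client walks 192.0.2.0-255, another looks up a few hosts."""
    fmt = "27-Nov-2002 03:00:{:02d}.000 client {}#{}: query: {}.2.0.192.in-addr.arpa IN PTR"
    walk = [fmt.format(i % 60, "198.51.100.7", 1024 + i, i) for i in range(256)]
    normal = [fmt.format(5, "203.0.113.9", 4000 + i, o) for i, o in enumerate((10, 11, 77, 200))]
    return walk + normal

if __name__ == "__main__":
    print(find_ptr_walkers(sample_log()))
```

Because the check counts consecutive last octets per client and /24 rather than query rate, it still flags a walk that is spread thinly over the night hours.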
