Return a default record for invalid requests (non existent domain).

Danny Mayer mayer at gis.net
Sun Sep 8 00:59:46 UTC 2002



Do you really mean that someone registered your nameservers as
authoritative for a domain or do you mean that someone has used your
nameservers to look up addresses, meaning that you are allowing
recursion for external users?

If the latter, you should use the allow-recursion clause to limit recursion
to your own clients and they can only look up addresses for domains
for which you have authority. You can also use the allow-query option
to prevent specific addresses using your server at all or blackhole them.

If the former, you should contact the owners of the domain and tell them
that you charge real money to host domains on your nameserver.
Frankly I doubt that they meant to point to your servers for their domains
otherwise they would never get a response to any query for their domain.


What domain names are we talking about and what example queries are
you getting?

Danny

At 07:22 PM 9/4/02, Robert Messinger wrote:


>So does this mean I can return a default record?
>I didn't want to create a zone file for each domain.
>
>Can BIND do this?
>
>
>
>
>
>On Thu, 5 Sep 2002 Mark_Andrews at isc.org wrote:
>
> >
> > >
> > > Robert Messinger wrote:
> > >
> > > > I have had many people throw their NS records on our DNS servers.
> > > > Just to either park them or to kill off old links and requests.
> > > >
> > > > But since the domains do not exist on my nameserver they are
> > > > > getting slammed by these invalid requests (and I don't believe
> > > > the negative response is cached since the domain does not exist).
> > > >
> > > > In BIND is it possible to return a default record for domains which
> > > > do not exist on the system?  Is it even legal to give back an
> > > > answer?  (I feel like sending everyone to a porn site or something.)
> > > > It's bandwidth to our systems so I believe I can return whatever I want
> > > > but I may be wrong here.  But there are over 500,000 invalid requests
> > > > a day for some domains.
> > >
> > > My opinion is: if someone points an NS to my nameserver, they are giving
> > > me authority to return whatever I want for queries in that domain.
> > >
> > > I don't know if the law agrees with me on this, though. I suspect that
> > > > there is a conspicuous lack of legal precedent in this area. Do you feel
> > > > lucky?
> > >
> > >
> > > - Kevin
> >
> >       Well registrars *should* be checking before changing NS
> >       records that the organization hosting the new nameservers
> >       approves of the change.  Make sure you haven't given blanket
> >       approval in the past.
> >
> >       You should complain to the registrar that approved the change
> >       without first verifying the change was valid.  You should get
> >       them to remove the offending NS records.
> >
> >       Note: it might take a law-suit or two before they all get
> >       the idea that blindly changing NS records to point to third
> >       party servers is wrong.  It would be nice to think that one
> >       wouldn't have to go down that path but I expect that it
> >       will need a test case given history.  Before going down
> >       this path be 100% sure that it is not your own screw up and
> >       consult a lawyer.
> >
> >       Mark
> > --
> > Mark Andrews, Internet Software Consortium
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
> >
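
The three controls named in the reply above (allow-recursion, allow-query, blackhole), shown as a named.conf fragment. This is an added example, not part of the original thread; the ACL names and the addresses (documentation ranges) are constructed placeholders.

```conf
// named.conf fragment -- constructed example, adjust to your own networks.

acl trusted {                 // assumed: your own resolver clients
    127.0.0.1;
    192.0.2.0/24;
};

acl refused {                 // assumed: sources that should get REFUSED
    198.51.100.0/24;
};

acl dropped {                 // assumed: sources to ignore entirely
    203.0.113.25;
};

options {
    // Recursive lookups only for your own clients. Everyone else can
    // still be answered from zones this server is authoritative for.
    allow-recursion { trusted; };

    // Address match lists are evaluated in order: the negated entry
    // rejects the listed sources before "any" admits the rest.
    allow-query { !refused; any; };

    // Packets from these sources are discarded and get no reply at all.
    blackhole { dropped; };
};
```

An allow-query statement inside a zone block overrides the one in options for that zone, so check per-zone settings before relying on the global list.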




