What to do about openDNS

Fr34k freaknetboy at yahoo.com
Wed Jan 21 03:39:13 UTC 2009


Hello,

The ole rainy day bite.

Some quick ideas for dealing with, what I will call, defunct domains.

FIRST, STOP THE MADNESS:
Define what a defunct zone is in your TOS/AUP, so you have the power to deal with this situation as you see fit.

DEAL WITH IT AS YOU SEE FIT:
Set up that wildcard for the deadbeatzone.com zone to be:
* IN A 127.0.0.1
Add this to all the zones for which you do not want to be lame, but want to answer bogus requests and have that traffic kept, well, locally.

Perhaps point any defunct zones' A and WWW records to your commercial web site.
For example, www.deadbeats.com is a vhost for www.yourbiz.com
Maybe you'll get some more customers, who knows.

FINALLY:
I would automate the above process via scripts/tools
Customer cancels --> modify zone as you see fit --> audit all zones on a weekly/monthly/whatever basis and clean up any garbage as necessary.

Also, make it your policy to be the registrar contact (or have access to make changes) and stop this from happening altogether.
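As an added illustration of the sinkhole approach above (this is not code from the list post or from ISC), the script below emits one shared zone file with the apex and wildcard A records pointing at 127.0.0.1, plus the matching named.conf zone statements for a list of cancelled domains that still delegate to your servers. The name server hostnames ns1/ns2.example.net, the hostmaster mailbox, the file path and the demo domain names are assumptions; the null MX record is an addition the reply does not mention. It also validates each domain name before writing it into named.conf, because the cancellation list typically comes from a billing system and a stray quote or brace in it would otherwise land in your config.

```python
"""
Added example, not from the list post: emit the sinkhole zone the reply
describes (apex and wildcard A pointing at 127.0.0.1) plus the matching
named.conf stanzas for cancelled domains that still delegate to us.
Assumptions not in the original: the name server names ns1/ns2.example.net,
the hostmaster mailbox, the zone file path, and the demo domain names.
"""
import re

NS_HOSTS = ("ns1.example.net.", "ns2.example.net.")  # assumed name servers
HOSTMASTER = "hostmaster.example.net."               # assumed SOA RNAME
SINKHOLE_A = "127.0.0.1"                             # address the post suggests

# One label: alnum, optional interior hyphens, 1-63 chars; need two or more labels.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_ZONE_NAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def normalize_zone_name(name: str) -> str:
    """Lower-case and drop the trailing dot so names compare and sort cleanly."""
    return name.strip().lower().rstrip(".")


def is_valid_zone_name(name: str) -> bool:
    """Accept only plain hostname-style domains. The cancellation list usually
    comes from a billing/customer system; a quote or brace in it would
    otherwise end up inside named.conf."""
    name = normalize_zone_name(name)
    return len(name) <= 253 and _ZONE_NAME_RE.fullmatch(name) is not None


def sinkhole_zone(serial: int, ttl: int = 86400, null_mx: bool = True) -> str:
    """Zone file shared by every sinkholed domain. It has no $ORIGIN, so BIND
    takes the owner name from each zone statement. A wildcard never matches
    the apex, hence the explicit '@ IN A'. The null MX (RFC 7505) tells
    mailers the domain accepts no mail, which trims the MX-probing noise."""
    lines = [
        f"$TTL {ttl}",
        f"@ IN SOA {NS_HOSTS[0]} {HOSTMASTER} ( {serial} 3600 900 604800 {ttl} )",
        *[f"@ IN NS {ns}" for ns in NS_HOSTS],
        f"@ IN A {SINKHOLE_A}",
        f"* IN A {SINKHOLE_A}",
    ]
    if null_mx:
        lines.append("@ IN MX 0 .")
    return "\n".join(lines) + "\n"


def named_conf_stanzas(domains, zone_file="/etc/bind/db.sinkhole") -> str:
    """One zone {} block per cancelled domain, all pointing at the shared
    sinkhole file. Raises ValueError on any name that fails validation."""
    out = []
    for name in sorted({normalize_zone_name(d) for d in domains}):
        if not is_valid_zone_name(name):
            raise ValueError(f"refusing to write named.conf entry for {name!r}")
        out.append(f'zone "{name}" {{\n    type master;\n    file "{zone_file}";\n}};')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed demo input: two domains from a hypothetical cancellations feed.
    cancelled = ["DeadBeatZone.com.", "deadbeats.com"]
    print(sinkhole_zone(serial=2009012101))
    print(named_conf_stanzas(cancelled))
```

Run it from the "customer cancels" hook, write the stanzas into a file that named.conf includes, and reload; the weekly audit then only has to diff the generated file against the billing system's list of live zones.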




----- Original Message ----
From: Scott Haneda <talklists at newgeo.com>
To: BIND Users Mailing List <bind-users at lists.isc.org>
Sent: Tuesday, January 20, 2009 9:12:28 PM
Subject: What to do about openDNS

I brought this up a few months back.  For me, it is getting worse, and I am not able to come up with a solution.

I have many clients who reg domains.  They all point to my NS.  Sometimes, the client lapses hosting with me, and I delete the zones.  They usually leave the domain reg'd and my NS's listed.

I also have other clients who register thousands of domains, some get used, some do not.  In the end, I am listed as an NS.  Going back to clients and asking them to delete the NS from their registrar, it just is not going to happen. I do not always know, so adding a zone cannot happen, and even then, I have to add a wildcard for them all to resolve them.

I have heard varying levels of disapproval for wildcards to solve this as well.

The problem is with openDNS, which grows every day.  If one uses them as a rr, when someone requests a domain that is not setup, openDNS will make around 50 requests for that domain.  Then the browser will inject www. to the domain, and it asks for another 50.  Add in spam for MX's and any number of other requests, and I have on average, 40 queries per second.

Where it gets really bad is a heavily used domain that the client lets go, where there are img src links in a forum, which can get popular on occasion.

I have tested this with my own NS, as the rr, and it makes 2 or 3 queries, sees there is no zone, and goes away.  OpenDNS *never* caches the result, and happily goes about this all day long.

My first question is, I assume they are ignoring some TTL, and in doing so, are they in violation of any standard in this regard?

Second would be, is this exploitable as I think it is?  In that, one could enter any NS they want into their registrar, and create a situation in which openDNS is used as a way to attack that NS.

Is there any way for me to locally block this act?  I do not think there is, aside from blocking openDNS, which would have negative repercussions since they are used by so many people.  Looking for automated blocking, not to sit on my logs all day long.

For what it is worth, I did email them, first email was ignored, second email was not understood and they told me they did not support grep, which I was simply using to extract the number of lines in my log to show them the issue.  My reply to that was ignored as well.

To be honest, if I wanted to make named behave this way, I would not even know how to do so, I would certainly have to take effort to try.

This represents the last 4 hours of my query log, for one domain that is not even the best example.  I have my logs set to 10M, and this case already caused a roll of the logs in only 4 hours:
grep -i 'juliansummerhill.com' query.log | wc -l
    1289

Thanks for any pointers and education on this issue.
--
Scott
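The grep | wc -l count in the post tells you how many queries one domain drew, but not which zones you no longer serve are being hit or which resolvers are sending the traffic. The script below is an added example (not from the post or from ISC) of that audit done over the query log: it parses BIND 9 query-log lines, skips names that fall under a zone the server is configured for, and aggregates the rest by domain, query type and client resolver, reporting any domain over a threshold. The line layout it parses is the BIND 9 "client IP#port: query: NAME IN TYPE ..." format as I know it, the configured zone list, the resolver addresses and the sample log lines are constructed, and the "last two labels" base-domain heuristic is only adequate for .com-style names.

```python
"""
Added example, not from the list thread: find domains in a BIND query log
that no configured zone covers, and which resolvers are querying them.
Assumptions: BIND 9 query-log line layout ("client IP#port: query: NAME IN
TYPE ..."); the zone list, resolver addresses and log lines are constructed.
"""
import re
from collections import Counter, defaultdict

# Zones this server is configured to answer for (constructed list).
CONFIGURED_ZONES = {"yourbiz.com", "example.net"}

# BIND 9 query-log layout, tolerating the optional "@0x..." client handle
# and "(name)" tag that later 9.x releases add before the colon.
_QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log: one resolver hammering a dropped zone, a second
# resolver asking once, normal traffic for a served zone, and a non-query line.
SAMPLE_LOG = """\
20-Jan-2009 21:05:13.101 client 192.0.2.53#40001: query: juliansummerhill.com IN A + (203.0.113.10)
20-Jan-2009 21:05:13.104 client 192.0.2.53#40002: query: www.juliansummerhill.com IN A + (203.0.113.10)
20-Jan-2009 21:05:13.110 client 192.0.2.53#40003: query: juliansummerhill.com IN MX + (203.0.113.10)
20-Jan-2009 21:05:13.115 client 192.0.2.53#40004: query: www.juliansummerhill.com IN AAAA + (203.0.113.10)
20-Jan-2009 21:05:13.120 client 192.0.2.53#40005: query: juliansummerhill.com IN NS + (203.0.113.10)
20-Jan-2009 21:05:14.001 client 198.51.100.7#5353: query: www.juliansummerhill.com IN A + (203.0.113.10)
20-Jan-2009 21:05:14.050 client 198.51.100.7#5354: query: www.yourbiz.com IN A + (203.0.113.10)
20-Jan-2009 21:05:14.060 client 192.0.2.53#40006: query: yourbiz.com IN MX + (203.0.113.10)
20-Jan-2009 21:05:15.000 general: info: zone example.net/IN: loaded serial 2009012001
"""


def parse_query_line(line):
    """Return (client_ip, qname, qtype) for a query-log line, else None."""
    m = _QUERY_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def owning_zone(qname, zones):
    """Longest configured zone that qname falls under, or None."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def base_domain(qname):
    """Crude registrable-domain guess: the last two labels. Fine for .com/.net
    style names; multi-label public suffixes (co.uk) would need a suffix list."""
    return ".".join(qname.split(".")[-2:])


def find_defunct_hotspots(lines, zones=CONFIGURED_ZONES, threshold=10):
    """Aggregate queries for domains we do not serve.

    Returns {domain: {"queries": n, "types": Counter, "clients": Counter}}
    for each unconfigured domain that drew at least `threshold` queries.
    """
    per_domain = defaultdict(
        lambda: {"queries": 0, "types": Counter(), "clients": Counter()})
    for line in lines:
        parsed = parse_query_line(line)
        if parsed is None:
            continue                       # not a query line
        ip, qname, qtype = parsed
        if owning_zone(qname, zones) is not None:
            continue                       # we serve this zone; normal traffic
        stats = per_domain[base_domain(qname)]
        stats["queries"] += 1
        stats["types"][qtype] += 1
        stats["clients"][ip] += 1
    return {d: s for d, s in per_domain.items() if s["queries"] >= threshold}


if __name__ == "__main__":
    for domain, s in find_defunct_hotspots(SAMPLE_LOG.splitlines(), threshold=3).items():
        top_ip, top_n = s["clients"].most_common(1)[0]
        print(f"{domain}: {s['queries']} queries, {dict(s['types'])}, "
              f"busiest resolver {top_ip} ({top_n})")
```

Feed it the rolled query logs on a cron schedule and the output is the list of domains to move into a sinkhole zone (or to raise with the customer's registrar), with per-resolver counts that show whether one recursive server is doing the retrying or the traffic is spread out. Raise the threshold to match the real log volume; the value of 3 is only for the constructed sample.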

_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users