What to do about openDNS
Scott Haneda
talklists at newgeo.com
Wed Jan 21 08:21:30 UTC 2009
On Jan 20, 2009, at 7:39 PM, Fr34k wrote:
> Some quick ideas for dealing with, what I will call, defunct domains.
>
> FIRST, STOP THE MADNESS:
> Define what a defunct zone is in your TOS/AUP, so you have the power
> to deal with this situation as you see fit.
Sure, policy is a good start, and would help. The trouble is, this
all takes my time, and in most cases it is for a case in which I am no
longer making money off the client, so it would be an even larger net
loss.
Other than the user moving to a new host and not telling me, leaving
an MX record still in place, and email to them for billing getting
eaten by the local MTA, I really do not care much about a few defunct
domains.
I have since pointed the MTA to a different NS, and that solves that
issue.
My biggest problem is in the misconfiguration of openDNS. I can
easily handle 1-2 lookups on a defunct domain. If they cached the
result, it would be 1-2 per day or so. That is nothing.
What openDNS is doing is damn near a DDoS in my opinion. I am not
sure of the real potential to actually exploit it, but I do believe it is
there.
> DEAL WITH IT AS YOU SEE FIT:
> Set up the wildcard for the deadbeatzone.com zone to be:
> * IN A 127.0.0.1
> Add this to all the zones for which you do not want to be lame,
> but want to answer bogus requests and have that traffic kept, well,
> locally.
>
> Perhaps point any defunct zones' A and WWW records to your
> commercial web site.
> For example, www.deadbeats.com is a vhost for www.yourbiz.com
> Maybe you'll get some more customers, who knows.
More maintenance for me, but a fair suggestion indeed. For one, I can
use one zone file to cover them all, so not a lot of editing to do.
Is there any way to wildcard all domains? I understand how to
wildcard a specific record in a zone, but I do not want to chase down
all the domains. If there is a way to tell named to resolve all
domains that do not have an explicit zone, then this could be simple
to solve.
I still would like to know why openDNS does this, what if any
standards they violate, and why. If they played by the rules, this
would be manageable, but 50 hits per second is not friendly.
> FINALLY:
> I would automate the above process via scripts/tools
> Customer cancels --> modify zone as you see fit --> audit all zones
> on a weekly/monthly/whatever basis and clean up any garbage as
> necessary.
Agreed and I have some tools in place. I have 10 or so bash scripts I
have cobbled together to check authoritativeness, if they are slaved
or not, etc.
I just have a fundamental issue with resolving for a zone that is
doing nothing. It does not point to an MX, it does not have http
services, and I do not entirely like the idea of having a zone for it.
> Also, make it your policy to be the registrar contact (or have
> access to make changes) and stop this from happening altogether.
Used to be able to do this. Not any longer. There are too many
horror stories about domains getting taken when they should not. I
personally do not want the liability, to be honest.
Thanks so much for your suggestions.
--
Scott
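The complaint above is that a recursive resolver is re-querying an authoritative server for the same defunct names far more often than the records' TTLs would justify ("50 hits per second" instead of "1-2 per day"). Before arguing about it, a defender wants numbers from the server's own query log: peak queries per second per resolver address, and how often a resolver repeats an identical query inside a short window, which is the signature of a resolver that is not caching. The script below is an added illustration for this thread, not code from the list, from the poster, or from BIND; it assumes the classic BIND 9 querylog line layout (`client A.B.C.D#port: query: name IN type ...`), and the log lines embedded in it are constructed, using RFC 5737 documentation addresses rather than any real resolver.

```python
"""Per-resolver query rate and repeat-within-window analysis of BIND query-log lines.

Added illustration for this thread; not from the list, the poster, or BIND.
Assumes the classic BIND 9 querylog format (hypothetical sample below):

    21-Jan-2009 08:21:30.101 client 192.0.2.10#53211: query: www.deadbeatzone.com IN A + (198.51.100.5)
"""
import re
from collections import defaultdict
from datetime import datetime

# Timestamp, client address, query name, class, type; flags and the
# answering server address after the type are ignored.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample: one resolver (192.0.2.10) hammers the defunct zone,
# another (192.0.2.20) asks once an hour, a third asks about another zone.
SAMPLE_LOG = [
    "21-Jan-2009 08:21:30.101 client 192.0.2.10#53211: query: www.deadbeatzone.com IN A + (198.51.100.5)",
    "21-Jan-2009 08:21:30.204 client 192.0.2.10#53212: query: www.deadbeatzone.com IN A + (198.51.100.5)",
    "21-Jan-2009 08:21:30.377 client 192.0.2.10#53213: query: deadbeatzone.com IN MX + (198.51.100.5)",
    "21-Jan-2009 08:21:30.612 client 192.0.2.10#53214: query: www.deadbeatzone.com IN A + (198.51.100.5)",
    "21-Jan-2009 08:21:31.040 client 192.0.2.10#53215: query: www.deadbeatzone.com IN A + (198.51.100.5)",
    "21-Jan-2009 08:21:30.500 client 192.0.2.20#40001: query: www.deadbeatzone.com IN A + (198.51.100.5)",
    "21-Jan-2009 09:21:30.500 client 192.0.2.20#40002: query: www.deadbeatzone.com IN A + (198.51.100.5)",
    "21-Jan-2009 08:21:30.700 client 192.0.2.30#50000: query: www.yourbiz.com IN A + (198.51.100.5)",
    "this line is not a query-log entry",
]


def parse_line(line):
    """Return (timestamp, client, qname, qtype), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("client"), m.group("qname").lower().rstrip("."), m.group("qtype")


def in_zone(qname, zone):
    """True if qname is the zone apex or a name below it."""
    zone = zone.lower().rstrip(".")
    return qname == zone or qname.endswith("." + zone)


def peak_qps(lines, zone):
    """For each client, the most queries for `zone` seen in any single one-second bucket."""
    buckets = defaultdict(int)  # (client, whole second) -> count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, _ = rec
        if in_zone(qname, zone):
            buckets[(client, ts.replace(microsecond=0))] += 1
    peak = defaultdict(int)
    for (client, _), n in buckets.items():
        peak[client] = max(peak[client], n)
    return dict(peak)


def repeat_ratio(lines, zone, window_seconds):
    """For each client, the fraction of its queries for `zone` that repeat an identical
    (qname, qtype) within window_seconds of the previous identical query.
    A caching resolver should score near 0 when the records' TTLs exceed the window."""
    last_seen = {}            # (client, qname, qtype) -> timestamp of last query
    total = defaultdict(int)
    repeats = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, qtype = rec
        if not in_zone(qname, zone):
            continue
        total[client] += 1
        key = (client, qname, qtype)
        prev = last_seen.get(key)
        if prev is not None and (ts - prev).total_seconds() < window_seconds:
            repeats[client] += 1
        last_seen[key] = ts
    return {c: repeats[c] / total[c] for c in total}


if __name__ == "__main__":
    zone = "deadbeatzone.com"
    for client, qps in sorted(peak_qps(SAMPLE_LOG, zone).items()):
        print(f"{client}: peak {qps} q/s for {zone}")
    for client, ratio in sorted(repeat_ratio(SAMPLE_LOG, zone, 300).items()):
        print(f"{client}: {ratio:.0%} of queries repeated within 300 s")
```

Run against a real `querylog` file by replacing `SAMPLE_LOG` with the file's lines; a resolver with a high repeat ratio on records whose TTL is well above the window is the one to raise the ticket about, and the per-second peak is the figure to quote in it.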