What to do about openDNS

Scott Haneda talklists at newgeo.com
Wed Jan 21 08:21:30 UTC 2009


On Jan 20, 2009, at 7:39 PM, Fr34k wrote:

> Some quick ideas for dealing with, what I will call, defunct domains.
>
> FIRST, STOP THE MADNESS:
> Define what a defunct zone is in your TOS/AUP, so you have the power  
> to deal with this situation as you see fit.

Sure, policy is a good start, and would help.  The trouble is, this  
all takes my time, and in most cases, is for a case in which I am no  
longer making money off the client, so it would be an even larger net  
loss.

Other than the user moving to a new host, and not telling me, leaving  
a record for MX still in place, and email to them for billing getting  
eaten by the local MTA, I really do not care much about a few defunct  
domains.

I have since pointed the MTA to a different NS, and that solves that  
issue.

My biggest problem is in the misconfiguration of openDNS.  I can  
easily handle 1-2 lookups on a defunct domain.  If they cached the  
result, it would be 1-2 per day or so.  That is nothing.

What openDNS is doing is damn near a DDoS in my opinion.  I am not  
sure of the real potential to actually exploit it, but I do believe it is  
there.

> DEAL WITH IT AS YOU SEE FIT:
> Set up the wildcard for the deadbeatzone.com zone to be:
> * IN A 127.0.0.1
> Add this to all the zones for which you do not want to be lame,  
> but want to answer bogus requests and have that traffic kept, well,  
> locally.
>
> Perhaps point any defunct zones' A and WWW records to your  
> commercial web site.
> For example, www.deadbeats.com is a vhost for www.yourbiz.com
> Maybe you'll get some more customers, who knows.

More maintenance for me, but a fair suggestion indeed. For one, I can  
use one zone file to cover them all, so not a lot of editing to do.

Is there any way to wildcard all domains?  I understand how to  
wildcard a specific record in a zone, but I do not want to chase down  
all the domains.  If there is a way to tell named to resolve all  
domains that do not have an explicit zone, then this could be simple  
to solve.

I still would like to know why openDNS does this, what if any  
standards they violate, and why.  If they played by the rules, this  
would be manageable, but 50 hits per second is not friendly.

> FINALLY:
> I would automate the above process via scripts/tools.
> Customer cancels --> modify zone as you see fit --> audit all zones  
> on a weekly/monthly/whatever basis and clean up any garbage as  
> necessary.

Agreed and I have some tools in place.  I have 10 or so bash scripts I  
have cobbled together to check authoritativeness, if they are slaved  
or not, etc.

I just have a fundamental issue with resolving for a zone that is  
doing nothing. It does not point to an MX, it does not have http  
services, and I do not entirely like the idea of having a zone for it.

> Also, make it your policy to be the registrar contact (or have  
> access to make changes) and stop this from happening altogether.

Used to be able to do this.  Not any longer.  There are too many  
horror stories about domains getting taken when they should not.  I  
personally do not want the liability to be honest.

Thanks so much for your suggestions.
--
Scott
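One way to build the "one zone file to cover them all" setup discussed above, as an added example that is not from the thread: a single origin-less zone file carrying the `* IN A 127.0.0.1` wildcard, and a generator that emits a named.conf stanza per defunct domain, all pointing at that one file, so the server stays authoritative (not lame) and the repeated lookups get a cached loopback answer instead of recursing back. The nameserver `ns1.example.net`, the mailbox `hostmaster@example.net` and the path `/etc/bind/defunct.zone` are assumptions; substitute your own.

```shell
#!/bin/sh
# Shared zone file for defunct domains plus named.conf stanzas that reuse it.
# Assumed values (not from the thread): ns1.example.net, hostmaster@example.net,
# and /etc/bind/defunct.zone.

DEFUNCT_FILE="/etc/bind/defunct.zone"

# Emit a zone file with no $ORIGIN, so the same file serves any zone name:
# "@" is whatever zone loads it. The wildcard does not cover the apex,
# hence the explicit "@ IN A" alongside "* IN A".
defunct_zonefile() {
  serial=$(date +%Y%m%d01)   # YYYYMMDDnn-style serial, one per day
  cat <<EOF
\$TTL 86400
@   IN SOA ns1.example.net. hostmaster.example.net. (
        $serial    ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        86400 )    ; negative caching TTL
@   IN NS  ns1.example.net.
@   IN A   127.0.0.1
*   IN A   127.0.0.1
EOF
}

# Read defunct domains from stdin, one per line, and emit a master zone
# stanza for each. Every stanza references the single shared file, so
# cancelling a customer is one line in named.conf and no new zone file.
defunct_stanzas() {
  while IFS= read -r zone; do
    case "$zone" in ""|\#*) continue ;; esac   # skip blanks and comments
    printf 'zone "%s" {\n    type master;\n    file "%s";\n};\n' \
      "$zone" "$DEFUNCT_FILE"
  done
}
```

Run `defunct_zonefile > /etc/bind/defunct.zone` once, append the output of `defunct_stanzas < defunct.txt` to named.conf, then check with `named-checkzone` and `named-checkconf` before reloading.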




More information about the bind-users mailing list