What to do about openDNS

Sten Carlsen ccc2716 at vip.cybercity.dk
Wed Jan 21 09:48:46 UTC 2009


Are you really sure this is ALL the fault of opendns?

Seems to me that the addition of www. and other such like stuff is the
work of various browsers trying to be helpful to their users. If the
bare domain name does not give an answer, maybe the user was too lazy to
add www., so the browser will try that on his behalf. Search domains in
resolv.conf might also be "helpful".

You could try to point your own browser to use opendns and see how much
traffic one request for some defunct domain gives and try the same with
dig or host.

The solution, it looks to me, is to implement some automated script to
catch the domains giving loads of useless traffic and change them to
point to 127.0.0.1 or something.


Scott Haneda wrote:
> On Jan 20, 2009, at 7:39 PM, Fr34k wrote:
>
>> Some quick ideas for dealing with, what I will call, defunct domains.
>>
>> FIRST, STOP THE MADNESS:
>> Define what a defunct zone is in your TOS/AUP, so you have the power
>> to deal with this situation as you see fit.
>
> Sure, policy is a good start, and would help.  The trouble is, this
> all takes my time, and in most cases, is for a case in which I am no
> longer making money off the client, so it would be an even larger net
> loss.
>
> Other than the user moving to a new host, and not telling me, leaving
> a record for MX still in place, and email to them for billing getting
> eaten by the local MTA, I really do not care much about a few defunct
> domains.
>
> I have since pointed the MTA to a different NS, and that solves that
> issue.
>
> My biggest problem is in the misconfiguration of openDNS.  I can
> easily handle 1-2 lookups on a defunct domain.  If they cached the
> result, it would be 1-2 per day or so.  That is nothing.
>
> What openDNS is doing, is damn near a DDoS in my opinion.  I am not
> sure the real potential to actually exploit it, but I do believe it is
> there.
>
>> DEAL WITH IT AS YOU SEE FIT:
>> Setup that wildcard for the deadbeatzone.com zone to be:
>> * IN A 127.0.0.1
>> Add this to all the zones for which you do not want to be lame for,
>> but want to answer bogus requests and have that traffic kept, well,
>> locally.
>>
>> Perhaps point any defunct zones' A and WWW records at your
>> commercial web site.
>> For example, www.deadbeats.com is a vhost for www.yourbiz.com
>> Maybe you'll get some more customers, who knows.
>
> More maintenance for me, but a fair suggestion indeed. For one, I can
> use one zone file to cover them all, so not a lot of editing to do.
>
> Is there any way to wildcard all the domains?  I understand how to
> wildcard a specific record in a zone, but I do not want to chase down
> all the domains.  If there is a way to tell named to resolve all
> domains that do not have an explicit zone, then this could be simple
> to solve.
>
> I still would like to know why openDNS does this, what if any
> standards they violate, and why.  If they played by the rules, this
> would be manageable, but 50 hits per second is not friendly.
>
>> FINALLY:
>> I would automate the above process via scripts/tools
>> Customer cancels --> modify zone as you see fit --> audit all zones
>> on a weekly/monthly/whatever basis and clean up any garbage as necessary.
>
> Agreed and I have some tools in place.  I have 10 or so bash scripts I
> have cobbled together to check authoritativeness, if they are slaved
> or not, etc.
>
> I just have a fundamental issue with resolving for a zone that is
> doing nothing. It does not point to a MX, it does not have http
> services, and I do not entirely like the idea of having a zone for it.
>
>> Also, make it your policy to be the registrar contact (or have access
>> to make changes) and stop this from happening altogether.
>
> Used to be able to do this.  Not any longer.  There are too many
> horror stories about domains getting taken when they should not.  I
> personally do not want the liability to be honest.
>
> Thanks so much for your suggestions.
> -- 
> Scott
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!" 




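The two things the thread converges on, an automated way to spot defunct zones from the query traffic they attract and Fr34k's `* IN A 127.0.0.1` wildcard served from one shared zone file, as an added example; this is not code from the thread or from any of the posters. It assumes BIND 9 query-log lines in the `queries` category format, that every hosted zone is a two-label name (deeper names such as `www.` or `mail.` are collapsed to the zone, which is also what absorbs the browser and `resolv.conf` search-domain prefixing Sten mentions), and a space-separated list of zones you still host. The sample log lines, threshold, zone names and nameserver host are all made up.

```shell
#!/bin/sh
# Added example, not from the thread. Finds zones that draw heavy query
# traffic without being on our live-zone list, then emits a BIND
# sinkhole config that answers all of them from one shared wildcard file.
#
# Assumptions (mine, not the posters'):
#  - query-log lines look like BIND 9's "queries" category:
#    "... client A.B.C.D#port: query: NAME IN TYPE ..."
#  - zones are two-label names (example.com); deeper names are collapsed
#  - live zones are passed as a space-separated list

# defunct_zones THRESHOLD "live zones"  < querylog
# Prints, sorted, the zones queried at least THRESHOLD times in the log
# window that are not in the live list.
defunct_zones() {
    thr=$1
    live=$2
    # take the name after "query:", fold case, drop a trailing dot,
    # collapse to the last two labels, count, filter by threshold and list
    awk '{ for (i = 1; i <= NF; i++) if ($i == "query:") { print tolower($(i+1)); break } }' |
    sed 's/\.$//' |
    awk -F. 'NF >= 2 { print $(NF-1) "." $NF }' |
    sort | uniq -c |
    awk -v thr="$thr" -v live="$live" '
        BEGIN { n = split(live, a, " "); for (i = 1; i <= n; i++) L[a[i]] = 1 }
        $1 >= thr && !($2 in L) { print $2 }' |
    sort
}

# sinkhole_named_conf SHAREDFILE  < zonelist
# One zone{} stanza per defunct zone, all pointing at the same file.
sinkhole_named_conf() {
    file=$1
    while read -r z; do
        [ -n "$z" ] || continue
        printf 'zone "%s" { type master; file "%s"; };\n' "$z" "$file"
    done
}

# sinkhole_zone_file NSHOST HOSTMASTER
# The one shared zone file. It uses only @ and * (the zone name is never
# written into the file), which is what lets a single file serve every
# sinkholed zone. The wildcard does not match the apex itself, hence the
# explicit @ A record. Serial is fixed because the file never changes.
sinkhole_zone_file() {
    ns=$1
    hm=$2
    cat <<EOF
\$TTL 86400
@   IN SOA $ns. $hm. ( 2009012101 3600 900 1209600 86400 )
@   IN NS  $ns.
@   IN A   127.0.0.1
*   IN A   127.0.0.1
EOF
}

# Constructed sample log in the BIND 9 "queries" format; not real traffic.
# deadbeats.com and also-gone.net get 12 queries each (the latter with
# mixed case and a trailing dot), yourbiz.com 12 but it is live,
# example.org only 1.
sample_log() {
    i=0
    while [ $i -lt 6 ]; do
        echo "21-Jan-2009 09:40:0$i.000 client 192.0.2.10#5321$i: query: www.deadbeats.com IN A +"
        echo "21-Jan-2009 09:40:0$i.001 client 192.0.2.10#5322$i: query: deadbeats.com IN A +"
        echo "21-Jan-2009 09:40:0$i.002 client 192.0.2.11#5323$i: query: mail.also-gone.net. IN MX +"
        echo "21-Jan-2009 09:40:0$i.003 client 192.0.2.11#5324$i: query: ALSO-GONE.NET IN A +"
        echo "21-Jan-2009 09:40:0$i.004 client 192.0.2.12#5325$i: query: www.yourbiz.com IN A +"
        echo "21-Jan-2009 09:40:0$i.005 client 192.0.2.12#5326$i: query: yourbiz.com IN A +"
        i=$((i + 1))
    done
    echo "21-Jan-2009 09:40:07.000 client 192.0.2.13#53270: query: www.example.org IN A +"
}

# Stand-alone demo: threshold of 10 queries in the sampled window,
# yourbiz.com is the one zone still hosted.
sample_log | defunct_zones 10 "yourbiz.com" | sinkhole_named_conf db.sinkhole
sinkhole_zone_file ns1.yourbiz.com hostmaster.yourbiz.com
```

In use, `sample_log` is replaced by the real query log (BIND needs `querylog yes;` or the `queries` logging category enabled), the threshold is whatever rate you decide counts as abuse over the window you read, and the generated stanzas go into an included file so the cron job can regenerate it without touching the hand-written named.conf. This only stops the answers costing you recursion and upstream traffic; it does not change how often a resolver that ignores your TTLs comes back, which is the part of Scott's complaint that no zone file fixes.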