Slowing down bind answers ?
Timothe Litt
litt at acm.org
Sun Jan 5 13:25:08 UTC 2014
On 04-Jan-14 14:58, Nicolas C. wrote:
> On 03/01/2014 18:00, WBrown at e1b.org wrote:
>> From: Mark Andrews <marka at isc.org>
>>> After that specify a final date for them to fix their machines by
>>> after which you will send NXDOMAIN responses. Sometimes sending a
>>> poisoned response is the only way to get people's attention.
>>>
>>> zone "." {
>>> type master;
>>> file "empty";
>>> };
>>>
>>> empty:
>>> @ 0 IN SOA . stop.using.this.nameserver 0 0 0 0 0
>>> @ 0 IN NS .
>>> @ 0 IN A 127.0.0.1
>>
>> Or really mess with them and answer all A queries with 199.181.132.249
>
> It's not a bad idea. I could wildcard all requests to an internal HTTP
> server saying that the DNS configuration of the client is deprecated.
>
>
Which is great until someone tries to send e-mail, ftp a file, look up a
SIP server - or any other service. Do any clients rely on SIP for
emergency telephone service? (VoIP phones, softphones, building alarms
among others)
DNS redirection is evil - and tricky; the world is not just DNS and HTTP
from a user's desktop/notebook.
To get people's attention, NXDOMAIN to www.* queries is often reasonably
safe. Embedded systems are another story. (Elevators, HVAC
controllers, security systems, routers, ...)
Think about all the consequences in your environment. Do you want to be
responsible if someone can't make an emergency call? Someone who has
been out on leave? Someone stuck in an elevator?
It may be better to simply alias (if necessary, route) the old IP
address(es) to the new server. That way you can manage the
notifications and consequences on a per-service basis.
You can also turn on query logging (which helps slow down the old
server) - and use the logs to backtrack to the machines that need to be
reconfigured. Scripts can send an e-mail daily with a warning and
instructions on how to reconfigure. If you have the ownership data,
scripts can escalate to a manager/sponsor if ignored. Hopefully this
will get you down to a manageable list of miscreants that require manual
follow-up.
Redirecting to disney.com is a fine humorous response - but I'd be very
careful about taking it - or similar - action seriously. Running DNS is
a serious responsibility.
Whatever transition plan you adopt needs to fit your circumstances and
manage all the risks. A 'simple' plan might work for you - or it might
not.
The risks of draconian operations to encourage migration are a lot
larger than they were in years past.
--
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
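The log-driven approach described above (query logging, then working back from the logs to the machines that need reconfiguring, with per-owner notification), as an added example that is not part of this thread or of BIND itself. The regex assumes the usual BIND 9 querylog line format with the optional client handle and "(qname)" that later releases add; the log lines and the ownership map are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: "querylog yes" (or rndc querylog) is on and the default channel
# prints timestamps. The optional groups cover the "@0x..." client handle and
# "(qname)" that newer BIND 9 releases add after the client address.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+)"
)

def parse_query_log(lines):
    """Aggregate query lines per client IP: count, first/last seen, names asked."""
    clients = defaultdict(lambda: {"count": 0, "first": None, "last": None, "names": set()})
    for line in lines:
        m = QUERY_RE.match(line)
        if not m:
            continue  # some other log category (zone loads, etc.); ignore
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        c = clients[m.group("ip")]
        c["count"] += 1
        c["first"] = ts if c["first"] is None else min(c["first"], ts)
        c["last"] = max(c["last"], ts) if c["last"] else ts
        c["names"].add(m.group("name"))
    return dict(clients)

def build_report(clients, owners):
    """Rows of (ip, contact, query count, last seen), busiest client first.
    owners maps IP -> contact (hypothetical ownership data); clients with no
    owner are flagged so they end up on the manual follow-up list."""
    rows = [(ip, owners.get(ip, "UNKNOWN (manual follow-up)"), c["count"],
             c["last"].isoformat()) for ip, c in clients.items()]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows

# Constructed sample lines (not real traffic) in the BIND 9 querylog format.
SAMPLE_LOG = """\
05-Jan-2014 13:01:02.123 client 192.0.2.10#51234: query: www.example.com IN A + (192.0.2.1)
05-Jan-2014 13:01:05.456 client 192.0.2.10#51235: query: mail.example.com IN MX + (192.0.2.1)
05-Jan-2014 13:02:10.789 client 192.0.2.20#40000 (sip.example.com): query: sip.example.com IN SRV + (192.0.2.1)
05-Jan-2014 13:03:00.000 client @0x7f3a4c001234 2001:db8::5#5353 (ntp.example.com): query: ntp.example.com IN AAAA +E(0)K (192.0.2.1)
05-Jan-2014 13:03:30.000 general: info: zone example.com/IN: loaded serial 2014010501
"""
OWNERS = {"192.0.2.10": "alice@example.com", "192.0.2.20": "pbx-team@example.com"}  # constructed
if __name__ == "__main__":
    for ip, owner, count, last in build_report(parse_query_log(SAMPLE_LOG.splitlines()), OWNERS):
        print(f"{ip:<18} {count:>4} queries  last seen {last}  notify: {owner}")
```

Feeding the report rows to a mailer is the daily-warning step; the UNKNOWN rows are the residual list that needs manual chasing.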