Slowing down bind answers ?

Timothe Litt litt at acm.org
Sun Jan 5 13:25:08 UTC 2014


On 04-Jan-14 14:58, Nicolas C. wrote:
> On 03/01/2014 18:00, WBrown at e1b.org wrote:
>> From: Mark Andrews <marka at isc.org>
>>> After that specify a final date for them to fix their machines by
>>> after which you will send NXDOMAIN responses.  Sometimes sending a
>>> poisoned response is the only way to get people's attention.
>>>
>>> zone "." {
>>>     type master;
>>>     file "empty";
>>> };
>>>
>>> empty:
>>> @ 0 IN SOA . stop.using.this.nameserver 0 0 0 0 0
>>> @ 0 IN NS .
>>> @ 0 IN A 127.0.0.1
>>
>> Or really mess with them and answer all A queries with 199.181.132.249
>
> It's not a bad idea. I could wildcard all requests to an internal HTTP 
> server saying that the DNS configuration of the client is deprecated.
>
>
Which is great until someone tries to send e-mail, ftp a file, lookup a 
SIP server - or any other service.  Do any clients rely on SIP for 
emergency telephone service?  (VoIP phones, softphones, building alarms 
among others)

DNS redirection is evil - and tricky; the world is not just DNS and HTTP 
from a user's desktop/notebook.

To get people's attention, NXDOMAIN to www.* queries is often reasonably 
safe.  Embedded systems are another story.  (Elevators, HVAC 
controllers, security systems, routers, ...)

Think about all the consequences in your environment.  Do you want to be 
responsible if someone can't make an emergency call?  Someone who has 
been out on leave?  Someone stuck in an elevator?

It may be better to simply alias (if necessary, route) the old IP 
address(es) to the new server.  That way you can manage the 
notifications and consequences on a per-service basis.

You can also turn on query logging (which helps slow down the old 
server) - and use the logs to backtrack to the machines that need to be 
reconfigured.  Scripts can send an e-mail daily with a warning and 
instructions on how to reconfigure.  If you have the ownership data, 
scripts can escalate to a manager/sponsor if ignored. Hopefully this 
will get you down to a manageable list of miscreants that require manual 
follow-up.

Redirecting to disney.com is a fine humorous response - but I'd be very 
careful about taking it - or similar action - seriously. Running DNS is 
a serious responsibility.

Whatever transition plan you adopt needs to fit your circumstances and 
manage all the risks.  A 'simple' plan might work for you - or it might 
not.

The risks of draconian operations to encourage migration are a lot 
larger than they were in years past.

-- 
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
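One way to do the log backtracking described above, as an added example that is neither part of this thread nor BIND's own tooling: it parses constructed BIND 9 query-log lines (the two log layouts, the client addresses and the names are assumptions), counts per client how often it still asks the old server, and flags whether a client only ever asks for www.* names, i.e. whether the NXDOMAIN-for-www.* tactic alone would reach it or whether it also depends on the server for other services.

```python
import re
from datetime import datetime

# Constructed sample lines (not from the thread): classic BIND 9 query-log
# format plus the later variant that adds "@0x<ptr>" and "(name)" fields.
SAMPLE_LOG = """\
05-Jan-2014 13:20:01.123 client 192.0.2.10#51234: query: www.example.com IN A + (192.0.2.1)
05-Jan-2014 13:20:02.456 client 192.0.2.10#51235: query: mail.example.com IN MX - (192.0.2.1)
05-Jan-2014 13:21:09.789 client 192.0.2.44#40012: query: sip.example.com IN SRV + (192.0.2.1)
05-Jan-2014 13:21:40.000 client 192.0.2.77#40500: query: www.example.com IN A + (192.0.2.1)
05-Jan-2014 13:22:30.001 client @0x7f1c2c0 192.0.2.10#51236 (ntp.example.com): query: ntp.example.com IN A + (192.0.2.1)
05-Jan-2014 13:22:31.000 general: info: this line is not a query entry and is skipped
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<addr>[0-9A-Fa-f.:]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def parse_query_log(lines):
    """Yield (timestamp, client address, query name, qtype) for each query line."""
    for line in lines:
        m = QUERY_RE.match(line)
        if not m:
            continue  # non-query lines (startup, zone loads, ...) are ignored
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        yield ts, m.group("addr"), m.group("name").lower(), m.group("qtype").upper()

def clients_still_using_server(lines):
    """Aggregate queries per client so each machine can be chased down once.

    www_only is True when every name the client asked for starts with "www.";
    False means it also relies on this server for other services (MX, SRV, ...)
    and needs a gentler migration than an NXDOMAIN for www.* names.
    """
    per_client = {}
    for ts, addr, name, qtype in parse_query_log(lines):
        rec = per_client.setdefault(addr, {"addr": addr, "queries": 0, "first_seen": ts,
                                           "last_seen": ts, "names": set(), "qtypes": set()})
        rec["queries"] += 1
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["names"].add(name)
        rec["qtypes"].add(qtype)
    for rec in per_client.values():
        rec["www_only"] = all(n.startswith("www.") for n in rec["names"])
    # Busiest clients first; these are the ones to notify (or escalate) first.
    return sorted(per_client.values(), key=lambda r: (-r["queries"], r["addr"]))

if __name__ == "__main__":
    for rec in clients_still_using_server(SAMPLE_LOG.splitlines()):
        print(f'{rec["addr"]:15} {rec["queries"]:4} queries, last {rec["last_seen"]}, '
              f'types {sorted(rec["qtypes"])}, www_only={rec["www_only"]}')
```

In practice the list would be joined against the inventory/ownership data the post mentions before the daily e-mail is generated.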



