Redirect only second and third level domains

Warren Kumari warren at kumari.net
Fri Feb 24 15:05:15 UTC 2017


Yeah, what you are describing is NXDomain rewriting -- it turns out to
be a really bad idea.

Here are some initial documents describing why:
https://www.icann.org/en/system/files/files/sac-032-en.pdf -- ICANN
Security and Stability Advisory Committee SAC 032 Preliminary Report
on DNS Response Modification

http://www.icsi.berkeley.edu/pubs/networking/redirectingdnsforads11.pdf
-- Redirecting DNS for Ads and Profit


It breaks all sorts of things, creates security risks, and ends up
confusing customers. Just don't do it...

W

On Fri, Feb 24, 2017 at 9:50 AM, /dev/rob0 <rob0 at gmx.co.uk> wrote:
>> Il 23/02/2017 20:38, Warren Kumari ha scritto:
>> > What are you actually trying to do?
>
> On Fri, Feb 24, 2017 at 09:42:17AM +0100, Andrea Gabellini wrote:
>> the server is a resolver for about 20K clients. My goal is to
>> supply a courtesy page if a domain is not found. For every domain.
>
> Ugh.  You call it a courtesy, I call it ignorant and abusive.
>
>> A query for abc.example.com or example.com (and these do not
>> exist) has to receive the address of the courtesy web server.
>>
>> A query for xyz.abc.example.com (and this does not exist) has
>> to receive NXDOMAIN.
>>
>> This is a workaround for queries made to the dnsbl services like
>> spamhaus.org or mailspike.org, where the queries are of type
>> "4.3.2.1.zen.spamhaus.org". If the redirect is for all levels of
>> the domain, there is a response and the antispam system thinks
>> that this IP is in blacklist.
>
> No.
>
> A mail server needs clean DNS, no NXDOMAIN hijacking at all.  Such
> as, if a user submits mail to somewhere at invalid.example, the MTA
> needs to know that "invalid.example" is NXDOMAIN.
>
> It's one thing, if you're trying to be "courteous" to ordinary
> web-only users; it is quite different when you are serving DNS to
> servers of various kinds.  Your customers WILL be calling to
> complain.
>
> Perhaps you should offer a clean nameserver for business and static
> IP address customers?  Inform them and advise them to change before
> you implement your "courteous" NXDOMAIN abuse?
> --
>   http://rob0.nodns4.us/
>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
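As an added illustration of the two failure modes argued over in this thread (this is example code written for this page, not code from the post, from BIND, or from any DNSBL operator), the following Python model shows why NXDOMAIN rewriting breaks a mail server. A tiny constructed "zone" stands in for the real DNS; the `resolve()` function applies a rewriting policy (none, every level, or only names with a given number of labels, as the subject line proposes); a DNSBL client and an MTA lookup are modelled the way such software typically behaves (any A answer from the DNSBL means "listed", and an MTA that gets an address instead of NXDOMAIN will try to deliver). The addresses, the placeholder DNSBL entries and the probe names are all constructed; `probe_rewriting()` is the check a defender can point at a real resolver by passing in a lookup function.

```python
"""Model of NXDOMAIN rewriting at a recursive resolver and its side effects.

Added illustration for the bind-users thread above; not code from the post,
from BIND or from any DNSBL.  All zone data and addresses are constructed.
"""
import secrets
from typing import Callable, Dict, Optional, FrozenSet

NXDOMAIN = "NXDOMAIN"
COURTESY_PAGE = "192.0.2.80"   # constructed 'courtesy page' web server (TEST-NET-1)
DNSBL_LISTED = "127.0.0.2"     # conventional DNSBL 'listed' answer
ALL_LEVELS = frozenset(range(1, 128))   # a DNS name has at most 127 labels

# Constructed authoritative data: name -> A record.  Anything else is NXDOMAIN.
ZONE: Dict[str, str] = {
    "example.com.": "192.0.2.10",
    "www.example.com.": "192.0.2.10",
    "zen.spamhaus.org.": "192.0.2.53",            # constructed placeholder
    "2.0.0.127.zen.spamhaus.org.": DNSBL_LISTED,  # the usual DNSBL self-test entry
}


def authoritative_lookup(name: str) -> str:
    """What the authoritative side would answer (names are case-insensitive)."""
    return ZONE.get(name.lower(), NXDOMAIN)


def label_count(name: str) -> int:
    """Number of labels in a name: 'a.b.example.' -> 3."""
    return len([lbl for lbl in name.rstrip(".").split(".") if lbl])


def resolve(name: str, rewrite_levels: Optional[FrozenSet[int]]) -> str:
    """Recursive resolver with an NXDOMAIN-rewriting policy.

    rewrite_levels=None  -> clean resolver, NXDOMAIN is passed through.
    rewrite_levels={2,3} -> only 2- and 3-label names get the courtesy page.
    rewrite_levels=ALL_LEVELS -> every nonexistent name gets the courtesy page.
    """
    answer = authoritative_lookup(name)
    if answer != NXDOMAIN or rewrite_levels is None:
        return answer
    if label_count(name) in rewrite_levels:
        return COURTESY_PAGE          # synthesized answer: the thing being warned about
    return NXDOMAIN


def dnsbl_listed(ip: str, zone: str, rewrite_levels: Optional[FrozenSet[int]]) -> bool:
    """Typical DNSBL client logic: look up reversed-IP.zone; any A answer means 'listed'."""
    reversed_ip = ".".join(reversed(ip.split(".")))
    return resolve(f"{reversed_ip}.{zone}", rewrite_levels) != NXDOMAIN


def mta_can_deliver(domain: str, rewrite_levels: Optional[FrozenSet[int]]) -> bool:
    """Simplified MTA behaviour: with no MX, fall back to the A record (RFC 5321 §5.1).

    A clean resolver tells the MTA that an unknown domain is NXDOMAIN, so the
    message is rejected at submission time instead of being sent to a web server.
    """
    return resolve(domain.rstrip(".") + ".", rewrite_levels) != NXDOMAIN


def probe_rewriting(resolver: Callable[[str], str], levels=(2, 3, 4)) -> Dict[int, bool]:
    """Defender's check: which label depths does a resolver rewrite?

    Queries a random, certainly-nonexistent name at each depth (random labels
    under the reserved 'example' TLD) and flags any non-NXDOMAIN answer.
    Pass a function that performs a real lookup to test a real resolver.
    """
    results = {}
    for n in levels:
        labels = [secrets.token_hex(4) for _ in range(n - 1)] + ["example"]
        results[n] = resolver(".".join(labels) + ".") != NXDOMAIN
    return results


if __name__ == "__main__":
    policies = {"clean": None, "all levels": ALL_LEVELS, "2nd/3rd only": frozenset({2, 3})}
    for label, policy in policies.items():
        print(f"{label:13s} clean IP listed? {dnsbl_listed('198.51.100.7', 'zen.spamhaus.org.', policy)}"
              f"  deliver to invalid.example? {mta_can_deliver('invalid.example', policy)}"
              f"  rewritten depths: {probe_rewriting(lambda n: resolve(n, policy))}")
```

Run as a script, the three lines show the trade-off the thread describes: rewriting every level makes a clean IP look blacklisted (every inbound mail gets rejected), restricting the rewrite to second- and third-level names fixes the DNSBL case but still hands the MTA an address for `invalid.example`, and only the clean resolver gets both right. The `probe_rewriting()` output is the quickest way to find out which of these a resolver you depend on is doing.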