nanog mailing list archives
Re: What are these Google IPs hammering on my DNS server?
From: "John R. Levine" <johnl () iecc com>
Date: 4 Dec 2023 22:18:14 -0500
On Mon, 4 Dec 2023, Damian Menscher wrote:
> have more redundancy/capacity). Based on these estimates, we haven't treated mitigation of small attacks as a high priority. If O(25Kpps) attacks are causing real problems for the community, I'd appreciate that feedback and some hints as to why your experience differs from the ISC BIND load-tests.
Thanks for your note. Here's my problem, which I freely admit puts me way out at the tail of the weird curve. I run abuse.net which lets you look up abuse reporting addresses for domains. If you look up, say, bt.co.uk or mail.bt.co.uk, it'll look the domain up in its internal database and tell you to send reports to abuse () bt com.
I provide lookups via a web site and a whois server, but it occurred to me a while ago that it'd be much faster for everyone if I made a stunt DNS server that does the lookups and synthesizes the answers, e.g.:
$ dig mail.bt.co.uk.contacts.abuse.net txt

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mail.bt.co.uk.contacts.abuse.net. IN TXT

;; ANSWER SECTION:
mail.bt.co.uk.contacts.abuse.net. 43200 IN TXT "abuse () bt com"

The DNS server is a perl script I wrote a while ago that synthesizes answers on the fly. It can't be a normal DNS server because the mapping from queries to responses is more complex than you can express with DNS wildcards, and if a domain isn't in the database it returns a default of abuse@<domain>.
I have two servers on two networks and normally it works fine until some nitwit does a query flood, probably looking up every domain in every message they see, or maybe an inept listwasher, and the two little perl scripts just can't keep up.
What I would like is if large public DNS systems like yours refused to look up anything in contacts.abuse.net, and I tell people that if they want to use the DNS lookup, use your own DNS cache, similar to what DNSBLs do.
I suppose I could try and do a split horizon hack on the parent server (abuse.net itself is on ordinary NSD servers) and say the NS for contacts.abuse.net is at 127.0.0.1, but as we've seen it's a challenge keeping track of all the places your queries can come from.
Regards, John Levine, johnl () taugh com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly
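The lookup logic John describes for the contacts.abuse.net stunt server (strip the zone suffix, walk the query name's labels for the longest database match, fall back to abuse@<domain>), as an added Python example that is not John's Perl script and not the real abuse.net database; the database entries and the choice of the queried domain as the fallback <domain> are assumptions.

```python
"""Synthesising abuse-contact TXT answers for names under contacts.abuse.net."""
from __future__ import annotations

ZONE = "contacts.abuse.net"

# Constructed sample database (domain -> abuse reporting address).
# The real abuse.net data is not on the page; these values are illustrative.
ABUSE_DB = {
    "bt.co.uk": "abuse@bt.com",
    "example.org": "abuse@example.org",
}


def parse_query(qname: str) -> str | None:
    """Return the domain being looked up, or None if qname is outside ZONE.

    Tolerates a trailing dot and mixed case, as names arrive on the wire.
    """
    name = qname.rstrip(".").lower()
    suffix = "." + ZONE
    if not name.endswith(suffix):
        return None  # not our zone; a real server would answer REFUSED
    domain = name[: -len(suffix)]
    return domain or None  # the bare zone apex is not a lookup


def lookup(domain: str) -> str:
    """Longest-suffix match, which a DNS wildcard cannot express.

    mail.bt.co.uk is tried as mail.bt.co.uk, bt.co.uk, co.uk, uk; first hit wins.
    Falls back to abuse@<domain>; <domain> is assumed to be the queried name.
    """
    labels = domain.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ABUSE_DB:
            return ABUSE_DB[candidate]
    return f"abuse@{domain}"


def synthesize_txt(qname: str, ttl: int = 43200) -> str | None:
    """Build the answer-section TXT line for a query, or None if out of zone."""
    domain = parse_query(qname)
    if domain is None:
        return None
    return f'{qname.rstrip(".")}. {ttl} IN TXT "{lookup(domain)}"'


if __name__ == "__main__":
    for q in ("mail.bt.co.uk.contacts.abuse.net.", "nowhere.test.contacts.abuse.net", "bt.co.uk"):
        print(q, "->", synthesize_txt(q))
```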