Lame delegation
From: Peter Lalor
Date: Saturday, June 30, 2001
Time: 4:32:40 pm

We recently noticed heavy usage to our primary QDNS server. Upon
increasing the logging level this turned out to be a lot of this:
Jun 29 15:08:04 Query: "www.projectsphere.com." - requested from
"62.138.1.148:3385"
<snip 20 lines>
Jun 29 15:08:04 Query: "www.projectsphere.com." - requested from
"62.138.1.148:1086"
An average of 22 queries/sec., from two different source ports. Upon
investigation we found that although whois for projectsphere.com
lists our servers as authoritative, we've never heard of it. This
raises some questions:
1) Is the normal failure mode for a lame delegation to ask again many
times a second?
1a) If so, it would seem that this could be a way to DoS a DNS.
1b) If not, any theories on why this would be?
2) Is it possible to do whois for every zone that Internic shows that
a given NS hosts? I'd like to audit their records for other lame
delegations and get them removed.
2a) How about other registrars?
2b) Has anyone handled this sort of thing in batch before? Any tips
on dealing with NIC(s)?
In the meantime we've dropped this traffic at the router and filed an
abuse report with the source.
--
Peter Lalor Infoasis
plalor@infoasis.com The San Francisco Bay Area's Macintosh
415-459-7991 Consultant and Internet Service Provider
415-459-7992 fax http://www.infoasis.com/
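
Added example, not part of the original post: a Python check for the pattern described in the message. It parses query-log lines in the format quoted above, skips names under zones the server really hosts, and reports each (name, source) pair whose peak per-second rate reaches a threshold. The hosted-zone set, the threshold, the function names and the sample lines (documentation addresses) are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Log format as quoted in the post, one entry per line once unwrapped.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) Query: "(?P<qname>[^"]+)" '
    r'- requested from "(?P<ip>[^":]+):(?P<port>\d+)"$'
)

def zone_for(qname, hosted_zones):
    """Return the hosted zone containing qname, or None if we serve none."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in hosted_zones:
            return candidate
    return None

def find_lame_hotspots(lines, hosted_zones, min_per_second=10):
    """Flag (qname, source) pairs hammering names we are not authoritative for."""
    per_second = defaultdict(Counter)   # (qname, ip) -> {timestamp: count}
    ports = defaultdict(set)            # (qname, ip) -> source ports seen
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # not a query line, ignore
        qname = m["qname"].lower()
        if zone_for(qname, hosted_zones) is not None:
            continue                    # legitimate query for a hosted zone
        key = (qname, m["ip"])
        per_second[key][m["ts"]] += 1
        ports[key].add(int(m["port"]))
    report = []
    for (qname, ip), counts in per_second.items():
        peak = max(counts.values())
        if peak >= min_per_second:
            report.append({"qname": qname, "source": ip, "peak_qps": peak,
                           "total": sum(counts.values()),
                           "source_ports": sorted(ports[(qname, ip)])})
    return sorted(report, key=lambda r: -r["peak_qps"])

# Constructed sample input: assumed hosted zone, documentation source addresses.
HOSTED_ZONES = {"infoasis.com"}
SAMPLE_LOG = (
    ['Jun 29 15:08:04 Query: "www.projectsphere.com." - requested from '
     '"192.0.2.10:%d"' % (3385 if i % 2 else 1086) for i in range(22)]
    + ['Jun 29 15:08:04 Query: "www.infoasis.com." - requested from "198.51.100.7:4021"'] * 15
    + ['Jun 29 15:08:05 Query: "mail.example.net." - requested from "203.0.113.5:1500"']
)
```

Run against a real log, each reported name is a candidate lame delegation to raise with the registrar, and each reported source is a candidate for rate limiting or filtering at the router.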