
Re: DNS contamination
From: dvv () sprint net (Dima Volodin)
Date: Thu, 23 Jan 1997 15:51:57 -0500 (EST)

Ignoring additional records works pretty well for me.

Otherwise, the beast is out there, and we cannot do much except waiting
for it to die slowly.

For those who wonder what is so special about these addresses - they
were SprintLink's DNS servers around Wilhelm the Conqueror's time or
shortly after that. Apparently, some clueless admins have these
addresses as bogus glue records in their zones and use vintage named
versions that allow them to do that. Once leaked out in additional
sections of DNS responses, these bogus records end up in other servers'
caches, which in turn try to use these addresses to resolve queries for
names for which SprintLink's servers are claimed to be authoritative.
In two hours about 400 servers tried to use hrn-cat-2.sprintlink.net (a
Catalyst something) as a name server.

Paul A Vixie writes:

> I have done, algorithmically, everything that can be done at that level.
> At this point we are going to have to wait for DNSSEC or some other wire
> protocol change.  If you have suggestions to the contrary I would like
> to hear them.  (And if you have money to pay for BIND improvements I would
> like to hear about that, too.)
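An added illustration, not code from the post, from BIND or from SprintLink, of the contamination path described above: a toy resolver cache that either trusts the additional section outright, discards it entirely as the post does, or applies a bailiwick filter that keeps only additional records within the responder's own zone (a later resolver technique assumed here, not something the post proposes). The zone, names and addresses in the sample are constructed; only hrn-cat-2.sprintlink.net comes from the post.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class RR:
    name: str    # owner name, fully qualified with trailing dot
    rtype: str   # "A" or "NS"
    rdata: str   # address or target name

@dataclass
class Response:
    zone: str         # zone the responding server is authoritative for
    answer: list      # answer-section records
    additional: list  # additional-section (glue) records

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone itself or lies below it."""
    return name == zone or name.endswith("." + zone)

def cache_response(resp: Response, policy: str) -> dict:
    """Build a cache from one response. Policies:
    accept_all        - vintage behaviour: trust every record in the packet
    ignore_additional - what the post does: discard the additional section
    bailiwick         - keep additional records only from the responder's zone"""
    cache = {(rr.name, rr.rtype): rr.rdata for rr in resp.answer}
    if policy == "ignore_additional":
        return cache
    for rr in resp.additional:
        if policy == "accept_all" or in_bailiwick(rr.name, resp.zone):
            cache[(rr.name, rr.rtype)] = rr.rdata
    return cache

# Constructed sample: a server for clueless.example. answers a query for
# www.clueless.example. and pads the additional section with one legitimate
# glue record for its own name server plus one stale, out-of-zone "glue"
# record for a SprintLink host (addresses are documentation values).
SAMPLE = Response(
    zone="clueless.example.",
    answer=[RR("www.clueless.example.", "A", "192.0.2.10")],
    additional=[RR("ns1.clueless.example.", "A", "192.0.2.53"),
                RR("hrn-cat-2.sprintlink.net.", "A", "192.0.2.99")],
)
STALE = ("hrn-cat-2.sprintlink.net.", "A")
GOOD_GLUE = ("ns1.clueless.example.", "A")

def contaminated(policy: str) -> bool:
    """Would this policy leave the stale SprintLink address in the cache?"""
    return STALE in cache_response(SAMPLE, policy)
def keeps_good_glue(policy: str) -> bool:
    """Does this policy retain the legitimate in-zone glue?"""
    return GOOD_GLUE in cache_response(SAMPLE, policy)
```

Discarding the whole additional section stops the contamination but also throws away the legitimate ns1 glue, costing an extra lookup; the bailiwick variant keeps that glue while still rejecting the out-of-zone record.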
