[dns-operations] blocking recursers

Ondřej Surý ondrej.sury at nic.cz
Mon Mar 27 15:14:59 UTC 2006


On Mon, 2006-03-27 at 10:23 +0200, Stephane Bortzmeyer wrote:
> On Thu, Mar 23, 2006 at 12:28:28PM +0100,
>  Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote 
>  a message of 24 lines which said:
> 
> > Advice to everyone on the list, including myself: educate, spread
> > the news, teach, inform DNS administrators. For instance, AFNIC is
> > *considering* sending a warning to each of its registrars about ORNs
> > but it has not been done yet. So, it would be harsh if we suddenly
> > started to blacklist ORNs.
> 
> A survey I just ran over the nameservers of ".fr" shows that 63 % of
> them are also ORN, which is quite worrying (and authoritative
> nameservers of a TLD are not the only ORN in the wild).

Numbers of unique IP addresses of nameservers in .CZ grouped by fpdns
output, quite terrifying, isn't it?:

   2538 BIND 9.2.3rc1 -- 9.4.0a0 [recursion enabled]
   1181 BIND 9.2.0rc7 -- 9.2.2-P3 [recursion enabled]
    877 BIND 9.2.3rc1 -- 9.4.0a0
    598 q0tq0tq7tq6r?query timed out
    533 BIND 8.3.0-RC1 -- 8.4.4 [recursion enabled]
    417 Microsoft Windows 2000
    405 Microsoft Windows 2003
    349 BIND 9.2.0rc7 -- 9.2.2-P3
    324 TinyDNS 1.05
    183 BIND 8.1-REL -- 8.2.1-T4B [recursion enabled]
    166 BIND 8.3.0-RC1 -- 8.4.4
    133 PowerDNS 2.9.4 -- 2.9.11
    130 BIND 8.3.0-RC1 -- 8.4.4 [recursion local]
     79 MyDNS
     79 BIND 9.1.0 -- 9.1.3 [recursion enabled]
     76 PowerDNS 2.8 -- 2.9.3
     60 BIND 4.9.3 -- 4.9.11
     59 Microsoft Windows NT4
     56 BIND 8.2.2-P3 -- 8.3.0-T2A [recursion enabled]
     42 q0tq0r?1,IQUERY,0,0,1,1,0,0,NOTIMP,0,0,0,0
     38 BIND 8.2.2-P3 -- 8.3.0-T2A
     33 simple DNS plus [recursion enabled]
     32 BIND 9.2.0rc7 -- 9.2.2-P3 [recursion local]
     23 q0r?question section incomplete
     20 BIND 8.2.2-P3 -- 8.3.0-T2A [recursion local]
     18 NSD 1.2.3
     17 simple DNS plus
     17 BIND 9.1.0 -- 9.1.3
     15 q0r5q1r?query timed out
     12 BIND 9.2.0a1 -- 9.2.2-P3 [recursion enabled]
     11 q0r5q1r18q5r?1,IQUERY,1,0,1,1,1,1,NOTIMP,0,0,0,0
     10 q0tq0r?1,IQUERY,0,0,1,0,0,0,NOTIMP,0,0,0,0
     10 q0r4q1r21q2r?query timed out

Same numbers, but per zone (so it looks like the bigger players have
correctly configured their BIND):

 150709 BIND 9.2.3rc1 -- 9.4.0a0
 119117 BIND 9.2.3rc1 -- 9.4.0a0 [recursion enabled]
  70887 BIND 9.2.0rc7 -- 9.2.2-P3 [recursion enabled]
  30680 NSD 1.2.3
  21323 Microsoft Windows 2000
  19961 BIND 8.3.0-RC1 -- 8.4.4 [recursion enabled]
  19436 TinyDNS 1.05
  19347 Microsoft Windows 2003
  10453 BIND 9.2.0rc7 -- 9.2.2-P3
   6050 BIND 8.3.0-RC1 -- 8.4.4
   5788 q0tq0tq7tq6r?query timed out
   5056 PowerDNS 2.9.4 -- 2.9.11
   4828 BIND 8.3.0-RC1 -- 8.4.4 [recursion local]
   3225 MyDNS
   2659 PowerDNS 2.8 -- 2.9.3
   2198 BIND 8.1-REL -- 8.2.1-T4B [recursion enabled]
   2176 BIND 8.2.2-P3 -- 8.3.0-T2A [recursion enabled]
   2020 BIND 9.1.0 -- 9.1.3 [recursion enabled]
   1657 BIND 8.2.2-P3 -- 8.3.0-T2A

We will issue warnings to the local community (IX, registrars) in the near
future...

Ondrej.
-- 
 Ondřej Surý
 technický ředitel/Chief Technical Officer
 -----------------------------------------
 CZ.NIC, z.s.p.o.  --  .cz domain registry
 Lužná 591, 160 00 Praha 6, Czech Republic
 mailto:ondrej.sury at nic.cz  http://nic.cz/
 tel:+420 222 745 110 fax:+420 220 121 184
 -----------------------------------------
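
Added example, not part of the original message: a Python sketch that parses count-prefixed fpdns rows like the two tallies above and compares the share of BIND rows flagged `[recursion enabled]` per IP address and per zone. It embeds only an excerpt of each tally (the largest BIND rows and one timed-out row), so the percentages cover those rows alone; the function names and the handling of raw `q0...` strings as "unidentified" are assumptions of this example.

```python
import re
from collections import Counter

# Excerpt of the two tallies in the message above (not the full tables).
PER_IP = """\
   2538 BIND 9.2.3rc1 -- 9.4.0a0 [recursion enabled]
   1181 BIND 9.2.0rc7 -- 9.2.2-P3 [recursion enabled]
    877 BIND 9.2.3rc1 -- 9.4.0a0
    598 q0tq0tq7tq6r?query timed out
    533 BIND 8.3.0-RC1 -- 8.4.4 [recursion enabled]
    349 BIND 9.2.0rc7 -- 9.2.2-P3
    166 BIND 8.3.0-RC1 -- 8.4.4
    130 BIND 8.3.0-RC1 -- 8.4.4 [recursion local]
"""
PER_ZONE = """\
 150709 BIND 9.2.3rc1 -- 9.4.0a0
 119117 BIND 9.2.3rc1 -- 9.4.0a0 [recursion enabled]
  70887 BIND 9.2.0rc7 -- 9.2.2-P3 [recursion enabled]
  19961 BIND 8.3.0-RC1 -- 8.4.4 [recursion enabled]
  10453 BIND 9.2.0rc7 -- 9.2.2-P3
   6050 BIND 8.3.0-RC1 -- 8.4.4
   5788 q0tq0tq7tq6r?query timed out
   4828 BIND 8.3.0-RC1 -- 8.4.4 [recursion local]
"""

# <count> <fingerprint label> [optional "[recursion enabled|local]" flag]
ROW = re.compile(r"^\s*(\d+)\s+(.*?)\s*(?:\[recursion (\w+)\])?\s*$")

def tally(text):
    """Sum counts per (product, recursion flag) from count-prefixed rows."""
    out = Counter()
    for m in filter(None, map(ROW.match, text.splitlines())):
        count, label, flag = int(m.group(1)), m.group(2), m.group(3)
        # Assumption: a label starting with q<digit> is a raw, unmatched response.
        product = "unidentified" if re.match(r"q\d", label) else label.split()[0]
        out[(product, flag or "none")] += count
    return out

def open_share(text, product="BIND"):
    """Percent of a product's counted rows flagged [recursion enabled]."""
    t = tally(text)
    total = sum(n for (p, _), n in t.items() if p == product)
    return round(100.0 * t[(product, "enabled")] / total, 1) if total else 0.0

if __name__ == "__main__":
    print("per IP:  ", open_share(PER_IP), "% of BIND rows recursion enabled")
    print("per zone:", open_share(PER_ZONE), "% of BIND rows recursion enabled")
```
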