[dns-operations] Amplification attack today ?
Peter Dambier
peter at peter-dambier.de
Mon Mar 5 22:57:15 UTC 2007
Pete Ehlke wrote:
> On Mon Mar 05, 2007 at 12:58:24 +0100, Peter Dambier wrote:
>
>>At the pirates party and especially at ARL (A)ssociation des (R)acines (L)ibres
>>we are testing an /etc/named.conf that works without rootservers. We need no
>>root-servers.net and no alternatives.
>>
>>named.conf looks something like
>>
>>...
>>
>>zone "de" {
>>type stub;
>>file "stub/de";
>>masters { 193.0.7.3; 194.246.96.1; 208.48.81.43; 194.246.96.1; 81.91.164.5; };
>>};
>>
>>zone "pirates" {
>>type stub;
>>file "stub/pirates";
>>masters { 88.198.56.107; 205.189.71.34; };
>>};
>>
>>zone "ewe" {
>>type stub;
>>file "stub/ewe";
>>masters { 71.132.98.41; 64.62.206.88; 64.62.206.91; };
>>};
>>
>>...
>>
>>The file can be sent monthly on cdrom or
>>weekly via email.
>>
>
> And the difference between distributing this and distributing hosts.txt
> is exactly what?
>
> And my reasons to trust you not to
>
> zone "bankofamerica.com" {
> type stub;
> file "stub/bofa.com";
> masters {71.132.98.41;};
> };
>
> are exactly what?
>
> Or should I read your .conf every time it comes out and decide what
> delegations I personally agree with?

It is a bind config-file that queries the authoritative TLD servers
directly without going through the root-servers, just in case you
are blackholed or the root-servers are attacked again.

Hosts.txt is not for dns. This file is.

The file is not edited but results from the answer for
e.g.

; <<>> DiG 9.4.0b4 <<>> -t any um @flag.ep.net
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17719
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;um. IN ANY
;; ANSWER SECTION:
um. 86400 IN SOA flag.ep.net.um. hostmaster.ep.net.um. 2006120106 43200 3600 1209600 86400
um. 86400 IN NS ns.isi.edu.
um. 86400 IN NS flag.ep.net.
um. 86400 IN NS venera.isi.edu.
;; ADDITIONAL SECTION:
flag.ep.net. 86400 IN A 198.32.4.13
flag.ep.net. 86400 IN AAAA 3ffe:805::2d0:b7ff:fee8:c4d9
flag.ep.net. 86400 IN AAAA 2001:478:6:0:2d0:b7ff:fee8:c4d9
;; Query time: 209 msec
;; SERVER: 198.32.4.13#53(198.32.4.13)
;; WHEN: Mon Mar 5 23:06:35 2007
;; MSG SIZE rcvd: 221

Compare this to what the root-servers say

; <<>> DiG 9.4.0b4 <<>> -t any um @a.root-servers.net
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53351
;; flags: qr rd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;um. IN ANY
;; ANSWER SECTION:
um. 172800 IN NS NS.ISI.EDU.
um. 172800 IN NS VENERA.ISI.EDU.
um. 172800 IN NS NS.UU.NET.
;; AUTHORITY SECTION:
um. 172800 IN NS NS.ISI.EDU.
um. 172800 IN NS VENERA.ISI.EDU.
um. 172800 IN NS NS.UU.NET.
;; ADDITIONAL SECTION:
NS.ISI.EDU. 172800 IN A 128.9.128.127
VENERA.ISI.EDU. 172800 IN A 128.9.176.32
NS.UU.NET. 172800 IN A 137.39.1.3
;; Query time: 151 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Mon Mar 5 23:05:53 2007
;; MSG SIZE rcvd: 178

And have a look at the answering - or not answering nameservers

SOA records

soa("um","2006120106","FLAG.EP.NET","198.32.4.13").
error("um","VENERA.ISI.EDU","128.9.176.32","no response").
soa("um","2006120106","NS.ISI.EDU","128.9.128.127").
error("um","NS.UU.NET","137.39.1.3","no soa").

This data is provided by a group of users who decide what
they want to see - not what they want censored.

If you want US or SU censored then get the file and edit.

If you look at some nameservers then chance is good you
need to edit only once every two or three years. How old
is UM? And they still did not fix it.

On the other hand who needs MOBI, TEL, AERO or IQ, DE, SU?
For most people a single domain COM is enough.

The others can use a file like

http://www.afrac.org/dnsi.htm
http://intlnet.org/eintl.htm

To find where to look

Kind regards
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher-Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/
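
Added example, not part of the original message or of any project mentioned in it: one way to handle the trust question raised in this thread is to audit each distributed stub-zone file against a locally reviewed baseline before loading it. The function names, the baseline format, and the sample zones and documentation-range addresses are assumptions; the parser handles only the simple zone shape quoted above, without comments or per-master options.

```python
import re

ZONE_START = re.compile(r'zone\s+"([^"]+)"\s*\{')
TYPE = re.compile(r'\btype\s+([\w-]+)\s*;')
MASTERS = re.compile(r'\bmasters\s*\{([^}]*)\}')

def parse_zones(conf):
    """Return [(zone, type, [master addresses])] for each zone statement."""
    zones = []
    for m in ZONE_START.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:          # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i - 1]
        ztype = TYPE.search(body)
        masters = MASTERS.search(body)
        addrs = re.split(r"[;\s]+", masters.group(1)) if masters else []
        zones.append((m.group(1).rstrip(".").lower(),
                      ztype.group(1) if ztype else None,
                      [a for a in addrs if a]))
    return zones

def audit(conf, baseline):
    """Compare stub zones with a locally reviewed baseline {zone: set(masters)}."""
    findings = []
    for zone, ztype, masters in parse_zones(conf):
        if ztype != "stub":
            continue
        if "." in zone:                 # stub below a TLD overrides that domain's delegation
            findings.append((zone, "not-a-tld"))
        if len(set(masters)) != len(masters):
            findings.append((zone, "duplicate-master"))
        if zone not in baseline:
            findings.append((zone, "new-zone"))
        elif set(masters) != baseline[zone]:
            findings.append((zone, "masters-changed"))
    return findings

# Constructed sample; zone contents and addresses are illustrative only.
SAMPLE = '''
zone "de" { type stub; file "stub/de";
    masters { 192.0.2.1; 198.51.100.1; 192.0.2.1; }; };
zone "pirates" { type stub; file "stub/pirates";
    masters { 203.0.113.7; }; };
zone "bank.example.com" { type stub; file "stub/bank";
    masters { 203.0.113.66; }; };
'''
BASELINE = {"de": {"192.0.2.1", "198.51.100.1"}, "pirates": {"203.0.113.9"}}

if __name__ == "__main__":
    for zone, issue in audit(SAMPLE, BASELINE):
        print(f"{zone}: {issue}")
```

Any finding means the file should not be loaded until the change has been reviewed and the baseline updated by hand.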