[dns-operations] solutions for DDoS mitigation of DNS

Paul Vixie paul at redbarn.org
Fri Apr 3 02:06:13 UTC 2020


On Friday, 3 April 2020 01:18:46 UTC Tessa Plum wrote:
> ...
> 
> Not only for those private domain names, but zone data also includes the
> administrative structure of corp/group.

nothing in the dns is private. if you don't want something viewed, cataloged, 
indexed, searched, and used, then do not put that something into DNS at all.

> For example, Colleges and Departmnts, administration offices and their
> sub-domains and MX records were defined in this zone file.

attached please find a list of all NS-record owning domain names at or below 
berkeley.edu which have been witnessed at least once since january 1 2020. i 
produced it using the following command:

$ dnsdbq -r '\*.berkeley.edu/ns' -A 2020-01-01 -j | jq .rrname | uniq

you should be able to extrapolate from this that DNS keeps _no_ secrets, and 
if you wonder why not, the answer is that keeping secrets is contrary to the 
goal of DNS. DNS is a publication system, not a secrecy system.

-- 
Paul
-------------- next part --------------
"berkeley.edu."
"ce.berkeley.edu."
"cp.berkeley.edu."
"cs.berkeley.edu."
"dh.berkeley.edu."
"fs.berkeley.edu."
"ga.berkeley.edu."
"ih.berkeley.edu."
"is.berkeley.edu."
"ls.berkeley.edu."
"me.berkeley.edu."
"pi.berkeley.edu."
"rs.berkeley.edu."
"uc.berkeley.edu."
"v6.berkeley.edu."
"w3.berkeley.edu."
"2ol.berkeley.edu."
"_dmarc.2ol.berkeley.edu."
"_domainkey.2ol.berkeley.edu."
"aap.berkeley.edu."
"abc.berkeley.edu."
"api.berkeley.edu."
"are.berkeley.edu."
"bic.berkeley.edu."
"bjc.berkeley.edu."
"brc.berkeley.edu."
"bsp.berkeley.edu."
"cal.berkeley.edu."
"cbe.berkeley.edu."
"ced.berkeley.edu."
"chu.berkeley.edu."
"cnr.berkeley.edu."
"coe.berkeley.edu."
"dsp.berkeley.edu."
"dyn.berkeley.edu."
"ebi.berkeley.edu."
"ehs.berkeley.edu."
"erg.berkeley.edu."
"ets.berkeley.edu."
"fao.berkeley.edu."
"fxd.berkeley.edu."
"geo.berkeley.edu."
"ias.berkeley.edu."
"ica.berkeley.edu."
"igs.berkeley.edu."
"ihd.berkeley.edu."
"iir.berkeley.edu."
"ist.berkeley.edu."
"its.berkeley.edu."
"jlg.berkeley.edu."
"law.berkeley.edu."
"lhs.berkeley.edu."
"lib.berkeley.edu."
"mba.berkeley.edu."
"mcb.berkeley.edu."
"mfe.berkeley.edu."
"mri.berkeley.edu."
"mse.berkeley.edu."
"msp.berkeley.edu."
"mvz.berkeley.edu."
"nes.berkeley.edu."
"net.berkeley.edu."
"nuc.berkeley.edu."
"ocf.berkeley.edu."
"ohr.berkeley.edu."
"our.berkeley.edu."
"pmb.berkeley.edu."
"qb3.berkeley.edu."
"rac.berkeley.edu."
"sma.berkeley.edu."
"soc.berkeley.edu."
"soe.berkeley.edu."
"sph.berkeley.edu."
"spo.berkeley.edu."
"ssl.berkeley.edu."
"cse.ssl.berkeley.edu."
"local.ssl.berkeley.edu."
"tsc.berkeley.edu."
"ual.berkeley.edu."
"ucb.berkeley.edu."
"ucm.berkeley.edu."
"uga.berkeley.edu."
"uhs.berkeley.edu."
"vpn.berkeley.edu."
"xcf.berkeley.edu."
"1918.berkeley.edu."
"ist.1918.berkeley.edu."
"net.1918.berkeley.edu."
"haas.1918.berkeley.edu."
"calnet.1918.berkeley.edu."
"airbears2.1918.berkeley.edu."
"calvisitor.1918.berkeley.edu."
"2048.berkeley.edu."
"acuc.berkeley.edu."
"asuc.berkeley.edu."
"azul.berkeley.edu."
"bair.berkeley.edu."
"bear.berkeley.edu."
"bids.berkeley.edu."
"bioe.berkeley.edu."
"bnhm.berkeley.edu."
"brie.berkeley.edu."
"ceda.berkeley.edu."
"clas.berkeley.edu."
"clpr.berkeley.edu."
"cshe.berkeley.edu."
"csua.berkeley.edu."
"decf.berkeley.edu."
"dlab.berkeley.edu."
"econ.berkeley.edu."
"eecs.berkeley.edu."
"erso.berkeley.edu."
"espm.berkeley.edu."
"fhrp.berkeley.edu."
"geog.berkeley.edu."
"ggia.berkeley.edu."
"grad.berkeley.edu."
"gspp.berkeley.edu."
"haas.berkeley.edu."
"herb.berkeley.edu."
"icsi.berkeley.edu."
"notary.icsi.berkeley.edu."
"netalyzr.icsi.berkeley.edu."
"netalyser.icsi.berkeley.edu."
"netalyzer.icsi.berkeley.edu."
"ieor.berkeley.edu."
"ipsr.berkeley.edu."
"irle.berkeley.edu."
"iurd.berkeley.edu."
"kalx.berkeley.edu."
"lips.berkeley.edu."
"math.berkeley.edu."
"olac.berkeley.edu."
"path.berkeley.edu."
"peer.berkeley.edu."
"ppcs.berkeley.edu."
"rojo.berkeley.edu."
"rssp.berkeley.edu."
"sdsc.berkeley.edu."
"eis-github-prod-03.sdsc.berkeley.edu."
"sims.berkeley.edu."
"snap.berkeley.edu."
"sscl.berkeley.edu."
"stat.berkeley.edu."
"ucei.berkeley.edu."
"ucmp.berkeley.edu."
"udar.berkeley.edu."
"ugis.berkeley.edu."
"unex.berkeley.edu."
"urel.berkeley.edu."
"vcbf.berkeley.edu."
"vspa.berkeley.edu."
"astro.berkeley.edu."
"atmos.berkeley.edu."
"cchem.berkeley.edu."
"cnmat.berkeley.edu."
"cpsma.berkeley.edu."
"demog.berkeley.edu."
"gsppi.berkeley.edu."
"ipira.berkeley.edu."
"iucrp.berkeley.edu."
"media.berkeley.edu."
"neuro.berkeley.edu."
"psych.berkeley.edu."
"ucbso.berkeley.edu."
"voice.berkeley.edu."
"alumni.berkeley.edu."
"bampfa.berkeley.edu."
"bluext.berkeley.edu."
"calnet.berkeley.edu."
"calsol.berkeley.edu."
"campus.berkeley.edu."
"chance.berkeley.edu."
"citris.berkeley.edu."
"cspace.berkeley.edu."
"data8x.berkeley.edu."
"devlib.berkeley.edu."
"garden.berkeley.edu."
"github.berkeley.edu."
"humbio.berkeley.edu."
"physed.berkeley.edu."
"sccqb3.berkeley.edu."
"seismo.berkeley.edu."
"simons.berkeley.edu."
"socwel.berkeley.edu."
"summer.berkeley.edu."
"vision.berkeley.edu."
"y-plan.berkeley.edu."
"banatao.berkeley.edu."
"biostat.berkeley.edu."
"calband.berkeley.edu."
"calswec.berkeley.edu."
"datahub.berkeley.edu."
"ggkbase.berkeley.edu."
"history.berkeley.edu."
"housing.berkeley.edu."
"ischool.berkeley.edu."
"physics.berkeley.edu."
"polisci.berkeley.edu."
"rescomp.berkeley.edu."
"reshall.berkeley.edu."
"calperfs.berkeley.edu."
"classics.berkeley.edu."
"language.berkeley.edu."
"military.berkeley.edu."
"pantheon.berkeley.edu."
"redwoodx.berkeley.edu."
"security.berkeley.edu."
"townsend.berkeley.edu."
"uhs-thin.berkeley.edu."
"airbears2.berkeley.edu."
"ls-advise.berkeley.edu."
"sait-west.berkeley.edu."
"admissions.berkeley.edu."
"calnet-aws.berkeley.edu."
"calvisitor.berkeley.edu."
"chancellor.berkeley.edu."
"journalism.berkeley.edu."
"millennium.berkeley.edu."
"precollege.berkeley.edu."
"xcelerator.berkeley.edu."
"campus-test.berkeley.edu."
"datascience.berkeley.edu."
"sfmc.datascience.berkeley.edu."
"_dmarc.datascience.berkeley.edu."
"_domainkey.datascience.berkeley.edu."
"github-test.berkeley.edu."
"inr-304-sut.berkeley.edu."
"integration.berkeley.edu."
"linguistics.berkeley.edu."
"studyabroad.berkeley.edu."
"caltimeclock.berkeley.edu."
"globalhealth.berkeley.edu."
"hearstmuseum.berkeley.edu."
"inr-310-ewdc.berkeley.edu."
"inr-311-ewdc.berkeley.edu."
"techtransfer.berkeley.edu."
"ternercenter.berkeley.edu."
"cybersecurity.berkeley.edu."
"sfmc.cybersecurity.berkeley.edu."
"_dmarc.cybersecurity.berkeley.edu."
"_domainkey.cybersecurity.berkeley.edu."
"funginstitute.berkeley.edu."
"ischoolonline.berkeley.edu."
"inr-157-reccev.berkeley.edu."
"inr-350-reccev.berkeley.edu."
"calperformances.berkeley.edu."
"millerinstitute.berkeley.edu."
"digitalhumanities.berkeley.edu."
"inr-79-1608fourth.berkeley.edu."
"corporateinnovation.berkeley.edu."
"healthandwellnessalerts.berkeley.edu."


More information about the dns-operations mailing list