lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: fulld-nospam at braingia.org (Steve)
Subject: Question for DNS pros

On Sat, Jul 24, 2004 at 12:58:42AM -0500, Paul Schmehl wrote:
> i think your isp should have this info
> 
>> Umm..did you look at my address?  We own a class B.  We don't have an 
>> ISP.

Agreed.  Even if you did have an ISP, I don't see any reason why they 
would have this information.

> Not if the "other" DNS server is working.  You're required to register two 
> nameservers; a primary and a secondary.  You only need one to answer 
> queries.  If a guy registered a domain and used *his* box for the primary 
> and just grabbed a random IP to register as a "secondary", why would he 
> care of the secondary didn't work?

A solution or, well, a possible way to make the problem solve itself, is
to start answering queries for the domain that's pointing to you, except
answer them incorrectly.  Another poster had pointed out that you could
answer the queries by pointing to 127.0.0.1 and that might be a
solution.  The person who registered the domain pointing to your address
may eventually get sick of having some queries answered incorrectly for
their domain and switch it.

It may also be a violation of a registrar's terms of service to point to
DNS servers that aren't actually authoritative for the zone but I
wouldn't count on this actually paying dividends.  When we had the same
problem a number of years ago, the registrar (verisign) said that we
needed to take it up with the domain owner.  It didn't matter that we
explained that the domain owner was unresponsive.  These policies may 
have changed since I last tried but I wouldn't count on it.

I would first try to contact the domain owner to see if they pointed to 
the IP by mistake and politely ask them to change it.  If they didn't 
respond, I might contact them again telling them that I'm about to start 
answering queries for that domain with whatever I wanted.  If, after 
those attempts nothing changed, I would implement the DNS server on the 
IP in question and start answering for it.

> You're misunderstanding the problem.  The problem is, we want to make sure 
> our IPs aren't being used by someone else, even inadvertantly.

I don't believe that you're ever going to be completely successful in
this.  It's like saying that you never want someone to sign up for a
mailing list with your physical (real-world) address.  You can't control
someone using your physical address and having their mail sent there. 
You can, however, prevent them from retrieving their mail by getting to
your mailbox first.  :)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ