USAccess
Premium Member
join:2013-09-08
Oshawa, ON

USAccess to MrToady

Re: USAccess DNS - Rogers (affecting 3rd-party Cable ISPs) blocking our DNS

said by MrToady:

Not all competitors =).....here is a little snippet for you from my bind config:

view "Redirect" {
    match-clients { any; };
    recursion no;
    // remaining statements of the view are not included in the quoted snippet
};

With all due respect MrToady, it looks like you just started things up last week. I had no idea of your existence until you replied to this thread.

Either way, I would like to try and not derail this thread, as it has already been taken off topic enough (myself included in that).

openvz_ca
Member
join:2008-12-13
canada

openvz_ca to USAccess

said by USAccess:

what happens when a dynamic IP updates, the user loses all internet connectivity (assuming most users don't know the IP address of every website they wish to visit)?

Just because your competitors use open recursion, doesn't mean it's something you absolutely must do as well. As others (and myself) have stated, open recursive DNS servers are tricky to manage. Even when you rate limit, you can get very high amplification factors if you know what you're doing and create much more traffic than what you send.

Part of your business is making it easy for users to update their IP stored in your database so they can always access your service (such as with a mobile app or short URL).

I meant restricting access to your DNS server for queries (by paying customers), not forcing the user to remember the IP address of the website they want to visit.

If you aren't IP restricting, then how do you make people pay for the service? If anyone can openly query your DNS server, then they don't need to pay? Unless you're giving different results based on the source IP and whether it's in your billing database or not.
said by USAccess:

Our servers (on the production side) are rate-limited, and we also subscribe to DNS iptables lists like »github.com/smurfmonitor/ ··· es-rules

The rules you reference in the github repo link are of no use. The majority of people who exploit open/recursive DNS servers do so with spoofed source IPs. This attack vector does not offer much other value if you can't spoof the IP of your intended victim (unless you want to just play around and create traffic to many destinations for no apparent reason). Most intended victims are not exploiters, therefore they will never be on a common publicly available list of malicious activity.
said by USAccess:

I understand you would like to contribute to dialog on this matter, but your information here is just blatantly wrong. You can openly recurse on all of our competitors.

I'm contributing dialog to the issue you asked the community about in your opening post. You are asking why some ISPs are blocking traffic to your services; there's no other explanation other than malicious activity. ISPs need to go out of their way to block traffic, so there needs to be a reason when more than one did this. How you can claim any of the information I've contributed is "blatantly wrong" is nonsense. Do some traffic sampling on your interfaces, run Wireshark on your sample, and you will quickly be able to find malicious network activity to your server; it's almost a guarantee with an open DNS server.

USAccess
Premium Member
join:2013-09-08
Oshawa, ON

I understand what you are saying.

The bottom line of it, which you have touched on above, is that you do not know how our system works and thus, the possible fixes you have suggested aren't really plausible.

If we kill recursion completely on the system we have in place, customers would not even be able to call a shorturl to update their IP address (it wouldn't resolve...).

We do actively packet capture on our network to monitor traffic (tcpdump) and apply new rules at times to thwart attacks. Those iptables rules are the furthest thing from "of no use". You may need to read into them and how they work, as it has nothing to do with source IPs.
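As an added example (not MrToady's or USAccess's configuration), this BIND 9 named.conf fragment shows the middle ground the thread circles around: the provider's own zone is served to everyone, so a short URL under it still resolves, while recursion is only available to sources in an ACL built from the customer list, with BIND's response rate limiting as a backstop against the spoofed-source amplification openvz_ca describes. The acl name, the zone example.net, the addresses and the file paths are assumptions.

```conf
// Added example, not from the thread. Assumed: acl "customers",
// zone "example.net", file paths and the constructed address ranges.
acl "customers" {
    203.0.113.0/24;        // constructed: export this from the billing database
    2001:db8:1::/48;
};

options {
    directory "/var/named";
    minimal-responses yes;   // smaller answers, smaller amplification factor
    // Response rate limiting: identical answers to one /24 (IPv4) or /56
    // (IPv6) are capped; "slip 2" turns every second dropped answer into a
    // truncated reply so legitimate clients retry over TCP.
    rate-limit {
        responses-per-second 5;
        window 5;
        slip 2;
    };
};

// Views are matched in order, first match wins: the customer view must
// precede the catch-all view or customers would never reach it.
view "Customers" {
    match-clients { customers; };
    recursion yes;
    allow-recursion { customers; };
    allow-query-cache { customers; };
    zone "example.net" {
        type master;
        file "example.net.zone";
    };
};

// Everyone else: authoritative answers only. Short URLs under example.net
// still resolve, but queries for arbitrary names get REFUSED, so a spoofed
// source cannot use this server to reflect large third-party answers.
view "Redirect" {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };
    zone "example.net" {
        type master;
        file "example.net.zone";
    };
};
```

Check the result from an address outside the ACL with `dig @<server> example.net A` (should answer) and `dig @<server> example.com A` (should return status REFUSED), and confirm `named-checkconf` accepts the file before reloading.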

sm5w2
Premium Member
join:2004-10-13
St Thomas, ON

sm5w2 to USAccess

How is using 107.20.195.51 different from, say, using 4.2.2.2 ?