[Sysadmins] Eircom DNS woes...

ajh ajh at devfoo.net
Tue Jul 14 18:30:25 IST 2009


2009/7/14 FRLinux <frlinux at gmail.com>:
> On Tue, Jul 14, 2009 at 10:09 AM, Justin Mason<jm at jmason.org> wrote:
>>> I queried a few of the nameservers last night, and true enough - I was
>>> getting timeouts and no answers, but I didn't manage to observe any
>>> spoofing or false answers.
>>
>> were you querying from Eircom's dynamic address pool?  (I couldn't access the
>> 2 customer-facing recursive resolvers from outside.)
>
> http://www.theregister.co.uk/2009/07/14/eirocm_downtime_again/

Their old ns1.tinet.ie on 159.134.237.6 is still there and doing
recursive lookups from non-Eircom IPs (although the name ns1.tinet.ie
doesn't resolve anymore). But a quick Google shows customers
started moving away from using this server in Nov 2005. If this is the
one being DoS'ed then it must be a limited few who can resolve (*har*
*har* little DNS humour) their issue by using the new blessed DNS
servers as per Eircom documentation.

I am pretty sure 213.94.190.194 and 213.94.190.236 (the recursive
lookups) facing Eircom customers and handed out by RADIUS didn't allow
lookups from non-Eircom IPs before. So, if these are the servers being
DoS'ed with 8 million requests every 5 minutes then this attack must
be coming from inside the Eircom IP space so should be traceable.

The final Eircom DNS servers are the auth* ones, but these are
authoritative only, and any DoS against these would affect everyone
trying to connect to Eircom-hosted sites, and DSL users going to other
sites would be unaffected.

I haven't followed the story except for the link above, as I am not an
Eircom user and don't use Eircom servers for resolving, so this doesn't
affect me. So maybe there is something I am missing, but this story does
not, on the face of it, compute.


