Strange Extremeware behaviour

I was just reading Massive DDoS attack against anti-spam provider impacts millions of internet users and ended up at the Open Resolver project. Typing in a few IP address ranges I’m involved with, I noticed that there were some odd DNS servers. A few minutes of investigation shows that actually, an ancient Extreme BlackDiamond we have, running Extremeware (since replaced with ExtremeXOS in current kit), will answer DNS queries! It forwards them on to the DNS servers it knows about, using it’s own IP address on that network, effectively NATing DNS traffic from anywhere in the world.

That’s a Bad Thing. What’s more, I can’t find any mention of this behaviour in the manuals. The fix is simply to remove it’s dns-client configuration (which is supposed to be used for locally originated connections like telnet from the console) – it can’t forward requests if it doesn’t know any DNS servers, right?

configure dns-client delete x.x.x.x

at which point it stops accepting connections for DNS. But this is still somewhat alarming, especially for undocumented behaviour (so there’s no missing ACL or anything, or feature turned on, it’s just quietly been doing this).

Leave a Comment

Filed under Network, Tech

Begin again, Finnegan…

So it’s been about ten years since the last post on lesser-evil.com – and I’ve decided I might try and write things here again, partly just to try out a new web hosting outfit. Let’s see how that works out, this time. Everything from 2003 and before got dumped off to archive.lesser-evil.com – it’s mostly nonsense, frankly, so I wouldn’t bother.

Leave a Comment

Filed under Journal