
discuss - Re: [opennic-discuss] Download list of actual Tier1+tier2 OpenNIC server with script

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Download list of actual Tier1+tier2 OpenNIC server with script
  • Date: Thu, 10 Jan 2019 15:19:26 -0700
  • Authentication-results: mx5.sourpuss.net; dmarc=none header.from=sourpuss.net
  • Dmarc-filter: OpenDMARC Filter v1.3.0 mx5.sourpuss.net 543892D82A

Sorry for the late reply, but I'm the one who builds the root zone which includes the EmerDNS info.  To begin, here is the information we are putting in our root zone:

bazar.          3600    IN      NS      seed1.emercoin.com.
bazar.          3600    IN      NS      seed2.emercoin.com.
coin.           3600    IN      NS      seed1.emercoin.com.
coin.           3600    IN      NS      seed2.emercoin.com.
emc.            3600    IN      NS      seed1.emercoin.com.
emc.            3600    IN      NS      seed2.emercoin.com.
lib.            3600    IN      NS      seed1.emercoin.com.
lib.            3600    IN      NS      seed2.emercoin.com.

Obviously that provides global access to users as well as bots.  Over the years we've developed some methods of dealing with bots, but nothing is perfect.

One method would be to share your zone file with a few known opennic T1 servers, who could then make the information available to everyone using opennic.  This would halt the load on your DNS servers, but bots would still be able to reach your domains.

We do have an ACL file available that lists the public T1 and T2 servers (and you can also parse this info from dig commands), however any queries for an EmerDNS domain would still be passed along to your servers with the original requestor's IP address intact, so you would effectively be filtering everyone.

We also implement whitelisting, where users have to register their IP address in order to make use of some of the T2 servers.  This information is also available through the ACL file and may be the best option here, but it means that anyone wanting to use EmerDNS domains would be required to register their IP, and a lot of security-conscious folks are reluctant to do that.

I think that about covers what we have to work with, but let me know if you have any further questions.



On 01/04/2019 02:53 PM, Oleg Khovayko wrote:
Hello,

I represent EmerDNS; we have had successful peering with OpenNIC for years. Currently, our sites {seed1,seed2}.emercoin.com provide DNS answers to OpenNIC to support this peering. Unfortunately, I see many requests from the world directly to our seeds from many IPs other than OpenNIC. I assume some botnets are using them.

I would like to add firewall rules to our DNS gateways, just to restrict access to your Tier1+Tier2 servers only. With this solution, we'll provide DNS answers to OpenNIC only. Of course, we already created this "whitelist" manually, just from your web pages: https://servers.opennicproject.org

I have a question: Is there a way to download this list from a script as a text file, just to use in an automatic system to auto-setup firewall rules?


Thanks in advance,

Oleg








--------
You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org
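
Added example (not part of the original messages, and not OpenNIC or EmerDNS code): one way to turn a downloaded server list into firewall rules for the DNS gateways, validating every entry before it reaches the firewall. The input format (one address or CIDR per line), the sample addresses, the prefix limits and the nftables table and set names are all assumptions.

```python
import ipaddress

# Constructed sample; one address/CIDR per line with '#' comments is an assumed format.
SAMPLE_ACL = """\
192.0.2.10   # constructed, documentation range
198.51.100.0/28
2001:db8:53::1
192.0.2.10
not-an-ip
0.0.0.0/0
"""
MIN_PREFIX = {4: 24, 6: 48}  # assumed limits: anything broader is refused


def parse_acl(text):
    """Return (v4, v6, rejected): validated, de-duplicated source networks."""
    v4, v6, rejected = set(), set(), []
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    for entry in filter(None, lines):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            net = None
        # Reject garbage and overly broad ranges: one bad line must not open port 53 to everyone.
        if net is None or net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append(entry)
            continue
        (v4 if net.version == 4 else v6).add(net)
    return sorted(v4), sorted(v6), rejected


def render_nft(v4, v6, min_entries=1):
    """Build an nftables ruleset that answers DNS only for the listed sources."""
    if len(v4) + len(v6) < min_entries:
        raise ValueError("allow-list too small; keeping the current rules")
    def nft_set(name, typ, nets):
        elems = f" elements = {{ {', '.join(map(str, nets))} }}" if nets else ""
        return f"  set {name} {{ type {typ}; flags interval;{elems} }}"
    return "\n".join([
        "table inet dnsgate {",
        nft_set("opennic4", "ipv4_addr", v4),
        nft_set("opennic6", "ipv6_addr", v6),
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        "    ip saddr @opennic4 meta l4proto { tcp, udp } th dport 53 accept",
        "    ip6 saddr @opennic6 meta l4proto { tcp, udp } th dport 53 accept",
        "    meta l4proto { tcp, udp } th dport 53 drop",
        "  }",
        "}",
    ])
```

Review the rejected entries before loading the output with `nft -f`; the `min_entries` guard keeps an empty or truncated download from replacing a working allow-list.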



