• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Zone failed validation test. Wildcarding has been disabled due to abuse.

Started by CrunkBass, September 08, 2011, 04:20:11 PM


CrunkBass

I am using the free DNS service from HE with the domain crunkbass.net and can't set a wildcard.

The nameservers are set correctly but I could only add 4 NS entries at my domain registrar.
root@Vmware-Debian:~# dig crunkbass.net NS

; <<>> DiG 9.7.3 <<>> crunkbass.net NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43446
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4

;; QUESTION SECTION:
;crunkbass.net.                 IN      NS

;; ANSWER SECTION:
crunkbass.net.          86378   IN      NS      ns1.he.net.
crunkbass.net.          86378   IN      NS      ns3.he.net.
crunkbass.net.          86378   IN      NS      ns2.he.net.
crunkbass.net.          86378   IN      NS      ns4.he.net.

;; ADDITIONAL SECTION:
ns3.he.net.             86378   IN      A       216.218.132.2
ns4.he.net.             86378   IN      A       216.66.1.2
ns2.he.net.             86378   IN      A       216.218.131.2
ns1.he.net.             86378   IN      A       216.218.130.2

;; Query time: 23 msec
;; SERVER: 192.168.158.1#53(192.168.158.1)
;; WHEN: Fri Sep  9 01:23:03 2011
;; MSG SIZE  rcvd: 170


Does anyone know what could be the problem?

broquea

Were you...trying to create a wildcard entry? I think the reporting error sums it up if you were.
Wildcarding has been disabled due to abuse.
Not you specifically, this is a global setting. :D

CrunkBass

Thank you for your answer. Are there any plans to enable wildcarding again, or do I have to use another DNS service?

broquea


ionvz

I wonder what kind of abuse they speak of? It's rather disappointing though when it comes to dynamic applications to not have wildcard DNS available (and I'd prefer not to go back to using something like namecheap's DNS etc).

chaz6



mralexgray

Managing zone: XXXXXX.com.  Zone failed validation test.
Wildcarding has been disabled due to abuse.


My note to support:

Quote
Is this error specific to my account - or is this a site-wide change (as is being reported in the forums)?

Is this feature going to be re-enabled? Is it up for discussion?  Was it going to be mentioned?

I hope so...  I would consider wildcards - an "essential feature".

Seems a less drastic a solution would be to simply disable it for those who are abusing it, no?


Maybe dnsadmin@he.net can post a sticky or something - that explains this policy shift, more clearly?


jschv6

Hi,
I just noticed, that it is no longer possible to add wildcard domains.
I found them very handy, because I want people to see a custom error page when mistyping a part of the domain.
Also I have several services behind my home-IP. This IP changes sometimes and with a wildcard subdomain I only have to set the new IP at two places (IPv6 Tunnel Endpoint and Wildcard Subdomain A entry).

I can understand that HE has to disable features that are commonly abused on their free service, but I would be very happy if there would be some way to enable this again.
Maybe only for Sages like the IRC connections at the tunnel.
Are there any plans for this?

I am not going to abuse that, at least not willingly, because I can not even imagine how to abuse wildcard subdomains.
Maybe someone can enlighten me, just out of curiosity (only if it is not tempting people to do it)
You even know my address, because you kindly sent me a free t-shirt, so if I ever abuse a wildcard subdomain you can send a SWAT team to get me.

DAR2133576

Quote from: jschv6 on March 03, 2012, 06:27:57 AM
Hi,
I just noticed, that it is no longer possible to add wildcard domains.
I found them very handy, because I want people to see a custom error page when mistyping a part of the domain.
Also I have several services behind my home-IP. This IP changes sometimes and with a wildcard subdomain I only have to set the new IP at two places (IPv6 Tunnel Endpoint and Wildcard Subdomain A entry).

I can understand that HE has to disable features that are commonly abused on their free service, but I would be very happy if there would be some way to enable this again.
Maybe only for Sages like the IRC connections at the tunnel.
Are there any plans for this?

I am not going to abuse that, at least not willingly, because I can not even imagine how to abuse wildcard subdomains.
Maybe someone can enlighten me, just out of curiosity (only if it is not tempting people to do it)
You even know my address, because you kindly sent me a free t-shirt, so if I ever abuse a wildcard subdomain you can send a SWAT team to get me.

Since they're used to redirect nonexistent DNS records, it can be used in what's called session fixation exploiting. Wildcard cookies can be set by one subdomain that will affect other subdomains. There are also DNS hijacks and scripting exploits which can be used with that feature. This is why I doubt you would be able to get use of wildcards, unfortunately, because there will always be evil people who use features to harm others.

jschv6

Quote from: DAR2133576 on April 17, 2012, 01:36:51 AM
Since they're used to redirect nonexistent DNS records, it can be used in what's called session fixation exploiting. Wildcard cookies can be set by one subdomain that will affect other subdomains. There are also DNS hijacks and scripting exploits which can be used with that feature. This is why I doubt you would be able to get use of wildcards, unfortunately, because there will always be evil people who use features to harm others.

Thanks for the answer! I don't really understand how this can be used if I "own" the whole second level domain, but I will try and google a bit more with those keywords.
Sad that some people abusing this take a useful feature away from all people :(

ionvz

I know this is a necro bump. But... others may see it from Google searches.

Quote from: jschv6 on May 21, 2012, 04:04:48 AM
Thanks for the answer! I don't really understand how this can be used if I "own" the whole second level domain, but I will try and google a bit more with those keywords.

Don't think the abuse in question is much about people attacking someone else's domains, but rather people using their own domains with the intent of abuse. For example phishing scams could dynamically respond to hundreds of different possible aliases, with a legit looking domain in the front of the alias.

Quote from: jschv6 on May 21, 2012, 04:04:48 AM
Sad that some people abusing this take a useful feature away from all people :(

They didn't remove the feature, they just put the feature into the hands of the DNS admins, whom you'll need to email at dnsadmin@he.net in order to request its addition or modification.
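
A defender-side illustration of the last post's point about many aliases answering from one wildcard, added here as an example and not written by any poster in this thread: probing a zone with random labels shows whether a wildcard exists, and reported hostnames that return the same answer collapse to that single record. The zone data, the `stub_resolve` helper and all function names are hypothetical and constructed so the code runs offline; pass a real lookup function as `resolve` to use it against live DNS.

```python
import secrets

# Constructed sample data: a toy zone with one wildcard and one explicit record.
SAMPLE_ZONE = {
    "*.example.test": {"192.0.2.10"},
    "www.example.test": {"192.0.2.20"},
}

def stub_resolve(name, zone_data=SAMPLE_ZONE):
    """Offline stand-in for a resolver (hypothetical helper, simplified matching)."""
    if name in zone_data:
        return set(zone_data[name])
    parts = name.split(".")
    # Try the wildcard at each enclosing level, closest first.
    for i in range(1, len(parts)):
        hit = zone_data.get("*." + ".".join(parts[i:]))
        if hit:
            return set(hit)
    return set()  # treated as NXDOMAIN

def detect_wildcard(zone, resolve, probes=3):
    """Return the addresses a wildcard answers with, or None if there is none."""
    answers = []
    for _ in range(probes):
        # A random 64-bit label will not exist as an explicit record.
        answers.append(frozenset(resolve(f"{secrets.token_hex(8)}.{zone}")))
    if any(not a for a in answers):
        return None
    return frozenset().union(*answers)  # union covers round-robin answers

def triage(hostnames, zone, resolve):
    """Split reported hostnames into wildcard-synthesized, explicit and dead."""
    wildcard = detect_wildcard(zone, resolve)
    out = {"wildcard": wildcard, "synthesized": [], "explicit": [], "dead": []}
    for host in hostnames:
        addrs = frozenset(resolve(host))
        if not addrs:
            out["dead"].append(host)
        elif wildcard is not None and addrs <= wildcard:
            # Same answer as a random label: no record of its own.
            out["synthesized"].append(host)
        else:
            out["explicit"].append(host)
    return out
```

An explicit record that points at the same address as the wildcard is indistinguishable by this method and is reported as synthesized.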