Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: Zone failed validation test. Wildcarding has been disabled due to abuse.  (Read 22067 times)

CrunkBass

  • Newbie
  • *
  • Posts: 7

I am using the free DNS service from HE with the domain crunkbass.net and can't set a wildcard.

The nameservers are set correctly but I could only add 4 NS entries at my domain registrar.
Code:
root@Vmware-Debian:~# dig crunkbass.net NS

; <<>> DiG 9.7.3 <<>> crunkbass.net NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43446
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4

;; QUESTION SECTION:
;crunkbass.net.                 IN      NS

;; ANSWER SECTION:
crunkbass.net.          86378   IN      NS      ns1.he.net.
crunkbass.net.          86378   IN      NS      ns3.he.net.
crunkbass.net.          86378   IN      NS      ns2.he.net.
crunkbass.net.          86378   IN      NS      ns4.he.net.

;; ADDITIONAL SECTION:
ns3.he.net.             86378   IN      A       216.218.132.2
ns4.he.net.             86378   IN      A       216.66.1.2
ns2.he.net.             86378   IN      A       216.218.131.2
ns1.he.net.             86378   IN      A       216.218.130.2

;; Query time: 23 msec
;; SERVER: 192.168.158.1#53(192.168.158.1)
;; WHEN: Fri Sep  9 01:23:03 2011
;; MSG SIZE  rcvd: 170

Does anyone know what could be the problem?
Logged

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1705
Re: Zone failed validation test. Wildcarding has been disabled due to abuse.
« Reply #1 on: September 08, 2011, 05:28:57 PM »

Were you...trying to create a wildcard entry? I think the reporting error sums it up if you were.
Wildcarding has been disabled due to abuse.
Not you specifically, this is a global setting. :D
« Last Edit: September 08, 2011, 05:38:42 PM by broquea »
Logged

CrunkBass

  • Newbie
  • *
  • Posts: 7
Re: Zone failed validation test. Wildcarding has been disabled due to abuse.
« Reply #2 on: September 09, 2011, 06:00:27 AM »

Thank you for your answer. Are there any plans to enable wildcarding again or do I have to use another DNS service?
Logged

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1705
Re: Zone failed validation test. Wildcarding has been disabled due to abuse.
« Reply #3 on: September 09, 2011, 06:04:23 AM »

You would need to email dnsadmin@he.net for that answer.
Logged

ionvz

  • Newbie
  • *
  • Posts: 3
Re: Zone failed validation test. Wildcarding has been disabled due to abuse.
« Reply #4 on: October 30, 2011, 11:39:48 PM »

I wonder what kind of abuse they speak of? It's rather disappointing though when it comes to dynamic applications to not have wildcard DNS available (and I'd prefer not to go back to using something like namecheap's DNS etc).
Logged

chaz6

  • Newbie
  • *
  • Posts: 12
Re: Zone failed validation test. Wildcarding has been disabled due to abuse.
« Reply #5 on: October 31, 2011, 01:50:12 AM »

Is wildcarding still available to paying customers?
Logged

jrocha

  • Network Architect
  • Jr. Member
  • **
  • Posts: 66
Re: Zone failed validation test. Wildcarding has been disabled due to abuse.
« Reply #6 on: November 03, 2011, 03:56:09 PM »

You will have to email dnsadmin@he.net.
Logged

mralexgray

  • Newbie
  • *
  • Posts: 5
Re: Zone failed validation test. Wildcarding has been disabled due to abuse.
« Reply #7 on: November 12, 2011, 01:07:09 AM »

Managing zone: XXXXXX.com.  Zone failed validation test.
Wildcarding has been disabled due to abuse.


My note to support:

Quote
Is this error specific to my account - or is this a site-wide change (as is being reported in the forums)?

Is this feature going to be re-enabled? Is it up for discussion?  Was it going to be mentioned?

I hope so…  I would consider wildcards - an "essential feature".

Seems a less drastic solution would be to simply disable it for those who are abusing it, no?


Maybe dnsadmin@he.net can post a sticky or something - that explains this policy shift, more clearly?   ???

Logged

jschv6

  • Newbie
  • *
  • Posts: 7

Hi,
I just noticed, that it is no longer possible to add wildcard domains.
I found them very handy, because I want people to see a custom error page when mistyping a part of the domain.
Also I have several services behind my home-IP. This IP changes sometimes and with a wildcard subdomain I only have to set the new IP at two places (IPv6 Tunnel Endpoint and Wildcard Subdomain A entry).

I can understand that HE has to disable features that are commonly abused on their free service, but I would be very happy if there would be some way to enable this again.
Maybe only for Sages like the IRC connections at the tunnel.
Are there any plans for this?

I am not going to abuse that, at least not willingly, because I can not even imagine how to abuse wildcard subdomains Huh
Maybe someone can enlighten me, just out of curiosity (only if it is not tempting people to do it)
You even know my address, because you kindly sent me a free t-shirt, so if I ever abuse a wildcard subdomain you can send a SWAT team to get me Wink
Logged

DAR2133576

  • readonly_member
  • Newbie
  • *
  • Posts: 3
    • CNA Training

Quote from: jschv6
Hi,
I just noticed, that it is no longer possible to add wildcard domains.
I found them very handy, because I want people to see a custom error page when mistyping a part of the domain.
Also I have several services behind my home-IP. This IP changes sometimes and with a wildcard subdomain I only have to set the new IP at two places (IPv6 Tunnel Endpoint and Wildcard Subdomain A entry).

I can understand that HE has to disable features that are commonly abused on their free service, but I would be very happy if there would be some way to enable this again.
Maybe only for Sages like the IRC connections at the tunnel.
Are there any plans for this?

I am not going to abuse that, at least not willingly, because I can not even imagine how to abuse wildcard subdomains Huh
Maybe someone can enlighten me, just out of curiosity (only if it is not tempting people to do it)
You even know my address, because you kindly sent me a free t-shirt, so if I ever abuse a wildcard subdomain you can send a SWAT team to get me Wink

Since they're used to redirect nonexistent DNS records, it can be used in what's called Session fixation exploiting. Wildcard cookies can be set by one subdomain that will affect other subdomains. There are also DNS hijacks and scripting exploits which can be used with that feature. This is why I doubt you would be able to get use of wildcards, unfortunately, because there will always be evil people who use features to harm others.
Logged
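
The cookie-scoping concern raised in the post above, shown as an added example that is not part of the thread: a small audit of `Set-Cookie` header values that flags session cookies a sibling subdomain could set or overwrite, and checks the browser rules for the `__Host-` prefix. The finding codes and the sample headers are constructed for illustration.

```python
# Added example: audit Set-Cookie values for scoping that lets another
# subdomain of the same zone plant or overwrite a session cookie.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, attrs); attribute names lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_set_cookie(header):
    """Return a list of finding codes (constructed names) for one header value."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if not name.startswith("__Host-"):
        # Without the prefix, any subdomain may set a same-named cookie
        # with Domain=<parent> and the application cannot tell them apart.
        findings.append("NO_HOST_PREFIX")
        if "domain" in attrs:
            # Domain= widens delivery to the named domain and all subdomains.
            findings.append("DOMAIN_SCOPED")
        return findings
    # Browsers reject a __Host- cookie unless all three conditions hold.
    if "secure" not in attrs:
        findings.append("HOST_PREFIX_NEEDS_SECURE")
    if attrs.get("path") != "/":
        findings.append("HOST_PREFIX_NEEDS_ROOT_PATH")
    if "domain" in attrs:
        findings.append("HOST_PREFIX_FORBIDS_DOMAIN")
    return findings

# Constructed sample headers (not taken from any real site).
SAMPLE_HEADERS = [
    "sid=abc123; Domain=.example.net; Path=/",
    "__Host-sid=abc123; Secure; Path=/; HttpOnly",
    "__Host-sid=abc123; Path=/app",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", audit_set_cookie(h) or "ok")
```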

jschv6

  • Newbie
  • *
  • Posts: 7

Quote from: DAR2133576
Since they're used to redirect nonexistent DNS records, it can be used in what's called Session fixation exploiting. Wildcard cookies can be set by one subdomain that will affect other subdomains. There are also DNS hijacks and scripting exploits which can be used with that feature. This is why I doubt you would be able to get use of wildcards, unfortunately, because there will always be evil people who use features to harm others.

Thanks for the answer! I don't really understand how this can be used if I "own" the whole second level domain, but I will try and google a bit more with those keywords.
Sad that some people abusing this take a useful feature away from all people :(
Logged

ionvz

  • Newbie
  • *
  • Posts: 3

I know this is a necro bump. But... others may see it from google searches. 

Quote from: jschv6
Thanks for the answer! I don't really understand how this can be used if I "own" the whole second level domain, but I will try and google a bit more with those keywords.

Don't think the abuse in question is much about people attacking someone else's domains, but rather people using their own domains with the intent of abuse. For example phishing scams could dynamically respond to hundreds of different possible aliases, with a legit looking domain in the front of the alias.

Quote from: jschv6
Sad that some people abusing this take a useful feature away from all people :(

They didn't remove the feature, they just put the feature into the hands of the DNS admins, which you'll need to email dnsadmin@he.net in order to request its addition or modification.
Logged
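
The alias pattern described in the post above (a legitimate-looking domain placed in front of an unrelated zone) can be detected from resolver logs. The following is an added example, not part of the thread: it flags hostnames whose leading labels spell a protected domain while the registrable domain is something else, and groups them by zone. The suffix set, the protected names and the sample queries are constructed assumptions; real use would load the full Public Suffix List.

```python
# Added example: find zones answering for many brand-prefixed aliases.
from collections import defaultdict

PUBLIC_SUFFIXES = {"com", "net", "co.uk", "uk", "test"}  # assumption: tiny PSL stand-in
PROTECTED = ("example.co.uk", "example.com")             # assumption: names to protect

def registrable_domain(host):
    """Longest matching public suffix plus one label (a.b.example.co.uk -> example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def embedded_brand(host):
    """Return the protected domain found in the leading labels, else None."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in PROTECTED:
        return None  # the protected name's own zone
    prefix = host[: -len(reg)].rstrip(".")
    labels = prefix.split(".") if prefix else []
    for brand in PROTECTED:
        b = brand.split(".")
        for i in range(len(labels) - len(b) + 1):
            if labels[i:i + len(b)] == b:  # match whole labels only
                return brand
    return None

def suspect_zones(hosts, min_aliases=2):
    """Map zone -> sorted brand-prefixed aliases, for zones with enough distinct ones."""
    hits = defaultdict(set)
    for h in hosts:
        if embedded_brand(h):
            hits[registrable_domain(h)].add(h.lower().rstrip("."))
    return {z: sorted(n) for z, n in hits.items() if len(n) >= min_aliases}

# Constructed sample query names (reserved example/test domains only).
SAMPLE_QUERIES = [
    "www.example.com",
    "login.example.com.s4821.wild.test",
    "secure.example.com.id77.wild.test",
    "example.co.uk.verify.wild.test",
    "mail.example.net",
    "example.com.cdn.other.test",
]

if __name__ == "__main__":
    print(suspect_zones(SAMPLE_QUERIES))
```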