According to ISPrime, 66.230.128.15 and 66.230.160.1 are authoritative DNS servers, but do not make outbound requests. As such, they only *receive* queries from remote DNS servers (or clients). So all UDP or TCP-based DNS requests to those two DNS servers are made *to* port 53. And those two DNS servers respond to those requests on port 53. The spoofers are sourcing their queries from non-port 53 ports, so it's easy to tell what is spoofed and what's not.
Frank

-----Original Message-----
From: Scott Haneda [mailto:talkli...@newgeo.com]
Sent: Tuesday, January 20, 2009 6:12 PM
To: frnk...@iname.com
Cc: BIND Users Mailing List
Subject: Re: denied NS/IN

On Jan 20, 2009, at 3:52 PM, Frank Bulk wrote:

> That's being discussed on NANOG, here's one thread:
> http://markmail.org/message/ydiqnztzmz5qmusf
>
> See here for more details in blocking them:
> http://www.cymru.com/Documents/secure-bind-template.html
> specifically:
>
> blackhole {
>     // Deny anything from the bogon networks as
>     // detailed in the "bogon" ACL.
>     bogon;
> };
>
> Note that isprime is suggesting an ACL on your firewall or router.

Thank you, curious, why does it say block all but 53, isn't that exactly what we want to block?
--
Scott
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
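The source-port test described at the top of this message, as an added example that is not part of the original thread: it labels packets from the two ISPrime addresses in a capture as replies (source port 53) or spoofed queries (any other source port, destination port 53). The `tcpdump -n` style lines are constructed sample input, and 192.0.2.53 is a placeholder for the local name server.

```python
import re
from collections import Counter

# The two ISPrime authoritative-only servers named in the message.
AUTH_ONLY = {"66.230.128.15", "66.230.160.1"}

# tcpdump -n style: "IP src.sport > dst.dport: ..." (IPv4 only)
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def classify(src, sport, dport):
    """Label one inbound packet by the rule from the message."""
    if src not in AUTH_ONLY:
        return "other"
    if sport == 53:
        # These servers only ever answer, and they answer from port 53.
        # This also covers a local resolver that queries from port 53.
        return "reply"
    if dport == 53:
        return "spoofed"     # a "query" from a host that never sends queries
    return "unexpected"      # fits neither pattern; worth a manual look

def tally(lines):
    """Count (source address, label) pairs over capture lines."""
    counts = Counter()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue         # skip lines that are not IPv4 src > dst records
        src, sport, _dst, dport = m.groups()
        counts[(src, classify(src, int(sport), int(dport)))] += 1
    return counts

# Constructed sample capture (not real traffic).
SAMPLE = """\
12:00:01.000001 IP 66.230.160.1.31795 > 192.0.2.53.53: 4660+ NS? . (17)
12:00:01.000402 IP 66.230.128.15.8092 > 192.0.2.53.53: 4661+ NS? . (17)
12:00:02.113000 IP 66.230.128.15.53 > 192.0.2.53.40211: 9001*- 1/2/2 A 203.0.113.9 (120)
12:00:02.500000 IP 66.230.160.1.31795 > 192.0.2.53.53: 4662+ NS? . (17)
12:00:03.000000 IP 198.51.100.7.55123 > 192.0.2.53.53: 77+ A? example.com. (29)
""".splitlines()

if __name__ == "__main__":
    for (src, label), n in sorted(tally(SAMPLE).items()):
        print(f"{src:15} {label:10} {n}")
```
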