On Fri, May 29, 2015 at 09:08:04AM +1000, Neil wrote:
> Hi Bind users,
>
> Just wondering if anyone else has seen the DNS nonsense name attacks on
> their recursives?
> Any way to mitigate such attacks?
>
> Currently running version 9.10, I already have ACLs and have RPZ deployed but
> this is a "reactive" solution. I read that fetches-per-server and
> fetches-per-zone have been deployed to subscription releases, any timeline
> for code to be released in the public version? Anything else I can
> do?
The "fetches-per-X" features will be in 9.10.3 and 9.9.8, due out in a couple of months. (There'll probably be a compile-time option to turn them on, since it's new functionality and we usually only put that into 9.X.0 releases.) Sooner than that, probably within a few weeks, it'll be pushed to our public git repository on source.isc.org. There are some tweaks to the code that are still pending internal review. If you like, and if you promise to provide feedback, I'll give it to you even before that.

In the meantime, you could temporarily create empty local zones for wwwww.jiajiaxhhq.com and any other domains that appear to be under attack. This would cause all queries to return NXDOMAIN. (It means your clients can't resolve those domains, but there's a pretty fair chance they wouldn't be able to anyway because DoS attack, and at least it reduces the collateral damage the attack is doing to your resolver.)

You could also try blacklisting the clients from which the queries are coming; they're probably infected with malware. RPZ is also effective for this.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
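The two stop-gaps Evan describes (an empty local zone for the attacked domain, and RPZ to NXDOMAIN the domain and drop the sending clients), written out as a BIND 9.10 configuration. This is an added example, not configuration from the original thread or from ISC; the file paths, the 192.0.2.0/24 client network, the 192.0.2.55 infected client and the SOA values are constructed, and the fetches-per-zone/fetches-per-server lines use the option syntax of the later 9.10.3 release, so they should only be uncommented once that release (or the pre-release code) is installed.

```conf
// ---- named.conf fragment (added example; paths and addresses are assumptions) ----
options {
    recursion yes;
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };   // only our own clients may recurse

    // Consult the policy zone before answering any query
    response-policy { zone "rpz.local"; };

    // Per-zone / per-server fetch quotas; syntax as documented for 9.10.3 (assumption):
    // fetches-per-zone 200;
    // fetches-per-server 500;
};

// 1. Empty local zone: the resolver becomes authoritative for the attacked domain,
//    so every name under it is answered NXDOMAIN locally and no fetch goes upstream.
zone "wwwww.jiajiaxhhq.com" {
    type master;
    file "/etc/bind/db.empty";
};

// 2. Response-policy zone carrying the domain and client rules
zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";
};

// ---- /etc/bind/db.empty (minimal zone: SOA + NS only, no other names) ----
// $TTL 86400
// @   IN SOA localhost. root.localhost. ( 2015052901 604800 86400 2419200 86400 )
// @   IN NS  localhost.

// ---- /etc/bind/db.rpz.local ----
// $TTL 60
// @   IN SOA localhost. root.localhost. ( 2015052901 3600 900 604800 60 )
// @   IN NS  localhost.
// ; Return NXDOMAIN for the attacked domain and every random label beneath it
// wwwww.jiajiaxhhq.com    CNAME .
// *.wwwww.jiajiaxhhq.com  CNAME .
// ; Silently drop all queries from a client identified as sending the attack traffic
// ; (rpz-drop. action; client trigger is written prefixlen.octets-reversed)
// 32.55.2.0.192.rpz-client-ip  CNAME rpz-drop.
```

After editing, run `named-checkconf` and `named-checkzone` on each file before `rndc reload`; an `rndc reload rpz.local` is enough to pick up new domains as they appear in the query logs, which is what makes this approach reactive.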