On Mon, May 16, 2016 at 09:20:17PM +0200, Marek Królikowski wrote:
> Hello
> I just call to one of the client who do this DDoS and he confirm, he use UBI
> devices....
> Anyone know how to block all AAAA query like this: "query 331.206.372.214 IN
> AAAA" with random AAA.XXX.YYY.ZZZ address?

Marek,

I don't know if BIND does this natively, but the following dnsdist statement
implements this:

    addAction(RegexRule("^[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}$"), DropAction())

If you want you could also do:

    addAction(AndRule{QTypeRule(pdns.AAAA), RegexRule("^[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}$")}, DropAction())

Which limits it to AAAA.

The only other things you need to do are setACL() so dnsdist allows access
to the right IP addresses and newServer("192.168.1.2") to set the IP address
of your actual BIND server.

This would also get you a whole bunch of cool statistics on how well your
server is doing.

For more on dnsdist, see http://dnsdist.org/

	Bert
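
Added example (not part of the message above and not dnsdist code): a Python check that replays BIND query-log lines against the same pattern, to see per client what the two rules would drop and what would still pass before deploying them. The log lines are constructed samples in BIND's querylog format using documentation addresses, and the function names are made up for this example.

```python
import re
from collections import Counter

# Same pattern as the dnsdist RegexRule: four labels of exactly three digits.
QUAD_RE = re.compile(r"^[0-9]{3}\.[0-9]{3}\.[0-9]{3}\.[0-9]{3}$")

# BIND querylog: "client [@0x..] ADDR#PORT (NAME): query: NAME CLASS TYPE flags"
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<addr>[0-9A-Fa-f:.]+)#\d+ .*?"
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
16-May-2016 21:01:02.100 client 192.0.2.10#40001 (331.206.372.214): query: 331.206.372.214 IN AAAA + (198.51.100.53)
16-May-2016 21:01:02.105 client 192.0.2.10#40002 (118.455.902.377): query: 118.455.902.377 IN AAAA + (198.51.100.53)
16-May-2016 21:01:02.110 client 192.0.2.10#40003 (204.871.333.120): query: 204.871.333.120 IN A + (198.51.100.53)
16-May-2016 21:01:02.200 client 192.0.2.20#51000 (www.example.com): query: www.example.com IN AAAA + (198.51.100.53)
16-May-2016 21:01:02.300 client 192.0.2.10#40004 (12.206.372.214): query: 12.206.372.214 IN AAAA + (198.51.100.53)
"""

def parse_line(line):
    """Return (client address, qname, qtype), or None for non-query lines."""
    m = LOG_RE.search(line)
    return (m["addr"], m["qname"].rstrip("."), m["qtype"]) if m else None

def would_drop(qname, qtype, aaaa_only=True):
    """Mirror the two rules: regex alone, or regex AND qtype AAAA."""
    if aaaa_only and qtype != "AAAA":
        return False
    return QUAD_RE.match(qname) is not None

def tally(log_text, aaaa_only=True):
    """Count, per client, the queries the rule would drop and would pass."""
    dropped, passed = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        addr, qname, qtype = rec
        (dropped if would_drop(qname, qtype, aaaa_only) else passed)[addr] += 1
    return dropped, passed

if __name__ == "__main__":
    dropped, passed = tally(SAMPLE_LOG)
    for addr, n in dropped.most_common():
        print(f"{addr}: {n} would be dropped, {passed[addr]} would pass")
```

The last sample line passes both rules because its first label has two digits, so it is worth tallying real logs this way to confirm the junk names really are always three digits per label.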