On Mon, May 16, 2016 at 09:20:17PM +0200, Marek Królikowski wrote:
> Hello
> I just called one of the clients who does this DDoS and he confirmed he uses UBI
> devices....
> Does anyone know how to block all AAAA queries like this: "query 331.206.372.214 IN
> AAAA" with a random AAA.XXX.YYY.ZZZ address?

Marek, I don't know if BIND does this natively, but the following dnsdist
statement implements this:

addAction(RegexRule("^[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}$"), DropAction())

If you want you could also do:

addAction(AndRule{QTypeRule(pdns.AAAA), RegexRule("^[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}$")}, DropAction())

Which limits it to AAAA. 

The only other things you need to do are setACL() so dnsdist allows access
to the right IP addresses and newServer("192.168.1.2") to set the IP address
of your actual BIND server.

This would also get you a whole bunch of cool statistics on how well your
server is doing. For more on dnsdist, see http://dnsdist.org/

        Bert
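
An added example, not part of the message above and not dnsdist code: a Python emulation of the two rules, run over constructed query names to see what the pattern drops and what it lets through before deploying it. It assumes the regex is applied to the name without its trailing root dot; `rule_matches`, `verdict`, `evaluate` and `SAMPLES` are names made up for this sketch.

```python
import re

# Same pattern as the RegexRule in the message (Lua "\\." is the regex "\.").
IP_SHAPED = re.compile(r"^[0-9]{3}\.[0-9]{3}\.[0-9]{3}\.[0-9]{3}$")
A, AAAA = 1, 28  # DNS type codes


def rule_matches(qname):
    # Assumption: the pattern sees the name minus its trailing root dot.
    return IP_SHAPED.fullmatch(qname.rstrip(".")) is not None


def verdict(qname, qtype, aaaa_only=False):
    """Return 'drop' or 'pass' under the first rule or the AAAA-only rule."""
    if aaaa_only and qtype != AAAA:
        return "pass"
    return "drop" if rule_matches(qname) else "pass"


# Constructed sample queries (not captured traffic).
SAMPLES = [
    ("331.206.372.214", AAAA),          # the shape quoted in the thread
    ("331.206.372.214.", AAAA),         # same name written with the root dot
    ("331.206.372.214", A),             # same name, different query type
    ("10.20.30.40", AAAA),              # shorter labels: {3} does not match
    ("192.168.1.2.example.com", AAAA),  # digits followed by a real domain
    ("www.example.com", AAAA),          # ordinary hostname
]


def evaluate(aaaa_only):
    return [verdict(q, t, aaaa_only) for q, t in SAMPLES]


if __name__ == "__main__":
    rows = zip(SAMPLES, evaluate(False), evaluate(True))
    for (qname, qtype), first, second in rows:
        print(f"{qname:26} type={qtype:<3} rule1={first:5} rule2={second}")
```

The run shows that the pattern only covers names made of four three-digit labels, so the same kind of query with shorter labels would not be dropped by either rule.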