On 17.12.20 14:35, Andrew P. wrote:
I was curious about one of the features in BIND.  Per the Best Practices,
my on-site primary nameserver for my public domains (the secondaries being
with a large public DNS provider) is configured to only allow queries from
within my LAN and transfers in the LAN and to the designated servers at
the DNS provider, and the zones don't actually list the primary in NS
records (only in the SOA record).  So I'm seeing large numbers of bursts
of denied errors like this:

client @0x6e702710 73.61.186.10#21509 (.): query (cache) './ANY/IN' denied

I'll get maybe 20 in a row in under 2 seconds from one IP address, then a time 
gap, then a similar burst supposedly from a different IP address.

So, my questions are:

1. Are these attacks?

Yes, and they are very common on the internet.

2.  Does BIND actually send a reject message back, or is it silent in such
denial cases (as in, not still attacking with smaller packets the victim
of a DNS amplification attack)?

Usually, yes.  Those responses are small (I measured 74B now) and you can
limit them using responses-per-second or errors-per-second.

If you don't provide any service (domain) to the public, you can filter DNS
requests from the internet.

I can't figure it out from reading the source code; I haven't so far been
able to trace back from where the messages are logged to where (if any) a
response packet would be transmitted.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !
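
An added example, not part of the original thread: a small Python parser that groups the "denied" log lines quoted above into per-address bursts, so the pattern described (about 20 queries in under 2 seconds, then a gap, then another address) can be measured from a log file. It assumes the logging channel has "print-time yes;" so each line starts with a timestamp (the line quoted in the thread has none); the sample lines are constructed, use documentation address ranges, and the thresholds are arbitrary.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the logging channel has "print-time yes;", so lines begin with
# a timestamp like "17-Dec-2020 14:20:01.123".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) .*?"
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ .*?"
    r"query \(cache\) '(?P<query>[^']+)' denied"
)

def parse(line):
    """Return (timestamp, source_ip, query) for a denied-query line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"), m["ip"], m["query"]

def find_bursts(lines, min_count=10, window=timedelta(seconds=2)):
    """Group denials per source address into bursts no longer than `window`.

    The source addresses are probably spoofed, so a burst names the likely
    reflection target, not the sender.
    """
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        per_ip[rec[1]].append(rec[0])
    bursts = []
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, count = stamps[0], 0
        for ts in stamps + [None]:          # None flushes the last burst
            if ts is not None and ts - start <= window:
                count += 1
                continue
            if count >= min_count:
                bursts.append((ip, start, count))
            start, count = ts, 1
    return sorted(bursts, key=lambda b: b[1])

def sample_lines():
    """Constructed log lines: two 20-query bursts and one unrelated denial."""
    fmt = ("17-Dec-2020 14:{:02d}:{:02d}.{:03d} client @0x6e702710 {}#21509 "
           "(.): query (cache) './ANY/IN' denied")
    out = []
    for minute, ip in ((20, "192.0.2.10"), (23, "198.51.100.7")):
        for i in range(20):                 # 20 queries spread over 1.71 s
            out.append(fmt.format(minute, i * 90 // 1000, i * 90 % 1000, ip))
    return out + [fmt.format(30, 0, 0, "203.0.113.5")]

if __name__ == "__main__":
    for ip, start, count in find_bursts(sample_lines()):
        print(f"{start}  {ip}  {count} denied queries within 2 s")
```
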