On 13/04/2021 at 07:12, Ondřej Surý wrote:

BIND 9.11 has minimal-any option that’s helpful to reduce the attack impact: https://www.isc.org/blogs/bind-release-911/

RRL should also help to limit the responses: https://kb.isc.org/docs/aa-01000

Usually the source IP is spoofed, so blocking it might be causing collateral damage in case the target of the attack is a resolver, but again in the general case fail2ban that parses named log files might be a good option to add a temporary ban on the IP. Just bear in mind you are not blocking the attacker, but the victim.

I also have a lot of these (sl) queries in my logs.

Would it not be possible to have an option to tell bind to refrain from answering all unauthorized queries over UDP?

Is there really any usefulness in replying with code 5, instead of silently ignoring the request?

A built-in option would be much easier than to require every server to have a dedicated fancy firewall rule.

But I have no idea how much work it would be to add this feature in bind.


Cheers,


Julien
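Added example, not from this thread and not ISC's or fail2ban's own code: a small Python sketch of the fail2ban-style counting Ondřej describes, run over constructed lines in the shape of BIND 9.11 denied-query log entries. The exact log format, the threshold and the window are assumptions; as the thread notes, the flagged address is usually the spoofed victim, so any resulting block should be short-lived.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the shape of BIND 9.11 "security" logging for
# refused queries (assumed format). The "@0x..." client pointer is optional in
# the regex because older releases omit it. Addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
13-Apr-2021 07:10:01.123 client @0x7f3a1c0f5e60 203.0.113.5#53214 (sl): query (cache) 'sl/ANY/IN' denied
13-Apr-2021 07:10:01.456 client @0x7f3a1c0f5e60 203.0.113.5#53214 (sl): query (cache) 'sl/ANY/IN' denied
13-Apr-2021 07:10:02.001 client @0x7f3a1c0f5e60 203.0.113.5#53214 (sl): query (cache) 'sl/ANY/IN' denied
13-Apr-2021 07:10:02.500 client @0x7f3a1c0f5e60 198.51.100.7#40001 (example.com): query (cache) 'example.com/A/IN' denied
13-Apr-2021 07:10:03.200 client @0x7f3a1c0f5e60 203.0.113.5#53214 (sl): query (cache) 'sl/ANY/IN' denied
13-Apr-2021 07:12:30.000 client @0x7f3a1c0f5e60 203.0.113.5#53214 (sl): query (cache) 'sl/ANY/IN' denied
"""

DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query \(cache\) '(?P<q>[^']+)' denied$"
)


def parse_denied(line):
    """Return (timestamp, source ip, 'name/type/class') for a denied-query line, else None."""
    m = DENIED_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("ip"), m.group("q")


def ban_candidates(log_text, max_hits=3, window=timedelta(seconds=60)):
    """Sliding-window count of denied queries per source address.

    Returns {ip: timestamp at which that address first reached max_hits
    denied queries within `window`}. Because the source address of a
    reflected query is normally spoofed, treat the result as a candidate
    for a temporary block only, never a permanent one.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_denied(line)
        if parsed is None:
            continue  # not a denied-query line (or an unexpected format)
        ts, ip, _ = parsed
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()  # drop events that fell out of the window
        if len(hits) >= max_hits and ip not in flagged:
            flagged[ip] = ts
    return flagged
```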

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users