On 28. 03. 23 14:30, Matus UHLAR - fantomas wrote:
On 28.03.23 18:48, Nyamkhand Buluukhuu wrote:
Like below in named.conf:

acl recclients {
       43.228.128.2/32;
       202.70.32.17/32;
       103.29.147.0/29;
       103.99.103.0/24;
};

allow-recursion { recclients; };

Great, this means that only clients with those IP addresses can query your server for non-local information.

So, your server should NOT be part of an amplification attack.

That would indeed suggest that the attack is coming from inside, assuming the source IP address really is what it pretends to be (i.e., packets are indeed coming from your internal network and do not have spoofed source IP).

Once you have confirmation, the only thing left is to determine the infected/misbehaving client machines and clean them up locally.

Hopefully it helps a bit to narrow the area you have to search.

--
Petr Špaček
Internet Systems Consortium
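
Added example, not part of the original thread and not ISC code: one way to narrow the search is to count query-log entries per client and separate sources inside the recclients ACL from those outside it. It assumes query logging is enabled (for instance with rndc querylog on) and that lines have the usual BIND 9 "client ... query:" shape; the sample lines and the min_queries threshold are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# ACL networks copied from the named.conf snippet in this thread.
RECCLIENTS = [ipaddress.ip_network(n) for n in (
    "43.228.128.2/32", "202.70.32.17/32", "103.29.147.0/29", "103.99.103.0/24")]

# Assumed log shape: client [@0x..] IP#port (qname): query: qname CLASS TYPE flags
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): "
    r"(?:view \S+: )?query: (?P<qname>\S+) \S+ (?P<qtype>\S+)")

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = """\
28-Mar-2023 14:30:01.101 queries: info: client @0x7f1c2c0a 103.99.103.15#40211 (a1.example.com): query: a1.example.com IN ANY +E(0) (192.0.2.53)
28-Mar-2023 14:30:01.102 queries: info: client @0x7f1c2c0a 103.99.103.15#40212 (a2.example.com): query: a2.example.com IN ANY +E(0) (192.0.2.53)
28-Mar-2023 14:30:01.103 queries: info: client @0x7f1c2c0a 103.99.103.15#40213 (a3.example.com): query: a3.example.com IN ANY +E(0) (192.0.2.53)
28-Mar-2023 14:30:01.104 queries: info: client @0x7f1c2c0a 103.99.103.15#40214 (a4.example.com): query: a4.example.com IN ANY +E(0) (192.0.2.53)
28-Mar-2023 14:30:01.200 queries: info: client @0x7f1c2c0b 103.99.103.77#51000 (www.example.org): query: www.example.org IN A + (192.0.2.53)
28-Mar-2023 14:30:01.300 queries: info: client @0x7f1c2c0c 103.29.147.3#33000 (www.example.net): query: www.example.net IN AAAA + (192.0.2.53)
28-Mar-2023 14:30:01.400 queries: info: client @0x7f1c2c0d 198.51.100.7#53 (b1.example.com): query: b1.example.com IN ANY +E(0) (192.0.2.53)
28-Mar-2023 14:30:01.401 queries: info: client @0x7f1c2c0d 198.51.100.7#53 (b2.example.com): query: b2.example.com IN ANY +E(0) (192.0.2.53)
28-Mar-2023 14:30:02.000 general: info: zone example.com/IN: loaded serial 2023032801
"""

def top_talkers(lines, min_queries=3):
    """Return (suspects, outside).

    suspects: (ip, query_count, most_common_qtype) for ACL clients with at
    least min_queries queries, busiest first. outside: query counts for
    sources not in the ACL, which allow-recursion refuses.
    """
    per_client, qtypes, outside = Counter(), {}, Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query-log line
        ip = ipaddress.ip_address(m["ip"])
        if not any(ip in net for net in RECCLIENTS):
            outside[str(ip)] += 1
            continue
        per_client[str(ip)] += 1
        qtypes.setdefault(str(ip), Counter())[m["qtype"]] += 1
    suspects = [(ip, n, qtypes[ip].most_common(1)[0][0])
                for ip, n in per_client.most_common() if n >= min_queries]
    return suspects, dict(outside)

if __name__ == "__main__":
    print(top_talkers(SAMPLE_LOG.splitlines()))
```

A busy ACL client sending mostly one query type is a candidate for local inspection; sources in the second result are outside the ACL and may be spoofed, as noted above.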