On 28. 03. 23 14:30, Matus UHLAR - fantomas wrote:
On 28.03.23 18:48, Nyamkhand Buluukhuu wrote:
Like below in named.conf:
acl recclients {
    43.228.128.2/32;
    202.70.32.17/32;
    103.29.147.0/29;
    103.99.103.0/24;
};
// allow-recursion goes inside the options (or view) block
allow-recursion { recclients; };
Great, this means that only clients with those IP addresses can query
your server for non-local information.
So, your server should NOT be part of an amplification attack.
That would indeed suggest that the attack is coming from inside,
assuming the source IP address really is what it pretends to be (i.e.,
packets are indeed coming from your internal network and do not have
spoofed source IP).
Once you have confirmation, the only thing left is to determine
infected/misbehaving client machines and clean them up locally.
Hopefully it helps a bit to narrow the area you have to search.
--
Petr Špaček
Internet Systems Consortium
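
Added example, not part of the original thread: one way to narrow down which clients inside the recclients acl send the most queries, by tallying a BIND query log per source address. It assumes query logging is enabled and that lines follow the BIND 9 querylog layout shown in the comment; the sample log lines and the names in_acl and tally are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Networks copied from the recclients acl quoted in the thread.
RECCLIENTS = [ipaddress.ip_network(n) for n in (
    "43.228.128.2/32", "202.70.32.17/32", "103.29.147.0/29", "103.99.103.0/24")]

# Assumed BIND 9 querylog layout:
#   ... client [@0x<ptr>] <ip>#<port> (<name>): query: <name> <class> <type> <flags> (<server>)
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ .*?"
    r"query: (?P<qname>\S+) \S+ (?P<qtype>\S+)")

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
28-Mar-2023 14:30:01.101 client @0x7f3a1c0 103.99.103.45#40211 (example.com): query: example.com IN ANY +E(0) (192.0.2.53)
28-Mar-2023 14:30:01.102 client @0x7f3a1c0 103.99.103.45#40212 (example.com): query: example.com IN ANY +E(0) (192.0.2.53)
28-Mar-2023 14:30:01.105 client @0x7f3a1c0 103.99.103.45#40213 (example.org): query: example.org IN ANY +E(0) (192.0.2.53)
28-Mar-2023 14:30:02.000 client @0x7f3a2d0 103.29.147.3#51000 (www.example.net): query: www.example.net IN A + (192.0.2.53)
28-Mar-2023 14:30:03.000 client @0x7f3a3e0 198.51.100.7#5353 (example.com): query: example.com IN ANY +E(0) (192.0.2.53)
"""

def in_acl(ip):
    """True if ip falls inside any recclients network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RECCLIENTS)

def tally(log_text):
    """Count queries per client, split by ACL membership, plus ANY queries per client."""
    inside, outside, any_q = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line
        ip = m.group("ip")
        (inside if in_acl(ip) else outside)[ip] += 1
        if m.group("qtype") == "ANY":
            any_q[ip] += 1
    return inside, outside, any_q

if __name__ == "__main__":
    inside, outside, any_q = tally(SAMPLE_LOG)
    for ip, n in inside.most_common():
        print(f"in recclients      {ip}: {n} queries, {any_q[ip]} of type ANY")
    for ip, n in outside.most_common():
        print(f"outside recclients {ip}: {n} queries")
```

The counts are keyed on the source address as logged, so they identify real internal clients only if the addresses are not spoofed.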