Hello guys,

I see, my server is authoritative for some internal domain, so I will try
Allow-query. Thank you.
But the attack is from my allowed IP addresses, so I can't block the entire zone.

I tried NXDOMAINS-PER-SECOND, but the server is not giving an NXDOMAIN response
but SERVFAIL.
How about ERRORS-PER-SECOND: sets the limit of errors (REFUSED, FORMERR or
SERVFAIL)?

BR, Nyamka


________________________________
From: bind-users <bind-users-boun...@lists.isc.org> on behalf of Matus UHLAR - fantomas <uh...@fantomas.sk>
Sent: Wednesday, March 29, 2023 3:24 PM
To: bind-users@lists.isc.org <bind-users@lists.isc.org>
Subject: Re: Bind dns amplification attack

>On 3/28/23 11:28 AM, Matus UHLAR - fantomas wrote:
>>Yes, this is one of the problems with "authoritative zones for local use".

On 28.03.23 12:18, Grant Taylor via bind-users wrote:
>Authorizing the /zone/ for local use wasn't the problem.  The problem
>was that the world could get some of that zone's data from the query
>cache even if they couldn't query the zone directly.

When was this?

Querying the cache is by default allowed for the same clients as recursion,
unless perhaps it was an old BIND version.


>>The default root "hint" zone is only available for those who have
>>recursion available.

>I feel like the "root hint zone" is considerably different than "root
>zone" proper.  The fact that they have different zone types seems to
>support that.

Yes. The content of the hint zone is abused to generate an amplification attack:

Mar 26 16:03:53 fantomas named[1654]: client @0xe7379d50 195.88.25.138#59467 (.): query (cache) './ANY/IN' denied

If you have a local root zone, a response is provided by default, and it can be
huge:

% dig +noanswer +noadditional +nocomments +nocmd +noquestion -t any . @fantomas.fantomas.sk
;; Query time: 0 msec
;; SERVER: 195.80.174.185#53(195.80.174.185)
;; WHEN: Wed Mar 29 09:23:27 CEST 2023
;; MSG SIZE  rcvd: 2904


But the default "type hint" root is treated as cache and REFUSED is sent.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
On the other hand, you have different fingers.
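
Added example, not part of the thread and not BIND code: a small Python script that tallies `query (cache) ... denied` log lines of the form quoted above per client and per minute, so that sources of repeated denied `./ANY` queries stand out. The function names, the threshold and every sample line except the first are constructed for illustration.

```python
import re
from collections import Counter

# Matches the "query (cache) '<name>/<type>/<class>' denied" syslog line quoted above.
DENIED = re.compile(
    r"^(?P<minute>\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ named\[\d+\]: "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): "
    r"query \(cache\) '(?P<qname>[^']+)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)' denied"
)

def parse_denied(line):
    """Return (minute, client_ip, qname, qtype) for a denied cache query, else None."""
    m = DENIED.match(line)
    return (m["minute"], m["ip"], m["qname"], m["qtype"]) if m else None

def noisy_clients(lines, per_minute=3):
    """Map each client with >= per_minute denials in one minute to
    (peak denials per minute, its most frequent (qname, qtype))."""
    per_bucket, questions = Counter(), {}
    for line in lines:
        parsed = parse_denied(line)
        if parsed is None:
            continue  # other named messages are ignored
        minute, ip, qname, qtype = parsed
        per_bucket[(ip, minute)] += 1
        questions.setdefault(ip, Counter())[(qname, qtype)] += 1
    peaks = {}
    for (ip, _minute), count in per_bucket.items():
        peaks[ip] = max(peaks.get(ip, 0), count)
    return {ip: (peak, questions[ip].most_common(1)[0][0])
            for ip, peak in peaks.items() if peak >= per_minute}

# First line is the log entry from the message above; the rest are constructed
# (hypothetical host "ns1", RFC 5737 documentation addresses).
SAMPLE = [
    "Mar 26 16:03:53 fantomas named[1654]: client @0xe7379d50 195.88.25.138#59467 (.): query (cache) './ANY/IN' denied",
    "Mar 26 16:03:54 ns1 named[1654]: client @0x7f00aa10 192.0.2.10#40001 (.): query (cache) './ANY/IN' denied",
    "Mar 26 16:03:55 ns1 named[1654]: client @0x7f00aa20 192.0.2.10#40002 (.): query (cache) './ANY/IN' denied",
    "Mar 26 16:03:56 ns1 named[1654]: client @0x7f00aa30 192.0.2.10#40003 (.): query (cache) './ANY/IN' denied",
    "Mar 26 16:04:01 ns1 named[1654]: client @0x7f00aa40 192.0.2.10#40004 (example.com): query (cache) 'example.com/A/IN' denied",
    "Mar 26 16:04:02 ns1 named[1654]: client @0x7f00aa50 198.51.100.7#5353 (example.com): query (cache) 'example.com/A/IN' denied",
    "Mar 26 16:04:03 ns1 named[1654]: zone example.com/IN: loaded serial 2023032601",
]

if __name__ == "__main__":
    for ip, (peak, (qname, qtype)) in noisy_clients(SAMPLE).items():
        print(f"{ip}: {peak} denied/min, mostly {qname}/{qtype}")
```
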
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list

ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users