RE: [Declude.JunkMail] OT: DNS attacks

[Kevin Bilbee]

Or Instead so splitting if you are running bind set acl security so your local addresses can do recursion and the public at large can only resolve locally hosted domains.   This type of setup allows our internal blocks to query the DNS with recursion and the allow-query in the options secition limits any zone file with out and allow-query to default to this security. The public zones have allow-query { any; }; which allows public access to these zones.   for example acl "zone1" { 12.9.25.240/28; }; acl "zone2" { 101.52.83.0/24; };   options {     directory "/winnt/system32/dns/etc";     allow-query { "zone1"; "zone2"; }; };   zone "." IN {     type hint;     file "root.cache.txt"; };   zone "0.0.127.in-addr.arpa." {     type master;     file "named.local.txt";     allow-query { any; }; };      zone "240/28.25.9.12.in-addr.arpa." {      type master;      file "240_28.25.9.12.in-addr.arpa.txt";      allow-query { any; }; };   zone "standardabrasives.com" in {      type master;      file "standardabrasives.com.txt";      allow-query { any; }; };   Kevin Bilbee -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Matt Sent: Thursday, August 18, 2005 12:09 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] OT: DNS attacks Agreed on the splitting idea.  Keep one DNS firewalled from the outside world and for use just by your clients and their address space, and then another one that only resolves what you host and is open to everyone.  If this requires investing in another box, it might make sense to just move your hosted stuff over to a DNS hosting service and then firewall the box that you already have. I would guess that someone has hard coded their spamware, or there is a compromised system out there that is pointed at your DNS servers that is using this for lookups and that is why the volume is so high. Matt Colbeck, Andrew wrote: Greg, this would be a good question to pose in the forums at Scott Perry's hobby hangout: http://www.dnsstuff.com/pages/forums.htm For my two cents, you probably want to identify the kind of DNS traffic that is coming in, not just who the high volume senders are, that might help you understand why this traffic is coming your way. I found it interesting that the subnet you cited is listed in SpamHaus as a known proxy hijacker, so this may be quite deliberate on their part. Your Cisco might be able to clamp the bandwidth based on netflows; I think you asked before about metering and reporting on netflows, so that might be an easy path for you. You mentioned that is a public DNS server for your clients; you might split your DNS serving into two servers, one that serves as the SOA for the client Whois records, and another that resolves DNS for your clients. The resolver could be firewalled to only allow inbound DNS requests from your subnets. Please report back on your findings, and keep it in this OT: thread. Andrew 8) -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of System Administrator Sent: Thursday, August 18, 2005 5:39 AM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] OT: DNS attacks Any dns experts on the list? Last week I noticed our one dns server was running at 100% cpu and using nearly all its available memory. Reboot. Problem goes away until next day. Repeat, etc. I determined that an outside entity was hammering the dns server. Blocked them at the main router. Problem solved, until yesterday. Another entity was doing the same thing. Stopped them at the router today. Looking at the logs I still see others doing it. Is there a way, either in Win2000 DNS server or a Cisco router, to stop other computers from beating on my DNS server? The server needs to do dns lookups for our clients, and needs to be available to other internet DNS servers for information on domains we host. >From the DNS logs I've noticed most of these "problem" requests say received from 1.2.3.4 but the send goes to 5.6.7.8, if that makes it easier to stop. Just for the record, I've denied over 1,800,000 udp requests from 205.209.157.0/24 in less than an hour. Thanks, Greg --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.