Dear Folks, Our DNS caches are subject to a massive load of queries which resulted initially in SERVFAIL. The pattern is a parent DNS domain, with queries for tens of thousands of apparently randomly generated subdomains all initially resulting in SERVFAIL.
I have written code to analyse the query-errors log to detect these patterns and blackhole the entire domain automatically. I can tidy the code up and make it freely available if there is sufficient interest.

However, there are some legitimate DNS domains under which these malicious subdomains appear. Recent occurrences have been www.appledaily.com.tw and www.popvote.hk. These attacks under those domains are ongoing.

We are using BIND 9.8. Can anyone suggest a good scalable method of allowing queries to a parent domain, but blocking all queries to all its subdomains?

--
Nick Urbanik http://nicku.org 808-71011 [email protected]
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24
I disclaim, therefore I am.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

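The post describes two pieces of the problem: detecting a random-subdomain flood from the query-errors log, and then blocking every name below the abused parent while still answering for the parent itself. The script below is an added example written for this thread, not Nick's code; it assumes the BIND query-errors wording "query failed (RCODE) for NAME/CLASS/TYPE" (adjust the regex if your build logs differently), uses constructed sample log lines, and emits RPZ wildcard records of the form `*.parent CNAME .`, which in a response-policy zone return NXDOMAIN for names below `parent` without matching `parent` itself.

```python
import re
import sys
from collections import defaultdict

# Constructed sample lines shaped like BIND query-errors entries (not real traffic).
# Assumption: "query failed (RCODE) for NAME/CLASS/TYPE" is the logged wording.
SAMPLE_LOG = """\
01-Jan-2015 10:00:01.001 client 192.0.2.10#51234: query failed (SERVFAIL) for a8f3k2.www.example.com/IN/A at query.c:6124
01-Jan-2015 10:00:01.002 client 192.0.2.11#51235: query failed (SERVFAIL) for zq91mm.www.example.com/IN/A at query.c:6124
01-Jan-2015 10:00:01.003 client 192.0.2.12#51236: query failed (SERVFAIL) for www.example.com/IN/A at query.c:6124
01-Jan-2015 10:00:01.004 client 192.0.2.13#51237: query failed (SERVFAIL) for pp7x0d.www.example.com/IN/A at query.c:6124
01-Jan-2015 10:00:01.005 client 192.0.2.14#51238: query failed (SERVFAIL) for mail.legit.example.net/IN/MX at query.c:6124
01-Jan-2015 10:00:01.006 client 192.0.2.15#51239: query failed (SERVFAIL) for ww7b4u.www.example.com/IN/A at query.c:6124
01-Jan-2015 10:00:01.007 client 192.0.2.15#51240: query failed (SERVFAIL) for a8f3k2.www.example.com/IN/A at query.c:6124
01-Jan-2015 10:00:01.008 client 192.0.2.16#51241: query failed (REFUSED) for x1y2z3.www.example.com/IN/A at query.c:6124
"""

LINE_RE = re.compile(
    r"query failed \((?P<rcode>[A-Z]+)\) for (?P<qname>[^/\s]+)/IN/(?P<qtype>[A-Z0-9]+)"
)


def parse_servfails(log_text):
    """Return the lowercase query names (no trailing dot) that ended in SERVFAIL."""
    names = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("rcode") == "SERVFAIL":
            names.append(m.group("qname").lower().rstrip("."))
    return names


def group_by_parent(qnames):
    """Map parent (qname minus its leftmost label) -> set of distinct leftmost labels.

    A random-subdomain flood shows up as one parent with a very large set of
    labels that each appear only once or twice.
    """
    groups = defaultdict(set)
    for qname in qnames:
        first, sep, parent = qname.partition(".")
        if sep and parent:
            groups[parent].add(first)
    return groups


def find_flooded_parents(qnames, min_distinct=1000):
    """Parents with at least min_distinct distinct failing child labels.

    The default threshold is a placeholder; tune it to your cache's normal
    SERVFAIL volume so legitimate zones with a few broken hosts are not flagged.
    """
    groups = group_by_parent(qnames)
    return sorted(p for p, labels in groups.items() if len(labels) >= min_distinct)


def rpz_records(parents):
    """RPZ records that NXDOMAIN every name below each parent.

    In a response policy zone a wildcard owner '*.parent' matches names under
    parent but not parent itself, so 'www.appledaily.com.tw' style apexes keep
    resolving while 'randomlabel.www.appledaily.com.tw' is dropped.
    """
    return ["*.{} CNAME .".format(p) for p in parents]


if __name__ == "__main__":
    # Usage: python detect_flood.py < /var/log/named/query-errors.log
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    threshold = int(sys.argv[1]) if len(sys.argv) > 1 else 1000
    flagged = find_flooded_parents(parse_servfails(text), min_distinct=threshold)
    for record in rpz_records(flagged):
        print(record)
```

Run it against the sample with a low threshold (`python detect_flood.py 4`) and it emits `*.www.example.com CNAME .`; the `mail.legit.example.net` failure and the bare `www.example.com` query are never grouped into a floodable parent. The emitted lines go into the RPZ zone file followed by a serial bump and reload; keying the block on the wildcard rather than on the parent is what preserves the legitimate apex.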