On Sat, Feb 14, 2004 at 09:03:14PM -0700, fbsdq wrote:
> Sorry about the earlier question, that was more or less just blank.... 
> Hello,
>  About a week ago I started noticing 3,000 or more requests coming from  
> several ips for the following DNS queries:
>     XX+/
>     XX+/ 
>  Those are just two examples, but each IP - I have about 20 of them now 
> create 3,000 or more queries within several minutes.  All the queries are 
> exactly the same for ./ANY/ANY.....any idea what those queries are? or what 
> they are trying to do?

Curious.  Are those IPs taken literally from your log files?  One of
them belongs to the University of Iowa and the other belongs to
Millenium Communications S.A. in Poland.  It seems that some arbitrary
collection of machines is trying to do arbitrary lookups on your DNS.

Have you configured your nameservers so that they will refuse to do
recursive queries for strangers?  There are various cache poisoning
tricks that can be done if your DNS server is both recursive and
authoritative for your own domains.  There are some good pages about how to
secure various versions of BIND at


Those are aimed mainly at Solaris users, so there are whole sections
about how to compile which you can just skip over.  The 'take home'
point is how to use the 'allow-query', 'allow-transfer' and
'allow-recursion' configuration directives correctly.

>  Also how can I create an 'ipfw' rule to block an ip if XX amount of 
> connections come in within XX amount of minutes/seconds??  Right now I 
> manually block them, and yes those IP's try a day or so later to DNS bomb 
> (?) my machine. 

I think my approach to this would be to write a script that trawls
through /var/log/security or your DNS server logs picking out the
malefactors and then writes and inserts appropriate IPFW rules --
probably on an hourly basis.  Clever use of ipfw's 'set N' syntax will
make mixing these machine-generated rules in with your other rules
much easier to administer.



Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
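As an added illustration of the log-trawling approach suggested in the reply (this is example code, not something posted in the thread), the script below counts "./ANY" queries per client in a BIND-style query log and emits ipfw rules into a dedicated rule set so the whole set can be replaced on each run. The log line layout, the addresses and the choice of set 5 are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): count DNS "./ANY"-style queries per
# client in a BIND-style query log and emit ipfw rules into a dedicated rule
# set, so the generated rules can be replaced wholesale each hour.
# Log format and addresses below are constructed for illustration.

RULE_SET=${RULE_SET:-5}         # ipfw set reserved for generated rules
THRESHOLD=${THRESHOLD:-3000}    # queries per run that trigger a block

# Print one "ipfw add" line per offending client, preceded by a command
# that clears the previous run's generated rules from the same set.
# Usage: build_ipfw_rules <logfile> [threshold]
build_ipfw_rules() {
    logfile=$1
    threshold=${2:-$THRESHOLD}
    echo "ipfw delete set $RULE_SET"
    # Field layout assumed: ... client A.B.C.D#port: query: . IN ANY ...
    awk -v thr="$threshold" -v set="$RULE_SET" '
        /query: \. IN ANY/ {
            for (i = 1; i <= NF; i++)
                if ($i == "client") { split($(i+1), a, "#"); n[a[1]]++ }
        }
        END {
            for (ip in n)
                if (n[ip] >= thr)
                    printf "ipfw add set %s deny udp from %s to me 53\n", set, ip
        }' "$logfile" | sort
}

# Constructed sample log: 203.0.113.7 sends 4 ANY queries for ".",
# 198.51.100.9 sends 1, and an unrelated A lookup is ignored.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
14-Feb-2004 21:00:01.001 client 203.0.113.7#5353: query: . IN ANY +
14-Feb-2004 21:00:01.002 client 203.0.113.7#5353: query: . IN ANY +
14-Feb-2004 21:00:01.003 client 198.51.100.9#40000: query: . IN ANY +
14-Feb-2004 21:00:01.004 client 203.0.113.7#5353: query: . IN ANY +
14-Feb-2004 21:00:01.005 client 192.0.2.20#53000: query: www.example.org IN A +
14-Feb-2004 21:00:01.006 client 203.0.113.7#5353: query: . IN ANY +
EOF

# With a low threshold for the demo, only 203.0.113.7 is blocked; from cron
# the output would be piped to sh to apply it.
build_ipfw_rules "$SAMPLE_LOG" 3
rm -f "$SAMPLE_LOG"
```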
