Kapetanakis Giannis <bil...@edu.physics.uoc.gr> writes:

> On 09/06/12 18:58, Kostas Zorbadelos wrote:
> > Hi,

Hi Giannis,

> My understanding so far is that the queries hit your DNS servers from
> your ISP network/clients

Yes.

> and are not spoofed.

I didn't say that.

> Also those queries hit the recursive/caching DNS
> servers (open only to ISP network)
> and they are of type ANY for a specific domain (example.com).

Yes.

> If this is true then why not try to 'filter' on the application layer
> than on the network?

I agree that this is the proper layer to address the issue. However this
is not easy.

> As far as I know BIND cannot block specific queries. You might want to
> check unbound and local-data.

You can't just reimplement a very busy commercial setup overnight,
especially in such a critical service.

> Maybe you could try some kind of DNS-proxy to filter out the unwanted
> queries, since there is a pattern.
> Check http://thesprawl.org/projects/dnschef/ (haven't tested it).

I will take a look at it.

> Alternatively you would want to implement that pf helper/'proxy' as
> Henning suggested
> which without doubt would be faster but you have to develop it.

Yes.

> Last, run the iptables matching filter on the DNS's firewall itself (if
> they run linux)
> and not on the external firewalls.

This is what we did and what we will do again.

> good luck,
>
> Giannis

Kostas
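Added example, not from this thread or from any of the tools it names: the core check a DNS proxy or pf helper of the kind discussed above would apply, parsing the question section of a DNS query in wire format and flagging QTYPE ANY for example.com or any name beneath it. The build_query helper only produces constructed test packets; the zone name and transaction id are assumptions.

```python
import struct

QTYPE_ANY = 255


def parse_qname(msg, offset):
    """Parse an uncompressed DNS name at offset; return (lowercased name, next offset)."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers do not occur in a query's question section.
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[offset:offset + length].decode("ascii").lower())
        offset += length
    return ".".join(labels), offset


def is_any_query_for(msg, zone):
    """True if msg is a DNS query (QR=0) whose first question is QTYPE ANY for zone or a subdomain."""
    if len(msg) < 12:
        return False
    _txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount < 1:  # ignore responses and question-less packets
        return False
    try:
        qname, off = parse_qname(msg, 12)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    except (ValueError, UnicodeDecodeError, struct.error):
        return False  # malformed packets are not matched; let the resolver reject them
    zone = zone.lower().rstrip(".")
    return qtype == QTYPE_ANY and (qname == zone or qname.endswith("." + zone))


def build_query(name, qtype, txid=0x1234):
    """Constructed test input: a minimal query with RD set and one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)
```

A filter built on this would count matches per source before dropping, so legitimate ANY lookups for the zone are not silently lost.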