On Wed 14/Apr/2021 00:37:22 +0200 Richard T.A. Neal wrote:
Julien Salort wrote:
Reading this thread, I considered simply enabling the fail2ban named-refused
jail, but they advise against it because it would end up blocking the victim
rather than the attacker.
I'm happy to be corrected by
On Wed, 2021-04-14 at 08:07 +, Richard T.A. Neal wrote:
>
> Just out of interest, because I run some services on OVH, I know what
> that term means. When you rent a dedicated server from OVH you are
> assigned a single IPv4 address. Let's assume that you then want to use
> VMware or Hyper-V
Paul Kosinksi wrote:
> Interesting observation. I just did lookups on 4 recent (< 24 hrs ago)
> 'sl/ANY/IN' queries logged by our BIND and got:
> ...1 OVH Hosting IP (Montreal)
> The whois info for the OVH IP contains the line:
> Comment: Failover IPs
Just out of interest, because I run some
IN' denied
Apr 13 22:44:04 ns02 named[9487]: client @0x7fc8740c7310
46.102.130.246#80 (sl): query (cache) 'sl/ANY/IN' denied
--Brett
-- Original Message --
From: "Richard T.A. Neal"
To: "bind-users@lists.isc.org"
Sent: Apr 13, 2021 17:42:28 PM
Subject: FW
On Tue, 2021-04-13 at 22:42 +, Richard T.A. Neal wrote:
> Yes, another individual & I were discussing this off-list today. We
> wonder if those queries are from malware on infected hosts that are
> trying to determine whether a given nameserver
> In the particular case of the .sl denied queries, I don't think these are
> forged queries from the attack victim. Something else is going on here. We
> see queries from systems like these, almost exclusively consumer endpoints:
[snipped]
> It seems unlikely that someone is trying to attack
Julien Salort wrote:
> Do you block specifically the dns queries in the firewall, or straight out
> block the IP?
I specifically block both UDP 53 and TCP 53, but that's essentially a full
block because these servers are only running BIND, nothing else.
> Reading this thread, I considered