Re: connection timed out; no servers could be reached

2009-03-08 Thread Blah Blah Blah
On Sat, 07 Mar 2009 22:03:14 -0500, R Dicaire faxed us with

 On Sat, Mar 7, 2009 at 8:44 PM, Bill Landry b...@inetmsg.com wrote:
 I have to admit that I am a bit baffled by this one. I can query
 against my bandwidth provider's name servers (Comcast) and get name
 resolution just fine for the hostname www.malware.com.br:
 
 Check firewall settings. Connection timed out is typically a firewall
 issue.
 
 -- 
 
 aRDy Music and Rick Dicaire present:
 http://www.ardynet.com
 http://www.ardynet.com:9000/ardymusic.ogg.m3u

Concur,

They open up 53 (sometimes), then block UDP.

-- 
Replica Watches - TRY LIDL - Cheap meds? Visit your GP
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: will blocking getting hammered by cache request do anything?

2009-03-08 Thread enigmedia
  Hi All: my 9.6.0 server is getting hammered by cache requests from a 
  specific IP (62.109.4.89) which traces back to what looks like a DSL 
  netblock in Russia:
  
  05-Mar-2009 12:18:01.883 queries: info: client 62.109.4.89#53157: query: . IN NS +
  05-Mar-2009 12:18:01.883 security: info: client 62.109.4.89#53157: query (cache) './NS/IN' denied
  
  I assume that this is some unpatched server (because currently I only see 
  this single IP trying to connect), but is there any way to tell the 
  difference between that and a deliberate DDOS attack?
 
 Actually, this is almost certainly someone trying to use your server as 
 part of a DNS amplification attack ON that server.  The source IP is 
 spoofed, with the goal of getting lots of servers to send large replies 
 to it.  But since you have recursion and query-cache disabled for 
 external IPs, you're not amplifying anything.
 
 My subnet is on a Verizon 3Mbps static business DSL connection with a 
 router/firewall NAT'ing the incoming traffic.
 
  My question is, will blocking this from the firewall in front of the box 
  help in any way to mitigate its effect on the server? Or do I need to get 
  my upstream provider to block this IP for it to have any impact? The server
  isn't choking on the volume of requests (yet), and I'm wondering if 
  blocking the requests at the border of the network would do anything 
  meaningful?
 
 If you block it on the firewall, then the requests will never hit the 
 server, so of course it will mitigate its effect on the server.  It 
 won't help with the downstream bandwidth on your DSL, but it will stop 
 the REFUSED replies from being sent back, so your upstream bandwidth 
 will improve.

Thanks Barry: you mentioned that the IP is being spoofed...does that mean the
IP in the log is not the actual IP that sent the request? If so, would blocking
it actually work?
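
Barry's diagnosis rests on the two log lines quoted above: a query for ". IN NS" with recursion desired (the "+" flag), refused from the cache. As an added example (not code from this thread), the Python below parses BIND 9 query/security log lines of exactly that shape, aggregates them per client and flags sources that send many refused root-NS queries; it cannot tell a spoofed source from a real one (nothing in the log can), but it makes the pattern Barry describes visible next to ordinary traffic. The sample lines are constructed for this example, the 192.0.2.10 client is a documentation address, and the threshold of 50 is an assumed site value.

```python
"""Per-client summary of BIND 9 query/security log lines.

Added example, not code from the bind-users thread. The line format is the
one shown in the thread (BIND 9.x 'queries' and 'security' categories); the
sample lines and the threshold are constructed/assumed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>\w+): (?P<severity>\w+): "
    r"client (?P<ip>[^#\s]+)#(?P<port>\d+): (?P<msg>.*)$"
)
# "query: <qname> <qclass> <qtype> <flags>"; flags start with '+' (RD set) or '-'
QUERY_RE = re.compile(r"^query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)$")
# "query (cache) '<qname>/<qtype>/<qclass>' denied"
DENIED_RE = re.compile(r"^query \(cache\) '(?P<qname>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^']+)' denied$")


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["port"] = int(rec["port"])
    q = QUERY_RE.match(rec["msg"])
    d = DENIED_RE.match(rec["msg"])
    if q:
        rec["kind"] = "query"
        rec.update(q.groupdict())
    elif d:
        rec["kind"] = "denied"
        rec.update(d.groupdict())
    else:
        rec["kind"] = "other"
    return rec


def summarize(lines, root_ns_threshold=50):
    """Aggregate per client IP; 'suspect' marks sources whose refused root-NS
    queries reach root_ns_threshold (an assumed site value)."""
    acc = defaultdict(lambda: {"queries": 0, "denied": 0, "root_ns_denied": 0,
                               "rd_set": 0, "ports": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["kind"] == "other":
            continue
        s = acc[rec["ip"]]
        s["ports"].add(rec["port"])
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
        if rec["kind"] == "query":
            s["queries"] += 1
            if rec["flags"].startswith("+"):
                s["rd_set"] += 1
        else:
            s["denied"] += 1
            if rec["qname"] == "." and rec["qtype"] == "NS":
                s["root_ns_denied"] += 1
    report = {}
    for ip, s in acc.items():
        report[ip] = {
            "queries": s["queries"],
            "denied": s["denied"],
            "root_ns_denied": s["root_ns_denied"],
            "rd_set": s["rd_set"],
            "distinct_ports": len(s["ports"]),
            "span_seconds": (s["last"] - s["first"]).total_seconds(),
            "suspect": s["root_ns_denied"] >= root_ns_threshold,
        }
    return report


def constructed_flood(ip, count, start=datetime(2009, 3, 5, 12, 18, 1, 883000)):
    """Constructed sample: `count` '. IN NS' probes from `ip`, one per second,
    each logged once by the queries channel and once as denied by security."""
    lines = []
    for i in range(count):
        ts = (start + timedelta(seconds=i)).strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]
        port = 53157 + (i % 7)
        lines.append(f"{ts} queries: info: client {ip}#{port}: query: . IN NS +")
        lines.append(f"{ts} security: info: client {ip}#{port}: query (cache) './NS/IN' denied")
    return lines


# Constructed sample: the flood from the thread's source plus two ordinary
# queries from a documentation address (RFC 5737), which must not be flagged.
SAMPLE_LINES = constructed_flood("62.109.4.89", 60) + [
    "05-Mar-2009 12:18:05.120 queries: info: client 192.0.2.10#40123: query: www.example.com IN A -",
    "05-Mar-2009 12:18:05.121 queries: info: client 192.0.2.10#40123: query: example.com IN MX -",
    "05-Mar-2009 12:18:06.000 general: info: some unrelated line",
]

if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE_LINES).items()):
        print(ip, s)
```

Feed it `named` query and security log lines (the same file, or both channels merged) and look at the flagged rows: a source with a high refused root-NS count, RD always set and a handful of source ports is the reflection probe described above, whereas a broken resolver usually shows a mix of names and types.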




Re: will blocking getting hammered by cache request do anything?

2009-03-08 Thread David Forrest

On Sun, 8 Mar 2009, enigmedia wrote:

 Thanks Barry: you mentioned that the IP is being spoofed...does that mean the
 IP in the log is not the actual IP that sent the request? If so, would blocking
 it actually work?

This question has come up before and I commented thusly with a response 
from Mark Andrews:



Using allow-query to deny some queries still takes time and resources
from your server as it then sends a denied message back to the query 
source. As the source is spoofed it then contributes in a small way to the 
DDoS attack.  I think it is better to just drop the queries on your 
firewall. I found this entry for iptables on the list a while back and it 
works well and drops around a thousand queries a day.


# Drop UDP/53 packets that carry a single-question query for ". NS IN":
#   QDCOUNT == 1, first QNAME byte == 0 (root), then QTYPE 2 (NS) / QCLASS 1 (IN).
#   "0>>22&0x3C" is the IP header length, so the "@" offsets count from the UDP header.
#   The u32 expression must be quoted or the shell eats the ">>" and "&&".
iptables -A INPUT -i $LOCALIF -p udp --dport domain -m u32 \
  --u32 "0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001" \
  -j DROP


Mark replied:
Well, your opinion does not match the collective wisdom of the dnsop and
dnsext working groups.  These working groups looked at the issue a
while ago and concluded that sending REFUSED was the best response
overall.  Unless you know the packet was forged then dropping it
does additional damage.  Sending REFUSED turns you from an amplifier
into an obscurer.

The best thing you can do is make sure that you have deployed BCP
38 on your network.  This will prevent you being a source of spoofed
traffic.

The next best thing you can do is track or get your ISP to track
the offending traffic back to its source and request that BCP 38 be
deployed there.

That way everybody in the world is in a better position.  You can't
detect all reflection attacks at the reflector.  This one is an easy
one to detect.  You can however work to close down the holes in the
global BCP 38 defences.  This attack provides a perfect opportunity
to chase down those holes.

Mark


Mark made that comment and it made sense to me.  A thousand queries daily 
is a negligible load on my server and being an obscurer could be a good 
thing.  Dropping the queries at the firewall does make my logging easier 
to scan though, and, being selfish, I have opted to continue dropping 
them.  I'm just a small user and it is the path of least resistance.  I 
have noticed the attacks are sporadic and I'll go a week or so without 
any and then they recur for a couple of days.


Dave

--
David Forrest
St. Louis, Missouri
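
The u32 rule Dave quotes is hard to read because the u32 match language packs loads, shifts and offsets into one string. As an added example (not code from this thread), the Python below builds a ". IN NS" query wrapped in UDP and IPv4, then evaluates the same three tests the rule expresses over the raw bytes, so you can see what it matches (the root-NS probe, with or without IP options) and what it does not (any other name or type, or a packet too short for the loads). It also builds the REFUSED reply a server would send to the same query, which is the point Mark and Barry make: a REFUSED answer is the same size as the question, so nothing is amplified. Addresses, ports and the transaction id are made-up sample values; checksums are left at zero because u32 never reads them and nothing here touches the network.

```python
"""What the root-NS u32 rule matches, and how big a REFUSED reply is.

Added example, not code from the bind-users thread. It mirrors the u32
expression  0>>22&0x3C@12>>16=1 && 0>>22&0x3C@20>>24=0 && 0>>22&0x3C@21=0x00020001
in plain Python over a constructed packet. Addresses, ports and the DNS
transaction id below are sample values.
"""
import struct

QTYPE_A, QTYPE_NS = 1, 2
QCLASS_IN = 1


def dns_query(qname, qtype, qclass=QCLASS_IN, txid=0x1234, rd=True):
    """Minimal DNS query: 12-byte header and one question (RFC 1035)."""
    flags = 0x0100 if rd else 0x0000          # RD is the '+' in BIND's query log
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    if qname not in (".", ""):
        for label in qname.rstrip(".").split("."):
            raw = label.encode("ascii")
            msg += bytes([len(raw)]) + raw
    msg += b"\x00"                             # root label terminates the name
    return msg + struct.pack("!HH", qtype, qclass)


def ipv4_udp(payload, src="192.0.2.1", dst="198.51.100.53",
             sport=53157, dport=53, options=b""):
    """Wrap payload in UDP and IPv4 headers. Checksums stay zero: u32 never
    looks at them, and nothing here is sent on the wire."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # options pad to 32-bit words
    ihl = (20 + len(options)) // 4
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl, 0, ihl * 4 + udp_len, 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split("."))) + options
    return ip + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload


def u32_load(pkt, off):
    """32-bit big-endian load as u32 does; None when it would run past the
    end of the packet, which makes the u32 match fail."""
    if off < 0 or off + 4 > len(pkt):
        return None
    return int.from_bytes(pkt[off:off + 4], "big")


def matches_root_ns_rule(pkt):
    """Evaluate the three && terms of the rule over a raw IPv4 packet."""
    w0 = u32_load(pkt, 0)
    if w0 is None:
        return False
    base = (w0 >> 22) & 0x3C        # 0>>22&0x3C: IHL*4, the IP header length, used as '@' base
    w12 = u32_load(pkt, base + 12)  # UDP+12 = DNS+4: QDCOUNT (high 16 bits), ANCOUNT
    w20 = u32_load(pkt, base + 20)  # UDP+20 = DNS+12: first byte of QNAME (0 for ".")
    w21 = u32_load(pkt, base + 21)  # UDP+21 = DNS+13: QTYPE,QCLASS when QNAME is "."
    if None in (w12, w20, w21):
        return False
    return (w12 >> 16) == 1 and (w20 >> 24) == 0 and w21 == 0x00020001


def refused_reply(query):
    """The reply a server sends when it refuses a query: same id and question,
    QR set, RCODE 5 (REFUSED), no answer records, hence no amplification."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    flags = ((flags | 0x8000) & 0xFFF0) | 5
    return struct.pack("!HHHHHH", txid, flags, qd, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    probe = ipv4_udp(dns_query(".", QTYPE_NS))
    print("root NS probe matches:", matches_root_ns_rule(probe))
    print("example.com A matches:", matches_root_ns_rule(ipv4_udp(dns_query("example.com", QTYPE_A))))
    q = dns_query(".", QTYPE_NS)
    print("query bytes:", len(q), "REFUSED reply bytes:", len(refused_reply(q)))
```

Two things the evaluation makes obvious: the rule keys on the question alone, so a root-NS query with EDNS or a different transaction id still matches, and a query for any other name fails the second test because the first QNAME byte is a label length rather than zero. Whether to drop or answer REFUSED is the policy question Mark addresses; the bytes above only show that neither choice returns more than it received.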


Re: will blocking getting hammered by cache request do anything?

2009-03-08 Thread Mark Andrews

One thing I should add is that chasing down lack of BCP38 compliance
isn't whack-a-mole though it may feel like it.  This is a configuration
change and as such tends to be permanent especially once it gets written
into the procedures documents.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: Zonefiles CIDR

2009-03-08 Thread Barry Margolin
In article gp065t$bm...@sf1.isc.org,
 Stephen Ward stephen.usenet.w...@wibblywobblyteapot.co.uk wrote:

 Just a quick silly question.
 
 Running BIND9 (someone kindly raped to get it to work on windows) but it 
 does not seem to support CIDR ranges. I mostly use it to block unwanted 
 email by connecting IP (glorified reverse DNS).
 
 Rather than have to enter loads of lines to match up wide spans of ranges 
 I would like to define them using CIDR, but it seems it does not support 
 it.

Maybe you can do what you want with $GENERATE?

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***


RE: Zonefiles CIDR

2009-03-08 Thread Frank Bulk
There are other DNS servers that do a better job for RBLs.

Frank

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Stephen Ward
Sent: Sunday, March 08, 2009 5:20 AM
To: comp-protocols-dns-b...@isc.org
Subject: Zonefiles  CIDR

Just a quick silly question.

Running BIND9 (someone kindly raped to get it to work on windows) but it
does not seem to support CIDR ranges. I mostly use it to block unwanted
email by connecting IP (glorified reverse DNS).

Rather than have to enter loads of lines to match up wide spans of ranges
I would like to define them using CIDR, but it seems it does not support
it.

I'm probably being really thick - but is this so?!


Re: Zonefiles CIDR

2009-03-08 Thread Darin

Stephen Ward wrote:

Just a quick silly question.

Running BIND9 (someone kindly raped to get it to work on windows) but it 
does not seem to support CIDR ranges. I mostly use it to block unwanted 
email by connecting IP (glorified reverse DNS).


Rather than have to enter loads of lines to match up wide spans of ranges 
I would like to define them using CIDR, but it seems it does not support 
it.


I'm probably being really thick - but is this so?!
I do a similar thing with BIND in my network: I take IP ranges for 
certain countries and set up a blocklist using reverse format.  BIND 
will work with CIDR but in a very limited way.  Here's an example from my 
list:


*.82.77 IN A  127.0.0.3

The statement above will block a whole /16

*.191.79.77 IN A  127.0.0.3

The statement above will block a whole /24

So, you just have to set up your script to break things down by /8, /16, 
or /24.  That's about the best you can do. 


Darin -
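
Darin's wildcard form only covers octet-aligned blocks (/8, /16, /24), and Barry's earlier suggestion of $GENERATE covers the ranges inside a /24. As an added example (not code from this thread), the Python below is the "script to break things down" for any IPv4 CIDR: it emits one reverse-octet wildcard per octet-aligned block for prefixes of /24 or shorter, a BIND $GENERATE line for prefixes longer than /24, and a plain record for a /32. Owner names are relative, so the zone origin is assumed to be the RBL zone's apex; 127.0.0.3 is the right-hand side Darin uses.

```python
"""Expand an IPv4 CIDR into reverse-octet records for a BIND RBL-style zone.

Added example, not code from the bind-users thread. Owner names are relative
to the zone origin (the RBL zone apex); 127.0.0.3 follows the thread's example.
"""
import ipaddress


def _rev(octets):
    """Reverse-octet owner name fragment: (77, 79, 191) -> '191.79.77'."""
    return ".".join(str(o) for o in reversed(octets))


def cidr_to_rbl_records(cidr, rhs="127.0.0.3"):
    """Return zone file lines covering exactly the addresses in `cidr`."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("only IPv4 CIDRs are handled here")
    octets = list(net.network_address.packed)
    plen = net.prefixlen

    if plen == 32:                         # single host: a plain record
        return [f"{_rev(octets)} IN A {rhs}"]

    if plen > 24:                          # inside one /24: enumerate the last octet
        first, last = octets[3], net.broadcast_address.packed[3]
        return [f"$GENERATE {first}-{last} $.{_rev(octets[:3])} IN A {rhs}"]

    # /24 or shorter: split into the next octet-aligned blocks and emit one
    # wildcard per block, the only shape a wildcard owner name can express
    aligned = max(8, ((plen + 7) // 8) * 8)
    lines = []
    for block in net.subnets(new_prefix=aligned):
        kept = list(block.network_address.packed)[: aligned // 8]
        lines.append(f"*.{_rev(kept)} IN A {rhs}")
    return lines


def rbl_zone(cidrs, rhs="127.0.0.3"):
    """Records for several CIDRs, de-duplicated, in input order."""
    seen, out = set(), []
    for cidr in cidrs:
        for line in cidr_to_rbl_records(cidr, rhs):
            if line not in seen:
                seen.add(line)
                out.append(line)
    return out


if __name__ == "__main__":
    print("\n".join(rbl_zone(["77.82.0.0/16", "77.79.176.0/20",
                              "77.79.191.64/26", "77.79.191.5/32"])))
```

A /20 becomes sixteen /24 wildcards and a /12 sixteen /16 wildcards, so the record count grows with how far the prefix sits from an octet boundary, never with the number of hosts. Two caveats: $GENERATE is a BIND-specific directive, not zone file syntax other servers accept, and a wildcard only synthesises answers for names that do not otherwise exist in the zone, so keep the RBL zone free of other names beneath the wildcard's parent.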



Re: Hostname Naming Compliance

2009-03-08 Thread Danny Mayer
Kevin Darcy wrote:

 But, as far as I can tell, there's no *practical* reason to disallow
 underscores, other than the fact that it may trip the standards-checking
 code of some _other_ piece of software. So, piece of software A
 disallows underscores because it's worried about causing a problem for
 piece of software B, and piece of software B keeps the restriction
 because it's worried about about causing a problem for piece of software
 C, and piece of software C keeps the restriction because it's worried
 about causing a problem for piece of software A.
 

I had a case a year or two ago where a system had a host name with an
underscore in it and as a result it was unable to make a number of
connections. I don't remember the details any more but removing the
underscore solved the problem. It was running Windows which is why it
was allowed to get that hostname in the first place. It was easier for
me to point to the RFC's to get the sysadmins to change it than to
figure out what was causing it to trip up and fail. There are too many
failure paths.

Danny

