Re: high volume from outside our networks question

2013-02-02 Thread Beavis
Rich,

I suggest the following:

minimal-responses yes;  - set this globally
blackhole { address_match_list };  - use the address_match_list file from
your pf.conf (freebsd)

with this combo, your bind should refuse queries when they're out-of-zone.

additional-from-auth yes;
additional-from-cache no;


good luck,
-Beavis

On Wed, Jan 30, 2013 at 3:02 PM, rich carroll richcarr...@gmail.com wrote:
 Currently our ISP's bind9 server is experiencing a lot of traffic. It looks
 like we are being used to attack IP addresses. We do have our own domains
 that we host as well as resolving for our customers.

 I have an acl for our subnets and we allow-recursion and allow-query-cache
 for those subnets. The IPs of the abusing servers are outside of our
 networks.

 My assumption was that if the query came from outside our networks and it
 wasn't for one of our domains then there wouldn't be a response, but this
 isn't the case.

 If I go outside our network and do a dig google.com @ourDNSserver I get:

 ; <<>> DiG 9.6.-ESV-R3 <<>> google.com @ns1.
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23403
 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
 ;; WARNING: recursion requested but not available

 ;; QUESTION SECTION:
 ;google.com.                    IN      A

 ;; AUTHORITY SECTION:
 com.                    172800  IN      NS      a.gtld-servers.net.
 com.                    172800  IN      NS      h.gtld-servers.net.
 com.                    172800  IN      NS      l.gtld-servers.net.
 com.                    172800  IN      NS      d.gtld-servers.net.
 com.                    172800  IN      NS      c.gtld-servers.net.
 com.                    172800  IN      NS      i.gtld-servers.net.
 com.                    172800  IN      NS      m.gtld-servers.net.
 com.                    172800  IN      NS      b.gtld-servers.net.
 com.                    172800  IN      NS      j.gtld-servers.net.
 com.                    172800  IN      NS      f.gtld-servers.net.
 com.                    172800  IN      NS      e.gtld-servers.net.
 com.                    172800  IN      NS      g.gtld-servers.net.
 com.                    172800  IN      NS      k.gtld-servers.net.

 ;; ADDITIONAL SECTION:
 a.gtld-servers.net.     172800  IN      A       192.5.6.30
 a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30
 b.gtld-servers.net.     172800  IN      A       192.33.14.30
 b.gtld-servers.net.     172800  IN      AAAA    2001:503:231d::2:30
 c.gtld-servers.net.     172800  IN      A       192.26.92.30
 d.gtld-servers.net.     172800  IN      A       192.31.80.30
 e.gtld-servers.net.     172800  IN      A       192.12.94.30
 f.gtld-servers.net.     172800  IN      A       192.35.51.30
 g.gtld-servers.net.     172800  IN      A       192.42.93.30
 h.gtld-servers.net.     172800  IN      A       192.54.112.30
 i.gtld-servers.net.     172800  IN      A       192.43.172.30
 j.gtld-servers.net.     172800  IN      A       192.48.79.30
 k.gtld-servers.net.     172800  IN      A       192.52.178.30
 l.gtld-servers.net.     172800  IN      A       192.41.162.30

 ;; Query time: 2 msec
 ;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
 ;; WHEN: Wed Jan 30 14:50:32 2013
 ;; MSG SIZE  rcvd: 500

 Is it supposed to work like this? We are getting 100-600 of these a second.
 Most are looking up isc.org. They are more than likely spoofed IPs and
 someone is using our servers to attack people.

 I spent some time doing google searches and mostly found that you need to
 make sure you are only doing recursive lookups for your network, but that
 hasn't solved our issue if we are still sending out responses.

 --
 Richard Carroll
 richcarr...@gmail.com


 ___
 Please visit https://lists.isc.org/mailman/listinfo/bind-users to
 unsubscribe from this list

 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users



-- 
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Disclaimer:
http://goldmark.org/jeff/stupid-disclaimers/
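The poster's assumption above, that a query from outside the ACL for a name outside the server's own zones would simply get no response, is the distinction worth measuring from the query log before and after a configuration change. The following Python script is an added example, not code from this thread, from the poster's server or from ISC: it classifies BIND 9 querylog lines as authoritative, recursion-for-customer, or out-of-zone-from-outside, and tallies the last category per source address and per (name, type). The ACL subnets, zone list and log lines are constructed; the line layout is the classic BIND 9 querylog form, "client ADDR#PORT: query: NAME CLASS TYPE FLAGS (DEST)", with the "@0x..." client pointer that newer versions print tolerated.

```python
"""Classify BIND 9 query-log lines the way the thread's poster expected the
server to treat queries: for one of our own zones, from a customer subnet,
or out-of-zone from outside (the traffic worth examining).

Added example, not code from the thread or from ISC. Subnets, zones and log
lines are constructed; the log layout is the classic BIND 9 querylog line,
    client ADDR#PORT: query: NAME CLASS TYPE FLAGS (DEST)
with the "@0x..." client pointer newer versions print tolerated."""
import ipaddress
import re
from collections import Counter

# Constructed stand-ins for the poster's recursion ACL and authoritative zones.
OUR_NETS = [ipaddress.ip_network("198.51.100.0/24"),
            ipaddress.ip_network("2001:db8::/32")]
OUR_ZONES = ["example.net.", "example.org."]

LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def in_our_nets(addr):
    """True if addr falls inside one of the ACL subnets (v4 and v6 both handled)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OUR_NETS)


def in_our_zones(qname):
    """True if qname is at or below one of our authoritative zones."""
    name = qname.lower().rstrip(".") + "."
    return any(name == z or name.endswith("." + z) for z in OUR_ZONES)


def classify(line):
    """Parse one querylog line; return a dict with a verdict, or None if unparsable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, qname, qtype, flags = m.group("src", "qname", "qtype", "flags")
    if in_our_zones(qname):
        verdict = "authoritative"             # answered for anyone, by design
    elif in_our_nets(src):
        verdict = "recursion-for-customer"    # what allow-recursion covers
    else:
        verdict = "out-of-zone-from-outside"  # the reflection candidates
    # In the querylog flags field "+" means recursion was requested, "-" not.
    return {"src": src, "qname": qname, "qtype": qtype,
            "rd": flags.startswith("+"), "verdict": verdict}


def summarize(lines):
    """Count out-of-zone-from-outside queries per source and per (name, type)."""
    per_src, per_name = Counter(), Counter()
    for line in lines:
        rec = classify(line)
        if rec and rec["verdict"] == "out-of-zone-from-outside":
            per_src[rec["src"]] += 1
            per_name[(rec["qname"].lower(), rec["qtype"].upper())] += 1
    return per_src, per_name


# Constructed sample: one outside source repeating "isc.org ANY", one customer
# query, one query for our own zone, one other outside source.
SAMPLE_LINES = [
    "client 203.0.113.9#1024: query: isc.org IN ANY + (198.51.100.53)",
    "client 203.0.113.9#1025: query: isc.org IN ANY + (198.51.100.53)",
    "client 203.0.113.9#1026: query: ISC.ORG IN ANY + (198.51.100.53)",
    "client 198.51.100.77#53211: query: google.com IN A + (198.51.100.53)",
    "client 203.0.113.9#1027: query: www.example.net IN A - (198.51.100.53)",
    "client 2001:db8:1::5#4242: query: example.com IN MX + (2001:db8::53)",
    "client 192.0.2.44#9999: query: google.com IN A + (198.51.100.53)",
]

if __name__ == "__main__":
    per_src, per_name = summarize(SAMPLE_LINES)
    for src, n in per_src.most_common():
        print(f"{src:40} {n} out-of-zone queries from outside")
    for (name, qtype), n in per_name.most_common():
        print(f"{name} {qtype}: {n}")
```

Pointed at a real querylog (enable it with rndc querylog), the per-source and per-name counts tell you who is driving the 100-600 queries per second and what they ask for, which is what an abuse report to the upstream needs. The ACL test is the same one allow-recursion applies, so a large out-of-zone-from-outside count after recursion has been restricted means those queries are still being answered with referrals, exactly the 500-byte response shown in the dig output above, and it is the size of that referral that the minimal-responses and additional-from-cache settings suggested in the reply are meant to shrink.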


Re: windows 2003 dns and bind9

2013-01-24 Thread Beavis
Some points to check:

- Any specific errors in the named.log?
- Tried querying win2k3 and the bind box separately? AXFR checks?

That's a good start.


On Thu, Jan 24, 2013 at 12:37 AM, newbie newbie@gmail.com wrote:
 Morning all...

 I am currently using Windows Server 2003 DNS AD and run a domain, let's say
 example.com, and now I have another domain example.org. I use bind9 as
 master of example.org and transfer to my Windows DNS, and I set example.org
 in my Windows DNS as secondary, but it did not work?? Can anybody help me??

 regards

 Note: sorry for my bad English.





Re: How to Limit DNS Request per ip source ?

2013-01-14 Thread Beavis
Just put an ACL filter on your bind config for recursive queries. This
will make your dns less susceptible to flash-crowd type attacks. Cisco
has a short document about this.

http://www.cisco.com/web/about/security/intelligence/dns-bcp.html

Just check out the bind-centric info. Discard the rest.


regards,
-B

On Mon, Jan 14, 2013 at 1:06 PM, Gaurav Kansal gaurav.kan...@nic.in wrote:
 Dear All,

 I want to limit the DNS requests per source IP through iptables.

 I tried the following commands, but unfortunately didn't succeed.

 -A RH-Firewall-1-INPUT -m udp -p udp --dport 53 -m state --state NEW -m
 recent --set --name DNSQF --rsource

 -A RH-Firewall-1-INPUT -m udp -p udp --dport 53 -m state --state NEW -m
 recent --update --seconds 60 --hitcount 5 --name DNSQF --rsource -j DROP

 If anyone is using iptables for limiting DNS queries per IP, then please help me
 out.

 Thanks and Regards,

 Gaurav Kansal

 Mob – 9910118448

 Happy New Year 2013.

 IPv4 is Over,

 Are you ready for the new Network.




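The two iptables rules quoted above rely on the semantics of the "recent" match: the first rule records each new packet's source, the second drops a packet when that source has already been recorded hitcount times within the window. The Python below is an added example, not the poster's ruleset or netfilter's code, that models that logic over a constructed packet stream so the expected behaviour (with --set ordered before --update, the current packet counts, so the fifth query inside 60 seconds is the first one dropped) can be checked before touching a live firewall.

```python
"""Model of the per-source limit the two iptables 'recent' rules above are
meant to enforce: record every new query's source (--set), then drop a
packet when that source has already been recorded `hitcount` times within
the last `seconds` (--update --seconds 60 --hitcount 5).

Added example, not the poster's ruleset or netfilter's own code; the packet
stream is constructed. Timestamps are seconds as floats."""
from collections import defaultdict, deque


class RecentLimiter:
    def __init__(self, seconds=60, hitcount=5):
        self.seconds = seconds
        self.hitcount = hitcount
        self.hits = defaultdict(deque)  # src -> timestamps of recorded packets

    def check(self, src, now):
        """Return 'ACCEPT' or 'DROP' for a packet from src arriving at time now."""
        q = self.hits[src]
        while q and now - q[0] > self.seconds:  # expire hits outside the window
            q.popleft()
        q.append(now)  # the --set rule runs first, so this packet is counted too
        # --hitcount N matches once the window holds N or more hits
        return "DROP" if len(q) >= self.hitcount else "ACCEPT"


def simulate(packets, seconds=60, hitcount=5):
    """Run a (src, time) stream through the limiter; return one verdict per packet."""
    lim = RecentLimiter(seconds, hitcount)
    return [lim.check(src, t) for src, t in packets]


# Constructed stream: 203.0.113.9 sends six queries in ten seconds, a customer
# address sends one in between, then the first source tries again after the window.
SAMPLE_PACKETS = [
    ("203.0.113.9", 0.0), ("203.0.113.9", 1.0), ("198.51.100.7", 1.5),
    ("203.0.113.9", 2.0), ("203.0.113.9", 3.0), ("203.0.113.9", 4.0),
    ("203.0.113.9", 9.0), ("203.0.113.9", 70.0),
]

if __name__ == "__main__":
    for (src, t), verdict in zip(SAMPLE_PACKETS, simulate(SAMPLE_PACKETS)):
        print(f"t={t:5.1f} {src:14} {verdict}")
```

Two caveats a practitioner would want before relying on this. Both quoted rules match --state NEW, so only a packet that opens a new conntrack entry is ever counted; a client that reuses the same source port within the UDP conntrack timeout is ESTABLISHED and never reaches either rule. And a per-source limit only helps against sources that are real: for the spoofed-source traffic suspected in the first thread above, every packet carries a different address and the counter never fills, which is why the application-layer ACL in the reply (allow-recursion restricted to your own subnets) is the control to apply first.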


Re: measuring dns query

2012-05-11 Thread Beavis
Thanks for the reply Daniel, this is what I need.

On Thu, May 10, 2012 at 2:38 AM, Daniel Migault mglt@gmail.com wrote:
 Hi,

 Maybe you are looking for dnsperf and resperf [1]. We have done some
 tests similar to these in [2] and [3], so maybe it helps. Replaying
 captures of traffic may also be recommended, especially to consider, for
 example, queries with no answers. At least for DNSSEC this matters.

 [1] http://www.nominum.com/resources/measurement-tools
 [2] http://www.iepg.org/2010-11-ietf79/iepg79-mglt.pdf
 [3] http://www-public.it-sudparis.eu/~lauren_m/articles/Migault-CNSM2010.pdf

 BR
 Daniel


 On Thu, May 10, 2012 at 7:21 AM, PFUnix Mail pfu...@gmail.com wrote:
 all,

 I'm looking for a way to measure DNS queries and am looking for an open-source
 solution if possible. Any suggestions?

 I want to measure the time it takes for 1 DNS query in bind vs. DNS
 Active-Directory integrated.

 thanks,
 B



 --
 Daniel Migault
 Orange Labs / Security Lab
 +33 (0) 1 45 29 60 52
 +33 (0) 6 70 72 69 58





Re: Anycast DNS

2012-02-29 Thread Beavis
Just want to piggyback on this topic: is there any documentation
available online that shows a deployment guideline for Anycast?

-beavis

On Wed, Feb 29, 2012 at 10:31 AM, Warren Kumari war...@kumari.net wrote:

 On Feb 29, 2012, at 11:00 AM, Todd Snyder wrote:

 The reason I've heard a few times is that users are uncomfortable using only
 1 address. In the past I've done 2 or 3 addresses just so that we can give
 out 3 addresses that all point to the same pool of servers.

 Silly, I know, but sometimes it's easier to placate than to change
 someone's/a group's understanding of the
 world/networking/resilience/dns/loadbalancing.

 It's partly silly, it's also partly not wanting to have all your eggs in one
 basket.

 Having more than one anycast address provides protection against things like
 routing attacks / leaks, overenthusiastic ACLs, router blackholes and similar.
 It also provides a backup in case the primary node chosen by your routing
 infrastructure is unavailable -- if you only have a single anycast address
 (192.0.2.1) and the instance chosen by your routing system is down (for
 example through a DoS, misconfiguration, etc.) you have no service. If you have
 a second address (10.10.10.10) that is announced by a different constellation
 you have redundancy.

 Also, anycast provides the closest instance according to the *network
 topology* -- this doesn't always equate to fastest response -- it is not
 uncommon for a longer BGP path to have a shorter latency. Providing multiple
 addresses allows the resolver to choose based upon time.

 W



 $0.02
 t.

 From: bind-users-bounces+tsnyder=rim@lists.isc.org 
 [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of ju 
 wusuo
 Sent: Tuesday, February 28, 2012 10:56 PM
 To: bind-users@lists.isc.org
 Subject: Anycast DNS

 Have seen some anycast DNS implementations using more than one address, sometimes
 even on the same subnet; any considerations or reasons for doing that?



 -
 This transmission (including any attachments) may contain confidential 
 information, privileged material (including material protected by the 
 solicitor-client or other applicable privileges), or constitute non-public 
 information. Any use of this information by anyone other than the intended 
 recipient is prohibited. If you have received this transmission in error, 
 please immediately reply to the sender and delete this information from your 
 system. Use, dissemination, distribution, or reproduction of this 
 transmission by unintended recipients is not authorized and may be unlawful. 





**another** connection timed out; no servers could be reached

2009-05-27 Thread Beavis
I have 2 DNS servers running the same zones, hints and named.conf; each
of them acts as a master (I do most of the updates of the zones I have
through a script).

I'm running a simple query from both of the boxes and it seems that I
can't query the 2nd box.

#1 box

$ dig @1.1.1.10 www.yahoo.com

; <<>> DiG 9.3.4 <<>> @1.1.1.10 www.yahoo.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31303
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.yahoo.com.                 IN      A

;; ANSWER SECTION:
www.yahoo.com.          300     IN      CNAME   www.wa1.b.yahoo.com.
www.wa1.b.yahoo.com.    60      IN      CNAME   www-real.wa1.b.yahoo.com.
www-real.wa1.b.yahoo.com. 60    IN      A       69.147.76.15
www-real.wa1.b.yahoo.com. 60    IN      A       209.191.93.52

;; AUTHORITY SECTION:
wa1.b.yahoo.com.        299     IN      NS      yf1.yahoo.com.
wa1.b.yahoo.com.        299     IN      NS      yf2.yahoo.com.

;; Query time: 219 msec
;; SERVER: 10.0.100.10#53(1.1.1.10)
;; WHEN: Tue May 26 17:52:42 2009
;; MSG SIZE  rcvd: 146


#2 box

$ dig @1.1.1.11 www.yahoo.com

; <<>> DiG 9.3.4 <<>> @1.1.1.11 www.yahoo.com
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached

both boxes sit on the same subnet, and they both have the same hints
file. no fw (pf) installed on any of the boxes.

if it's a straightforward query for box #2 it calls out the
"connection timed out; no servers could be reached" but when I add
+trace on the query it can actually resolve the site.

I did a bit of googling, and most of the posts I see regarding this
point to a firewall issue.


any help would be awesomely appreciated.




Fwd: **another** connection timed out; no servers could be reached

2009-05-27 Thread Beavis
Found what the problem is: I stopped bind completely and re-ran it,
and the hint list worked again. Bug? Maybe. I'm running OpenBSD 4.2 and
its built-in bind server.