Re: Millions of './ANY/IN' queries denied

2021-12-15 Thread John Kristoff
On Wed, 15 Dec 2021 12:51:19 +0100
Danilo Godec via bind-users wrote:

[...]
> 15-Dec-2021 00:01:42.127 security: info: client @0x7f96180b3fe0
> 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied

This can be common noise you'll see if any external source can get
queries to your server.  It looks like you are denying the queries,
which are probably rd=1 queries.  That is good.  If your server is
auth-only, then it is probably easiest and least harmful.  These are
most likely clients looking for open resolvers.  For example, the
address below has shown up in the signals data doing just that since at
least early November with a project associated with the domain of my
email.

> I'm guessing this is some sort of a reflection attack attempt, but I
> don't quite understand if these are the perpetrators or victims?

If you're refusing the queries, most likely they are Internet surveyors
and scanners.  Some of that may be for reasonable cataloging and
alerting services, other times it is by miscreants looking for servers
to use for reflection attacks.

> Would I be doing a bad thing by using fail2ban to block these IPs?

This might be dangerous.  If someone spoofs a well formed UDP query
that does what the above does and you block it, what if the spoofed
source is something you don't want blocked?  This doesn't happen often,
but I've seen it happen and people have gotten badly burned by it.

John
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Using RRL to force TC=1 on all queries

2021-06-19 Thread John Kristoff
Has anyone configured BIND to force TC=1 responses on all queries using
RRL?  I'd like to do this for some experimentation and measurement
work, but maybe this just isn't the right tool for that job?

I've tried a number of configurations (e.g. slip=1, rate=0) and I can't
seem to make this work.  Perhaps it is not possible.

I believe I can do this with dnsdist or Knot, so I might use one of
those, but I was hoping I could accomplish such a thing with BIND
without modifying the source code - and I think RRL would be the most
likely way to accomplish such a feat.  If you've done so and can provide
a config snippet, I would be very eager to receive it.

Thank you,

John


Re: Getting "query failed (REFUSED) for ./IN/ANY"

2021-01-13 Thread John Kristoff
On Wed, 13 Jan 2021 10:21:19 +0100
Alessandro Vesely wrote:

> Yesterday I got 42639 of those, from 41 different IPs, the most frequent 
> clients looking like so:
> 821-north:~$ sed -rn 's/^.{15} 30 north named[^:]*: client @0x[0-91-f]* 
> ([0-9.]*)#[0-9]* ...: view external: query failed .REFUSED. for ..IN.ANY at 
> .bin.named.query.c:7144/\1/p' < /var/log/daemon.log.0 |sort |uniq -c 
> |sort -rn |head
> 4957 68.42.225.19
> 2914 73.73.73.73
> 2868 24.21.125.251
> 2783 193.70.81.112
> 2440 73.73.3.73
> 2273 101.71.138.9
> 2032 74.74.74.8
> 1814 98.25.235.45
> 1785 209.94.134.20
> 1756 73.109.143.81

Through a side project I report on IN ANY queries and have seen all of
those addresses and more as you can examine here:

  

Some may be sourced from a security/research survey project, but some
sources performing this may be for more nefarious purposes - building a
list of open resolvers that will answer for the purposes of maintaining
an amplification/reflection hit list.

Unfortunately there are many open resolvers that answer, but perhaps
except for a name you are authoritative for, responding with a REFUSED
response is generally considered reasonable and appropriate.

John
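An added example, not from any post in this thread: a small Python script that aggregates denied root ANY queries per source address from both log shapes quoted above (the BIND security-channel line from the December post and the syslog-style "query failed (REFUSED) for ./IN/ANY" line from the January post), doing in one place what the sed pipeline does. The sample lines are constructed with documentation addresses and an assumed syslog prefix; it only reports counts for review, since a UDP source address can be spoofed and blocking on it is the risk John describes.

```python
import re
from collections import Counter

# Constructed sample log lines (documentation addresses, not real traffic)
# in the two shapes quoted in this thread.
SAMPLE_LOG = """\
15-Dec-2021 00:01:42.127 security: info: client @0x7f96180b3fe0 192.0.2.10#11092 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.301 security: info: client @0x7f96180b3fe0 192.0.2.10#11093 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:43.010 security: info: client @0x7f96180b4a10 198.51.100.7#3341 (.): view outside: query (cache) './ANY/IN' denied
Jan 12 09:30:01 north named[812]: client @0x7f0c5c0b1234 203.0.113.5#40000 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 09:30:02 north named[812]: client @0x7f0c5c0b1234 192.0.2.10#40001 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
15-Dec-2021 00:02:00.000 security: info: client @0x7f96180b3fe0 192.0.2.99#5353 (example.com): view outside: query (cache) 'example.com/A/IN' denied
"""

# One pattern covers both phrasings: the client address precedes "#port",
# and the root ANY query is written either './ANY/IN' or ./IN/ANY.
# Only root ANY denials match; other denied names (last sample line) do not.
DENIED_ANY = re.compile(
    r"client @0x[0-9a-f]+ (?P<ip>[0-9a-fA-F.:]+)#\d+ .*?"
    r"(?:query \(cache\) '\./ANY/IN' denied"
    r"|query failed \(REFUSED\) for \./IN/ANY)"
)


def count_denied_any(lines):
    """Return a Counter mapping source IP -> number of denied root ANY queries."""
    counts = Counter()
    for line in lines:
        m = DENIED_ANY.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def top_sources(lines, n=10):
    """Most frequent sources, like `sort | uniq -c | sort -rn | head`."""
    return count_denied_any(lines).most_common(n)


if __name__ == "__main__":
    # Report for a human to look at; do not feed this straight into a blocklist.
    for ip, n in top_sources(SAMPLE_LOG.splitlines()):
        print(f"{n:6d} {ip}")
```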