I think our DNS servers are being used like in this message:
https://lists.isc.org/pipermail/bind-users/2009-January/074639.html

What got my attention is that I ran out of space for the logs. I tweaked log rotation and got rid of some unneeded logging. All 3 advocap.org authoritative DNS servers are being hit. At least we are not the ones being attacked. Recursive lookups are not allowed.

Have a lot of log entries like this:

Jan 31 10:56:48 fonroute named[17884]: client 70.86.80.98#23535: query (cache) './NS/IN' denied

At least I'm not sending back the cache but just a denied message. About 3 different IPs are referenced. Sometimes about 2-3 per second per IP, other times about 10 per minute per IP.

I want to at least minimize us being used to attack and reduce logging. For now I am blocking a couple of IPs.

How about a rule like this:

Limit:info:DNSA,20,300 net loc udp domain

Considerations:
- Do not want to stop lookups of advocap.org.
- Don't want to stop transfers to/from slaves. Isn't that via TCP anyway?
- advocap.org doesn't have that much to look up. Only about a dozen entries, and I suspect most are for mail.advocap.org, www.advocap.org and the SPF text.

Any idea what good limits would be?

Thanks

John

--
John McMonagle
IT Manager
Advocap Inc.
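As an added example (not from John's post or from Shorewall), a small shell script that summarises BIND "denied" log lines in the format quoted above per client IP and per time window, so the count/seconds pair of a Limit rule can be chosen from observed traffic rather than guessed. The sample log lines and the 192.0.2.x / 198.51.100.x addresses are constructed, and the function names are hypothetical helpers.

```shell
#!/bin/sh
# Added example: per-client summary of BIND "query (cache) ... denied" lines,
# to size a Shorewall Limit:<level>:<set>,<count>,<seconds> rule from real logs.

# Constructed sample in the same format as the quoted log line
# (documentation addresses, not real clients). The last line is a
# non-"denied" BIND message and must not be counted.
sample_log() {
  cat <<'EOF'
Jan 31 10:56:48 fonroute named[17884]: client 192.0.2.10#23535: query (cache) './NS/IN' denied
Jan 31 10:56:48 fonroute named[17884]: client 192.0.2.10#23536: query (cache) './NS/IN' denied
Jan 31 10:56:49 fonroute named[17884]: client 192.0.2.10#23537: query (cache) './NS/IN' denied
Jan 31 10:57:02 fonroute named[17884]: client 198.51.100.7#40001: query (cache) './NS/IN' denied
Jan 31 10:58:15 fonroute named[17884]: client 192.0.2.10#23538: query (cache) './NS/IN' denied
Jan 31 11:03:40 fonroute named[17884]: client 192.0.2.10#23539: query (cache) './NS/IN' denied
Jan 31 11:04:00 fonroute named[17884]: zone advocap.org/IN: loaded serial 2009013101
EOF
}

# Reads log lines on stdin; prints "ip peak" where peak is the largest number
# of denied queries that ip sent within any single window of $1 seconds
# (default 300). Windows are fixed buckets within one day; day rollover ignored.
peak_denied_per_window() {
  awk -v win="${1:-300}" '
    /client / && / denied$/ {
      split($3, t, ":"); secs = t[1] * 3600 + t[2] * 60 + t[3]
      ip = $7; sub(/#.*/, "", ip)          # field 7 is "IP#port:"
      n[ip, int(secs / win)]++
    }
    END {
      for (k in n) { split(k, p, SUBSEP); if (n[k] > peak[p[1]]) peak[p[1]] = n[k] }
      for (ip in peak) print ip, peak[ip]
    }' | sort
}

# Lists IPs that would exceed a Limit rule of $1 connections per $2 seconds.
over_limit() {
  peak_denied_per_window "$2" | awk -v lim="$1" '$2 > lim { print $1 }'
}

sample_log | peak_denied_per_window 300
sample_log | over_limit 3 300
```

On the short constructed sample a limit of 3 per 300 s flags only 192.0.2.10; run the same functions over a real named log (e.g. `over_limit 20 300 < /var/log/named.log`) to see whether the proposed 20/300 would ever catch a slave or an ordinary resolver.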
