How to block DNS record scans?
Charles Cala
charles_cala at yahoo.com
Wed Apr 20 06:59:57 UTC 2005
--- Sylvan Andrew <sylvan_nids at norfolk.nf> wrote:
>
> Hello,
>
> Is there anyone who could help us; it would be much appreciated. Two of
> our DNS servers are continually getting scanned with some type of script
> that tries every combination possible from A-Z.
A few questions:
Is this an authoritative server for a zone?
Is this just one zone in question, or all of *.nf?
Is this clogging up the pipe to the island (for everybody)?
(I am assuming that you're still running around 25 megs/second
total bandwidth for the island.)
Is this traffic coming from one IP or a range?
Are there other scans/probes from this person?
Is this related to the online gambling servers on the island?
Have you asked this person's ISP to stop it?
Probably the best defense is to modify the ACL of the
router BEFORE the traffic goes onto the cable/sat going
to your island.
If traffic load is not a concern, then you can modify the
incoming router ACL, or you can modify the allow-query line in BIND.
If you're feeling vindictive you can block the IP range of that ISP,
or if you're sure that the queries are coming from an end user, you
can add a wildcard record that lists
IN NS uratwit.example.com.
IN NS uratwit.example.net.
IN NS uratwit.example.org.
IN NS 1.0.0.127.in-addr.arpa.
And anything else you feel is proper.
Feel free to give us/me the source ip of your problems, and we
will see what can be done.
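To illustrate the "modify the allow-query line in BIND" suggestion above, here is an added named.conf fragment (not from the original post or from the BIND project): it defines an ACL for the scanning source, denies it on the authoritative zone, and turns on query logging so the source addresses can be identified. The 192.0.2.0/24 range, the zone name example.nf and the file paths are constructed placeholders.

```conf
// Added example, not from the original post. 192.0.2.0/24 is a
// constructed placeholder for the scanning source; replace it with
// the address or range seen in the query log.
acl "scanners" {
    192.0.2.0/24;
};

logging {
    // Query log: each line records the client IP and the name asked for,
    // which is what you need to pick out the A-Z enumeration pattern.
    channel querylog {
        file "/var/log/named/query.log" versions 5 size 20m;
        severity info;
        print-time yes;
    };
    category queries { querylog; };
};

options {
    directory "/var/named";
    // Order matters: the negated ACL entry must come before "any".
    // Clients in "scanners" get REFUSED; everyone else is answered.
    allow-query { !scanners; any; };
    // Authoritative-only server: do not recurse for outside clients.
    recursion no;
};

zone "example.nf" {
    type master;
    file "db.example.nf";
    // A per-zone allow-query overrides the global one; repeat the
    // same list so the block applies to this zone too.
    allow-query { !scanners; any; };
};
```

If response bandwidth on the link is the real concern, `blackhole { scanners; };` inside `options` drops the packets with no reply at all instead of sending REFUSED.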