Preventing the 'other' type of zone transfer

Barry Margolin barmar at alum.mit.edu
Sat May 14 01:06:26 UTC 2005


In article <d636nq$2gjl$1 at sf1.isc.org>, "mayer" <mayer at gis.net> wrote:

> ----- Original Message Follows -----
> > 210.146.35.35 stepped through our entire 128.219/16
> > address space yesterday asking for reverse DNS lookups.
> > It started at 16:06 and ended at 20:34.  This is the
> > equivalent of a zone transfer.
> > 
> > I'm looking for a clever way of stopping this.  And if we
> > can't, we want to at least slow it down.  Creating dummy
> > records for the unused IP addresses has not been effective.
> > 
> 
> options {
> blackhole {210.146.35.35;};
> }
> 
> Then the server won't respond to any queries from that address.
> Of course that means all queries and not just for your reverse
> zone. Expect to have to add to the list when they figure out
> that you're blocking that IP address. You can of course do this at
> the router level before it even hits your servers.

I think the OP is looking for a way to prevent *other* people from doing 
this.  By the time they discover that it has happened, it's probably too 
late to blackhole that address -- they've already completed their DNS 
scan.

In fact, I wonder how they discovered this in the first place?  A /16 in 
4.5 hours is about 4 queries/second, which hardly seems likely to set 
off any alarms.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
