Script-kiddie / client <IP> query (cache) '<host>/MX/IN' denied
Denis BUCHER
dbucherml at hsolutions.ch
Tue Aug 3 19:09:41 UTC 2010
On 03.08.2010 18:28, wllarso wrote:
>> This seems to be due to a script-kiddie.
>> I would like to know if I can block hosts doing that at the level of
>> /etc/hosts.allow or should I do it at the level of Bind itself?
>> And sorry if this is not 100% on topic, I know it's at the border
>> between BIND and OS...
>
> On topic question. Don't worry.
>
> You could always use the "blackhole" directive in the BIND configuration
> to avoid responding to this address.
Do you think it is better or equal to the firewall solution?
> This will prevent your server from
> responding to queries from this address. See the BIND ARM for more info
> about how to use this. The problem is that this solution would prevent a
> DNS server at this address from querying your server for legitimate
> purposes. (Quickly, this address doesn't appear to be running a DNS server
> at the moment.)
Yes ;-)
> Then again, if you are running a firewall on your server (or in front of
> it), you could always block traffic from this address as an alternative
> too. This way your DNS server would never even see these queries to have
> to block.
Yes, that's what I did for the moment...
> But as a more complete solution, is this an authoritative server for some
> zone(s) that you are responsible for, or is this a recursive server for
> your customers?
It is an authoritative server for some domains, yes...
> If it is an authoritative server, then you should have it
> configured to not answer recursive queries for everyone in the world.
Yes, that would be interesting. Does it mean that only authoritative
zones would be allowed in queries? In fact it seems it does not answer
any query, as in the logs it says "denied". Am I right on this point or
not?
> If
> it is a recursive server, then you should be limiting who can query it and
> not respond to non-authorized queries. You can use the BIND "view" to
> limit who is getting what from your server.
>
> Your logs indicate that this query was denied, so you may already have
> your server configured to not answer these queries from this address, so
> the last paragraph may not apply.
Ok
> But, it is worth looking at your
> configuration just to confirm your server is "reasonably" configured.
Ok I will check for that...
Thanks a lot for your advice, it makes things a little clearer for me
now :-)
Denis
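The two configurations wllarso describes above, written out as a named.conf fragment. This is an added example, not configuration from the thread or from ISC; the zone name, the file paths, the `customers` ACL ranges and the 192.0.2.0/24 "abusive" prefix are placeholders (192.0.2.0/24 is the RFC 5737 documentation range, standing in for the script-kiddie's real address). The first `options` block is the authoritative-only shape: BIND refuses to recurse for anyone, answers only for zones it carries, and the `blackhole` list makes it ignore the listed addresses entirely, which is the named-level equivalent of the firewall rule. The second block is the alternative for a server that is supposed to recurse for customers, where an ACL limits who gets cached answers.

```conf
// --- Authoritative-only server (the case in this thread) ---
// With "recursion no", queries for names outside our zones are refused,
// so only the zones listed below are answered. The
// "query (cache) '...' denied" log line is what named writes when a
// query needs the cache/recursion and the allow-* policy rejects it.
options {
    directory "/var/named";            // placeholder path
    recursion no;                      // never recurse for anyone
    allow-query { any; };              // anyone may ask for our zones
    allow-recursion { none; };         // redundant with recursion no, but explicit
    allow-query-cache { none; };       // never hand out cached answers
    // Drop these sources silently: no answer at all, not even REFUSED.
    // Caveat from the thread: a legitimate resolver at a blackholed
    // address can no longer look up our zones either.
    blackhole { 192.0.2.0/24; };       // placeholder for the abusive address
};

zone "example.com" {                   // placeholder zone
    type master;
    file "example.com.zone";           // placeholder file
};

// --- Alternative: recursive server for customers only ---
// Not both at once: pick this block instead of the one above if the
// server exists to recurse for your own networks.
// acl customers { 10.0.0.0/8; 192.168.0.0/16; };   // placeholder ranges
// options {
//     recursion yes;
//     allow-recursion { customers; };    // only customers may recurse
//     allow-query-cache { customers; };  // only customers see cached data
//     allow-query { any; };              // still authoritative for our zones
// };
```

Check the result before reloading with `named-checkconf`, then from an outside address run `dig @your.server example.net A` for a name you are not authoritative for and confirm the status is REFUSED, while `dig @your.server example.com SOA` still returns the zone's SOA. A host listed in `blackhole` gets no reply at all, so its `dig` will simply time out; that is the expected behaviour, not a fault. Blackholing in named saves the lookup cost of parsing the query, but the firewall rule Denis already applied drops the packet earlier and also covers any other service on the box, so the two are complementary rather than either/or.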