Millions of './ANY/IN' queries denied
Reindl Harald
h.reindl at thelounge.net
Wed Dec 15 13:44:59 UTC 2021
On 15.12.21 at 14:33, Andrew P. wrote:
> So why isn't there a way to tell BIND not to respond to queries for which it clearly is not authoritative (such as these attack vectors)? Since no legitimate resolver would be asking a non-authoritative server for information, why should his (or my) public BIND server respond to these even with an error message?
because in the case of UDP it would make things much worse
how would the client tell that you didn't respond on purpose and
distinguish that from packet loss leading to retries?
------------------
"Since no legitimate resolver would be asking a non-authoritative server
for information" isn't true at all
years ago we moved a server to a different location and all sorts of ISP
resolvers still responded with the old IPs months later; the dumbest one
even played the lottery, responding 50% with the old and 50% with the new IP
I found that out through random complaints because one domain had 60
subdomains, and started to query all open resolvers I was able to find
with scripts - a tragedy
that machine was sadly the primary NS for 800 domains, and over the
months the old IP could have been re-used for a new customer running a
nameserver for completely different domains
------------------
long story short: no sane service should suppress replies completely
unless an explicit blacklist saying so is involved
> ________________________________________
> From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Ondřej Surý <ondrej at isc.org>
> Sent: Wednesday, December 15, 2021 7:18 AM
> To: Danilo Godec
> Cc: bind-users at lists.isc.org
> Subject: Re: Millions of './ANY/IN' queries denied
>
>> Would I be doing a bad thing by using fail2ban to block these IPs?
>
> That’s the question that only you can answer. The IP addresses are
> not the attacker’s but the victims’, and you would be punishing those networks
> by blocking access from them to your network.
>
> Do you absolutely know that these IP addresses don’t need access
> to your DNS? If yes, then go ahead.
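The distinction drawn above, between keeping every reply (so a real client can tell a refusal from packet loss) and dropping only what an explicit list names, maps onto two separate BIND 9 mechanisms. The `named.conf` fragment below is an added example, not text from this mail, the thread or ISC's documentation: response rate limiting keeps answering but throttles and truncates, while `blackhole` drops silently and should only carry a hand-maintained list. The ACL name `confirmed-abusers` and the 192.0.2.0/24 range (RFC 5737 documentation space) are placeholders.

```conf
// Added example for an authoritative-only BIND 9 server; not part of the original mail.
// The acl name and address range are placeholders, not real abuse data.
acl "confirmed-abusers" { 192.0.2.0/24; };

options {
    recursion no;                       // authoritative only: off-zone queries like ./ANY/IN get REFUSED
    allow-query { any; };               // the zones we serve must stay reachable by anyone
    allow-query-cache { none; };
    minimal-responses yes;              // smaller answers, less amplification value

    // Response Rate Limiting: still answers, but at most N identical responses
    // per second per /24 (IPv4) or /56 (IPv6). With slip 2 every second
    // rate-limited response is sent truncated (TC=1) and the rest are dropped,
    // so a real client retries over TCP while a spoofed victim gets far fewer bytes.
    rate-limit {
        responses-per-second 5;
        errors-per-second 5;            // covers REFUSED, i.e. the './ANY/IN' denials
        slip 2;
        window 5;
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        log-only no;                    // set yes first to observe what would be limited
    };

    // Silent drop. Only for an explicit, reviewed list; an automated feed such as
    // fail2ban would put the spoofed victims' networks here, not the attacker.
    blackhole { "confirmed-abusers"; };
};
```

With `log-only yes` BIND logs the decisions it would make without enforcing them, which is the safe way to tune the per-second values before turning limiting on.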