Fw: How to block DNS record scans ? (more info)
Sylvan Andrew
sylvan_nids at norfolk.nf
Mon Apr 25 22:44:49 UTC 2005
Hello,
Wow! Thanks so much to all the people who responded and passed on some
great ideas.
Unfortunately we can't block by source address of the DNS request because
they are using legitimate open DNS servers to do the requests. For nearly every
DNS request they seem to use a different source IP. Regardless of source IP,
the requests follow a logical alphabetical order. I estimated they are using
a pool of more than 20 DNS servers.
One suggestion from Stephan was:
> As a first step... agreed.
> But that shouldn't be the final solution as he will always be one step
> behind a possible attacker. I would strongly suggest an intelligent IDS /
> IPS which recognizes such attacks and blocks them dynamically.
Has anybody had any successful experiences with this?
I don't know much about BIND but it seems a shame that it hasn't got a
'don't bother replying to wanker requests' switch built in.
Any other ideas or a way to achieve this are much appreciated.
Thanks
Sylvan
> Hello,
> Is there anyone who could help us? It would be much appreciated. Two of
> our DNS servers are continually getting scanned with some type of script
> that tries every combination possible from A-Z.
> Rather than limit the amount of DNS requests our servers handle on a time
> basis, is there anyone who knows a way to modify the response to an entry
> record not being found?
> Basically we'd want it so that if it was a valid entry BIND would reply
> straight away; if it was an invalid entry we'd like, rather than an immediate
> 'not found' response, to modify it so it just times out.
> Does anyone have any ideas where in BIND we could modify it to do this?
> Does anyone have any other ideas to combat this problem?
> Thanks for your time.
> Regards
> Sylvan
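An added detection example, not from this thread or from BIND itself, that illustrates the pattern Sylvan describes: lookups for names that do not exist in the zone, arriving in ascending alphabetical order from many different source addresses. The log lines, IP addresses and zone contents are constructed, the query-log regex is a simplified BIND 9 style, and `KNOWN_NAMES` stands in for the real zone's record names.

```python
import re
from collections import defaultdict

# Constructed sample of BIND 9 style query-log lines (simplified; made up for this example).
SAMPLE_LOG = """\
25-Apr-2005 22:40:01.001 client 198.51.100.1#3201: query: aaa.example.net IN A +
25-Apr-2005 22:40:01.120 client 198.51.100.7#5012: query: aab.example.net IN A +
25-Apr-2005 22:40:01.240 client 203.0.113.9#1043: query: aac.example.net IN A +
25-Apr-2005 22:40:01.360 client 198.51.100.3#4410: query: www.example.net IN A +
25-Apr-2005 22:40:01.480 client 203.0.113.21#2200: query: aad.example.net IN A +
25-Apr-2005 22:40:01.600 client 198.51.100.12#3333: query: aae.example.net IN A +
25-Apr-2005 22:40:01.720 client 192.0.2.5#1111: query: mail.example.net IN MX +
"""

# Hypothetical set of names that really exist in the zone (in practice, read from the zone file).
KNOWN_NAMES = {"example.net", "www.example.net", "mail.example.net"}

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")

def parse_queries(log_text):
    """Return (client_ip, qname) tuples parsed from query-log lines; unparseable lines are skipped."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("name").lower().rstrip(".")))
    return out

def zone_of(name):
    """Crude zone cut: the last two labels (good enough for the constructed sample)."""
    return ".".join(name.split(".")[-2:])

def detect_enumeration(queries, known_names, min_queries=5, min_unknown_ratio=0.6, min_sources=3):
    """Flag zones where names absent from the zone arrive in ascending order from many sources."""
    by_zone = defaultdict(list)
    for ip, name in queries:
        by_zone[zone_of(name)].append((ip, name))
    findings = {}
    for zone, entries in by_zone.items():
        unknown = [(ip, n) for ip, n in entries if n not in known_names]
        if len(unknown) < min_queries:
            continue
        names = [n for _, n in unknown]
        ascending = all(a < b for a, b in zip(names, names[1:]))  # alphabetical progression
        ratio = len(unknown) / len(entries)                        # share of would-be NXDOMAINs
        sources = len({ip for ip, _ in unknown})                   # distinct resolvers used
        if ascending and ratio >= min_unknown_ratio and sources >= min_sources:
            findings[zone] = {"unknown": len(unknown), "ratio": round(ratio, 2), "sources": sources}
    return findings
```

Because the scan is spread over a pool of open resolvers, the detection keys on the zone and the ordering of names rather than on any single client address; a real deployment would evaluate this over a sliding time window.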
More information about the bind-users mailing list