Bind ANY ANY Query Denial of Service
Brad Knowles
brad at stop.mail-abuse.org
Wed Aug 10 09:22:38 UTC 2005
At 3:50 PM -0700 2005-08-09, srv1054 at gmail.com wrote:
> The DoS attacks are targeted at our entire IP blocks, and because of
> the above mentioned bug, any of these CPE that happen to get hit will
> forward the DNS request to our caching servers. So it appears we are
> being attacked by our own customer base. When this happens we get
> thousands of queries from thousands of our own IPs that are all
> querying for ANY ANY.
Try blocking these incoming queries to your CPE at the routers.
If these bogus queries can't come in from the outside network, then
the CPE won't forward them to your nameservers, and there is no
problem.
> We've been around a million ways to solve this problem but we need a
> fast way to make BIND not respond to this type of query, until we can
> fix the greater problem which is patching all of the CPE to a version
> that does not allow DNS forwarding from external interfaces. (ya
> pretty dumb)
You want a fast solution? Pay ISC for a support contract, and
I'm sure that they'll help you find a fast solution that will meet
your business needs. Short of that, you're dependent on the open
source community to help you in their Copious Spare Time(tm).
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
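The flood described in this thread shows up on the caching servers as a burst of ANY queries arriving from many customer addresses. As an added example, not part of the original thread, the Python below parses BIND 9 style query-log lines (constructed samples; the exact querylog layout is assumed and may need adjusting for your version) and counts ANY queries per source so the forwarding CPE addresses can be identified and filtered at the routers.

```python
import re
from collections import Counter

# Regex for BIND 9 query-log lines of the form
#   client 192.0.2.10#53123: query: example.com IN ANY + (192.0.2.1)
# (assumed layout; adjust to the querylog format your BIND version emits)
QUERY_RE = re.compile(
    r"client (?P<src>[0-9A-Fa-f.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) "
)


def parse_query(line):
    """Return (source_ip, name, qtype) for a query-log line, or None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("name"), m.group("qtype").upper()


def any_query_sources(lines, threshold):
    """Count ANY queries per source address and return the offenders.

    Returns {source_ip: count} for sources whose ANY-query count is at
    least `threshold`; other query types and unparsable lines are ignored.
    """
    counts = Counter()
    for line in lines:
        parsed = parse_query(line)
        if parsed and parsed[2] == "ANY":
            counts[parsed[0]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample log lines (not real traffic): three ANY queries from
# 192.0.2.10, one from 192.0.2.11, and an ordinary A query from 192.0.2.12.
SAMPLE_LOG = [
    "client 192.0.2.10#51000: query: victim.example IN ANY + (198.51.100.1)",
    "client 192.0.2.10#51001: query: victim.example IN ANY + (198.51.100.1)",
    "client 192.0.2.10#51002: query: victim.example IN ANY + (198.51.100.1)",
    "client 192.0.2.11#52000: query: victim.example IN ANY + (198.51.100.1)",
    "client 192.0.2.12#53000: query: www.example.com IN A + (198.51.100.1)",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for src, n in sorted(any_query_sources(SAMPLE_LOG, threshold=2).items()):
        print(f"{src}: {n} ANY queries")
```

Feed it the real querylog and raise the threshold to whatever a normal customer never reaches; the resulting address list is what you block upstream of the CPE.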