How can I tell in the log if a query was successful or refused due to recursion?
Mark Andrews
Mark_Andrews at isc.org
Thu Dec 15 02:41:04 UTC 2005
> Folks
>
> I'm told that my DNS server is participating in "recursive dns dos
> attack". So I've locked things down I think. More on that to follow as a
> separate posting. So I'm looking at my log entries and I'm seeing the
> same kind of traffic now as before I removed the recursion option.
>
> How can I tell in the log if a query was successful or refused due to
> recursion? An example of my current log follows:
>
> 14-Dec-2005 18:37:24.145 client 216.18.224.133#41538: query: e.tn.co.za ANY ANY +E
> 14-Dec-2005 18:37:25.599 client 216.18.224.133#51561: query: e.tn.co.za ANY ANY +E
> 14-Dec-2005 18:37:26.067 client 216.18.224.133#46417: query: e.tn.co.za ANY ANY +E
> 14-Dec-2005 18:37:27.630 client 216.18.224.133#43677: query: e.tn.co.za ANY ANY +E
> 14-Dec-2005 18:37:28.114 client 216.18.224.133#58498: query: e.tn.co.za ANY ANY +E
>
> Bind 9.3.1 on a Win 2003 Server. Serving as DNS for 23 very low traffic
> domains hosted on that same system.
>
> Thanks, Tony
allow-recursion will let the nameserver return whatever is in
the cache.
allow-query can be used to restrict access to the cache contents
and REFUSED will be returned. If you use allow-query at the options
level don't forget to specify "allow-query { any; };" at the zone
level.
In practice you should report this to your upstream so the forged
traffic can be traced down and stopped.
Implementing BCP (Best Current Practice) 38 (RFC2827) is the way to
stop this sort of abuse.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
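As an added example (not from the thread and not ISC's own configuration), here are the named.conf stanzas Mark's reply describes: the wide-open options block beside one restricted with allow-recursion and allow-query, plus the zone-level allow-query override so the hosted zones still answer the world. The ACL name, the 192.0.2.0/24 prefix and the zone name are placeholders.

```conf
// BEFORE (assumed starting point): recursion and cache lookups open to anyone.
// With no allow-recursion / allow-query, BIND 9.3 defaults both to "any".
options {
    directory "c:\named\etc";      // placeholder path
    recursion yes;
};

// AFTER: the configuration Mark's reply describes.
acl "trusted" {                    // placeholder ACL: hosts allowed to use the cache
    127.0.0.1;
    192.0.2.0/24;                  // placeholder local network prefix
};

options {
    directory "c:\named\etc";      // placeholder path
    recursion yes;
    allow-recursion { trusted; };  // only trusted clients get recursive service
    allow-query { trusted; };      // everyone else is REFUSED for cache contents
};

// Because allow-query was set at the options level, each authoritative zone
// must re-open queries explicitly, otherwise the world is refused for it too.
zone "example.net" {               // placeholder for one of the hosted zones
    type master;
    file "example.net.zone";       // placeholder file name
    allow-query { any; };          // authoritative data stays public
};
```

The query log lines quoted in the thread record only the incoming question, so the effect of these stanzas shows up as REFUSED responses on the wire (visible with a packet capture or a client such as dig) rather than as a status in the "query:" log entry.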