Is my BIND setup now not allowing "recursive dns dos attack"

Tony Toews tony at granite.ab.ca
Thu Dec 15 02:20:37 UTC 2005


Folks

My web server is being used for a "recursive dns dos attack" according to my 
upstream ISP.   I've been doing a lot of research and some 
reconfiguring.  I've set up the following in the named.conf file.   However, 
there are still some very suspicious log entries.

Note that evergreeneco.com is not one of my domains, although 
evergreeneco.ca is one of them.

Tony

========================================================
log file

14-Dec-2005 19:15:10.785 client 206.141.192.45#41604: query: 
evergreeneco.com IN A -E
14-Dec-2005 19:15:10.847 client 206.141.193.72#24127: query: 
evergreeneco.com IN A -E
14-Dec-2005 19:15:10.910 client 206.141.193.72#24127: query: 
evergreeneco.com IN A -E
14-Dec-2005 19:15:14.644 client 206.141.192.45#41604: query: 
evergreeneco.com IN A -E
14-Dec-2005 19:15:14.706 client 206.141.192.45#41604: query: 
evergreeneco.com IN A -E
14-Dec-2005 19:15:14.769 client 206.141.193.72#24127: query: 
evergreeneco.com IN A -E
14-Dec-2005 19:15:14.831 client 206.141.193.72#24127: query: 
evergreeneco.com IN A -E

===========================================================
named.conf file

/* Named ACL used by allow-transfer below. "localhost" is BIND's built-in ACL
   matching the addresses of this machine's own network interfaces. */
acl mynameservers {localhost;};
/* Disabled ACL that would match every client. Nothing in the configuration
   shown references it; presumably it was once used to permit recursion.
   Keep it disabled on an authoritative-only server. */
/* acl myrecursers {any;}; */

/* Global options: the server is set up as authoritative-only. */
options
{
     /* Working directory; relative file names (zone files) resolve here. */
     directory "C:\serversw\bind\etc";
     /* Zone transfers are granted only to addresses in the mynameservers
        ACL, i.e. this host itself.
        NOTE(review): the zone lists ns2.granite.ab.ca as a name server; if
        that is a separate slave it would be refused transfers -- confirm. */
     allow-transfer {mynameservers;};
     /* Never recurse on behalf of clients, so the server cannot be used as
        an open recursive resolver. */
     recursion no;
     /* Do not fill the additional section from other zones or from the
        cache. Per the BIND 9 ARM these two are honoured only together with
        "recursion no", and additional-from-cache no also stops the cache
        being used when looking up the answer itself. */
     additional-from-auth no;
     additional-from-cache no;
     /* Report an empty string instead of the real version in answer to
        version.bind queries. */
     version "";
};

/* remove/add the comment delimiters below to activate/deactivate logging */

/* Logging: the default and query categories share one timestamped file. */
logging
{
  /* File channel at debug severity; print-time prefixes each entry with the
     date and time.
     NOTE(review): no "versions"/"size" limit is set on the file, so under a
     query flood the log can grow without bound -- consider adding one. */
  channel my_file {file "C:\Data\logs\bind dns\dns.log"; severity debug; 
print-time yes; };
  category default {my_file;};
  /* Query logging records every query received, whether or not it is then
     answered, so a logged query is not by itself evidence of recursion.
     In each entry a "+" after the record type means the client asked for
     recursion and "-" means it did not; "E" marks an EDNS query. */
  category queries {my_file;};
  /* Discard lame-server messages instead of logging them. */
  category lame-servers { null;};
};


/* Root hints zone.
   NOTE(review): with recursion disabled the hints are not needed to serve
   evergreeneco.ca; check how this BIND version answers queries for names
   outside its zones (REFUSED versus a referral). */
zone "." {type hint; file "db.cache"; };
/* The only zone in the configuration shown for which this server is
   master (authoritative). */
zone "evergreeneco.ca"   {type master; file "db.evergreeneco.ca.txt";};

============================================
evergreeneco.ca.txt file

;forward zone file: evergreeneco.ca
; "@" stands for the zone origin throughout this file.
;
; default TTL for records without an explicit TTL: 86400 s (one day)
$TTL 86400
; SOA: primary name server ns1.granite.ab.ca., responsible mailbox written
; in DNS form as ttoews.mvps.org. (the first dot stands for "@")
@ SOA ns1.granite.ab.ca. ttoews.mvps.org. (
  2005112701	; zone serial number in ccyymmddxx format
  3600		; refresh: how often a slave polls the master for the SOA serial
  1800		; retry: how soon a slave re-polls an unreachable master
  1209600        ; expire: slave drops the zone after the master is unreachable this long (14 days)
  3600 		; TTL for negative answers
  )
;
;nameservers
; NOTE(review): allow-transfer in named.conf admits only localhost; if ns2 is
; a separate machine, confirm how it obtains this zone.
@ NS	ns1.granite.ab.ca.
@ NS	ns2.granite.ab.ca.
;
;mail
@ MX 10 mail				; internet sends mail here
;
; every host name below points at the same address
@	A	216.123.231.118		; for URL without www prefix
mail	A	216.123.231.118		; email
www	A	216.123.231.118		; www
ftp	A	216.123.231.118		; ftp
;
; following are SPF lines common to all
; NOTE(review): RFC 7208 advises against publishing the "ptr" mechanism.
@	TXT	"v=spf1 a mx ptr -all"	; spf
mail	TXT	"v=spf1 a -all"		; spf
; NOTE(review): the owner name below is fully qualified and lies outside
; evergreeneco.ca, so named should treat it as out-of-zone data and ignore
; it when loading; it would have to be published in the interbaun.com zone.
118.216-123-231-0.interbaun.com. IN TXT "v=spf1 a -all" ; spf

-----
Tony Toews, Microsoft Access MVP
Microsoft Access Links, Hints, Tips & Accounting Systems at
    http://www.granite.ab.ca/accsmstr.htm


