Is my BIND setup now not allowing "recursive dns dos attack"
Tony Toews
tony at granite.ab.ca
Thu Dec 15 02:20:37 UTC 2005
Folks
My web server is being used for "recursive dns dos attack" according to my
upstream ISP. I've been doing a lot of research and some
reconfiguring. I've set up the following in the named.conf file. However
there are still some very suspicious log entries.
Note that evergreeneco.com is not one of my domains although
evergreeneco.ca is one of the domains.
Tony
========================================================
log file
14-Dec-2005 19:15:10.785 client 206.141.192.45#41604: query: evergreeneco.com IN A -E
14-Dec-2005 19:15:10.847 client 206.141.193.72#24127: query: evergreeneco.com IN A -E
14-Dec-2005 19:15:10.910 client 206.141.193.72#24127: query: evergreeneco.com IN A -E
14-Dec-2005 19:15:14.644 client 206.141.192.45#41604: query: evergreeneco.com IN A -E
14-Dec-2005 19:15:14.706 client 206.141.192.45#41604: query: evergreeneco.com IN A -E
14-Dec-2005 19:15:14.769 client 206.141.193.72#24127: query: evergreeneco.com IN A -E
14-Dec-2005 19:15:14.831 client 206.141.193.72#24127: query: evergreeneco.com IN A -E
===========================================================
named.conf file
acl mynameservers {localhost;};
/* acl myrecursers {any;}; */
options
{
    directory "C:\serversw\bind\etc";
    allow-transfer {mynameservers;};
    recursion no;
    additional-from-auth no;
    additional-from-cache no;
    version "";
};
/* remove/add the comment delimiters below to activate/deactivate logging */
logging
{
    channel my_file {
        file "C:\Data\logs\bind dns\dns.log";
        severity debug;
        print-time yes;
    };
    category default {my_file;};
    category queries {my_file;};
    category lame-servers { null;};
};
zone "." {type hint; file "db.cache"; };
zone "evergreeneco.ca" {type master; file "db.evergreeneco.ca.txt";};
============================================
evergreeneco.ca.txt file
;forward zone file: evergreeneco.ca
;
$TTL 86400
@ SOA ns1.granite.ab.ca. ttoews.mvps.org. (
2005112701 ; zone serial number in ccyymmddxx format
3600 ; slave polls master for SOA/serial number
1800 ; slave re-polls unreachable master
1209600 ; slave expires zone after master unreachable
3600 ; TTL for negative answers
)
;
;nameservers
@ NS ns1.granite.ab.ca.
@ NS ns2.granite.ab.ca.
;
;mail
@ MX 10 mail ; internet sends mail here
;
@ A 216.123.231.118 ; for URL without www prefix
mail A 216.123.231.118 ; email
www A 216.123.231.118 ; www
ftp A 216.123.231.118 ; ftp
;
; following are SPF lines common to all
@ TXT "v=spf1 a mx ptr -all" ; spf
mail TXT "v=spf1 a -all" ; spf
118.216-123-231-0.interbaun.com. IN TXT "v=spf1 a -all" ; spf
-----
Tony Toews, Microsoft Access MVP
Microsoft Access Links, Hints, Tips & Accounting Systems at
http://www.granite.ab.ca/accsmstr.htm
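
The following is an added example, not part of the original post: a small triage script for a BIND query log in the format shown above, counting queries for names outside the zones the server is authoritative for, per client, and recording whether the client asked for recursion (in BIND 9 query logs the first flag character is "+" when the RD bit is set and "-" when it is not). The names SERVED_ZONES, SAMPLE_LOG, in_served_zone and summarize are assumptions of this example, and the sample log is constructed from the entries in the post plus one made-up in-zone query from a documentation address.

```python
import re
from collections import Counter

# Zones this server is authoritative for (taken from the named.conf in the post).
SERVED_ZONES = ("evergreeneco.ca",)

# Constructed sample: three entries from the post, one line each,
# plus one made-up in-zone query (192.0.2.10) for contrast.
SAMPLE_LOG = """\
14-Dec-2005 19:15:10.785 client 206.141.192.45#41604: query: evergreeneco.com IN A -E
14-Dec-2005 19:15:10.847 client 206.141.193.72#24127: query: evergreeneco.com IN A -E
14-Dec-2005 19:15:14.644 client 206.141.192.45#41604: query: evergreeneco.com IN A -E
14-Dec-2005 19:15:14.900 client 192.0.2.10#5353: query: www.evergreeneco.ca IN A +
"""

# Matches the "client IP#port: query: NAME CLASS TYPE FLAGS" part of a line.
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)

def in_served_zone(qname, zones=SERVED_ZONES):
    """True if qname equals a served zone or is a subdomain of one."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)

def summarize(log_text, zones=SERVED_ZONES):
    """Count out-of-zone queries per (client IP, qname, recursion desired)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or in_served_zone(m["qname"], zones):
            continue  # unparsable line, or a query the server should answer
        # First flag character: '+' = recursion desired, '-' = RD not set.
        rd = m["flags"].startswith("+")
        counts[(m["ip"], m["qname"].lower(), rd)] += 1
    return counts

if __name__ == "__main__":
    for (ip, qname, rd), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {ip:15s}  {qname}  recursion-desired={rd}")
```

Wrapped log entries, as in the mail archive, need to be re-joined onto one line each before parsing.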