change in reverse dns lookup behavior
Kevin Darcy
kcd at daimlerchrysler.com
Sat May 14 03:39:26 UTC 2005
Stafford, Paige L. wrote:
>210.146.35.35 stepped through our entire 128.219/16 address space
>yesterday asking for reverse DNS lookups. It started at 16:06 and ended
>at 20:34. This is the equivalent of a zone transfer.
>
Which in my mind only shows the futility of limiting "real" (AXFR) zone
transfers. All that does is heighten curiosity and induce the miscreants
to use other, more-intrusive methods to get at the data.

>I'm looking for a clever way of stopping this. And if we can't, we want
>to at least slow it down. Creating dummy records for the unused IP
>addresses has not been effective.
>
>*Any* ideas you have would be most welcome.
>
If you know the source address ahead of time, you can of course just
"blackhole" it. If you want to dynamically respond to this form of
abuse, then you need something like an IDS, as Barry mentioned.
- Kevin
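
The dynamic, IDS-style detection mentioned in the reply above, as an added example that is not part of the original message: it flags any client that reverse-resolves many distinct addresses under 128.219. within a short sliding window. The log line shape, the function names, the window and threshold values, and the second client 192.0.2.10 are assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque

# Assumed log shape (constructed for this example, loosely modelled on BIND
# query logging): "<epoch> client <ip>#<port>: query: <name> IN PTR"
LINE_RE = re.compile(r"^(?P<ts>\d+) client (?P<ip>[\d.]+)#\d+: query: "
                     r"(?P<rev>\d+\.\d+\.\d+\.\d+)\.in-addr\.arpa\.? IN PTR\b")

def find_ptr_sweepers(lines, prefix="128.219.", window=60, threshold=50):
    """Map each client to the most distinct addresses under `prefix` it
    reverse-resolved within any `window` seconds, if that reaches `threshold`.
    Lines must be in time order."""
    recent = defaultdict(deque)                       # client -> (ts, target)
    seen = defaultdict(lambda: defaultdict(int))      # client -> target -> hits
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                  # not an IPv4 PTR query
        target = ".".join(reversed(m["rev"].split(".")))  # undo PTR reversal
        if not target.startswith(prefix):
            continue
        ts, client = int(m["ts"]), m["ip"]
        q, hits = recent[client], seen[client]
        q.append((ts, target))
        hits[target] += 1
        while q and q[0][0] <= ts - window:           # expire old queries
            _, old = q.popleft()
            hits[old] -= 1
            if hits[old] == 0:
                del hits[old]
        if len(hits) >= threshold:
            flagged[client] = max(flagged.get(client, 0), len(hits))
    return flagged

def sample_log(n=200):
    """Constructed input: one client walks n consecutive addresses at one
    query per second; a second client (192.0.2.10, a documentation address)
    repeats the same three lookups."""
    out = []
    for i in range(n):
        ts = 1000 + i
        out.append(f"{ts} client 210.146.35.35#4321: query: "
                   f"{i % 256}.{i // 256}.219.128.in-addr.arpa IN PTR")
        out.append(f"{ts} client 192.0.2.10#5353: query: "
                   f"{10 + i % 3}.1.219.128.in-addr.arpa IN PTR")
    return out

if __name__ == "__main__":
    print(find_ptr_sweepers(sample_log()))
```

Counting distinct targets rather than raw query volume keeps a busy resolver that repeats a few lookups below the threshold, while a walk of the address space crosses it quickly.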
More information about the bind-users
mailing list