Deny query from a single IP

Jeff Lightner jlightner at water.com
Thu Feb 26 18:02:45 UTC 2009


The point of the ACL is that it allows you to grow the list of servers
without cluttering up the Options section.

-----Original Message-----
From: Prabhat Rana [mailto:prana9533 at yahoo.com] 
Sent: Thursday, February 26, 2009 12:43 PM
To: Eric C. Davis; Jeff Lightner
Cc: bind-users at lists.isc.org
Subject: RE: Deny query from a single IP


Thanks Eric. Using the blackhole option sounds like a feasible option to block
an IP address. Instead of using the acl, can I just use the option
blackhole { xx.xx.xx.xx; };

The idea is to use the File::Tail perl module in a script to tail the stat
file continuously and, if the condition occurs, pick the source IP
address and insert the line
blackhole { xx.xx.xx.xx; };
in the named.conf under options and reload the configuration.

During these attacks we've experienced that named basically hangs
because it gets flooded with queries. With the blackhole option the
recursion part to the internet from such queries can be avoided, but we can't
avoid the incoming queries from the attacker. So we will need to test
this to determine how effective it is.



--- On Thu, 2/26/09, Jeff Lightner <jlightner at water.com> wrote:

> From: Jeff Lightner <jlightner at water.com>
> Subject: RE: Deny query from a single IP
> To: "Eric C. Davis" <eric at mail.rockefeller.edu>, prana9533 at yahoo.com
> Cc: bind-users at lists.isc.org
> Date: Thursday, February 26, 2009, 10:38 AM
> That being said you CAN do what you asked:
> 
> Create an ACL in named.conf:
> 
> # Blackhats ACL - addresses to be used in the blackhole statement -
> # will prevent them from being allowed to query and will not respond to them.
> acl "blackhats" {
>         xx.xx.xx.xx;
> };
> 
> (Where you put the specific IP in place of the xx.xx.xx.xx.)
> 
> Then in the options section add a line to use the ACL:
>         blackhole { blackhats; };
> 
> -----Original Message-----
> From: bind-users-bounces at lists.isc.org
> [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Eric
> C. Davis
> Sent: Thursday, February 26, 2009 11:24 AM
> To: prana9533 at yahoo.com
> Cc: bind-users at lists.isc.org
> Subject: Re: Deny query from a single IP
> 
> It is better to do this with a real IPS rather than use your DNS server to
> do this.  You should avoid having any unwanted traffic hit your DNS
> servers ever.
> 
> Eric
> Prabhat Rana wrote:
> > Hello,
> > I have BIND 9.5 running on a Solaris 10 box. It provides recursive DNS
> > service. I'm trying to implement a script where it reads the BIND stats
> > file for all the incoming queries and if there are too many queries from
> > a single user (source IP) it will block queries from that particular IP.
> > In order for this to occur, is there a parameter similar to allow-query
> > that I can inject into the named.conf to block queries from a single IP
> > address when this condition occurs? Basically I'm trying to add a tool
> > to detect potential DoS attacks where we see too many queries from one
> > single IP. Any other suggestions would also be appreciated.
> >
> > Thanks
> > Prabhat.
> >
> > _______________________________________________
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> >   
> 
>  
> Please consider our environment before printing this e-mail
> or attachments.
> ----------------------------------
> CONFIDENTIALITY NOTICE: This e-mail may contain privileged
> or confidential information and is for the sole use of the
> intended recipient(s). If you are not the intended
> recipient, any disclosure, copying, distribution, or use of
> the contents of this information is prohibited and may be
> unlawful. If you have received this electronic transmission
> in error, please reply immediately to the sender that you
> have received the message in error, and delete it. Thank
> you.
> ----------------------------------
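A worked version of the script Prabhat describes, written here as an added example; it is not code from the thread or from ISC. It assumes, which the page does not say, that the per-client counts come from BIND's query log (logging category `queries`), because that is the log that carries a client address on every line; the sample log lines, the `blackhats` ACL name, the file path, the allowlist and the threshold are all illustrative values. The generated file is meant to be pulled into named.conf with `include "/etc/named/blackhats.acl";` and Jeff's `blackhole { blackhats; };` in `options`. The script rewrites one ACL instead of inserting `blackhole` lines because `options` takes a single `blackhole` statement, so the list of addresses has to grow inside the ACL, which is the point Jeff makes above.

```python
#!/usr/bin/env python3
"""Added example: build a BIND 'blackhats' ACL from a window of query-log lines.

Assumed query-log line shape (BIND 'queries' category; sample lines below are
constructed, not taken from the thread):
    26-Feb-2009 12:43:01.001 client 198.51.100.7#40001: query: a1.example.net IN A +
Assumed named.conf wiring (illustrative path and ACL name):
    include "/etc/named/blackhats.acl";
    options { blackhole { blackhats; }; ... };
"""
import os
import re
import subprocess
import sys
from collections import Counter

# "client <address>#<port>: query:" is the part of a query-log line we need.
CLIENT_RE = re.compile(r"\bclient\s+([0-9A-Fa-f.:]+)#\d+: query:")

# Never blackhole your own resolvers, forwarders, secondaries or monitoring:
# a blackholed address is also never used to resolve a query. Illustrative.
NEVER_BLOCK = {"127.0.0.1", "::1", "192.0.2.1"}

QUERY_THRESHOLD = 1000                  # queries per window; illustrative
ACL_NAME = "blackhats"
ACL_PATH = "/etc/named/blackhats.acl"   # illustrative path

# Constructed sample window: one source sends three queries, the allowlisted
# nameserver sends three, a normal client sends one, plus a non-query line.
SAMPLE_LOG = """\
26-Feb-2009 12:43:01.001 client 198.51.100.7#40001: query: a1.example.net IN A +
26-Feb-2009 12:43:01.002 client 192.0.2.10#53214: query: www.example.com IN A +
26-Feb-2009 12:43:01.003 client 198.51.100.7#40002: query: a2.example.net IN A +
26-Feb-2009 12:43:01.004 general: info: zone example.com/IN: loaded serial 2009022601
26-Feb-2009 12:43:01.005 client 192.0.2.1#1053: query: ns.example.com IN A +
26-Feb-2009 12:43:01.006 client 198.51.100.7#40003: query: a3.example.net IN A +
26-Feb-2009 12:43:01.007 client 192.0.2.1#1054: query: ns.example.com IN AAAA +
26-Feb-2009 12:43:01.008 client 192.0.2.1#1055: query: ns.example.com IN MX +
""".splitlines()


def client_of(line):
    """Client address from one query-log line, or None for any other line
    (other logging categories may share the same file)."""
    m = CLIENT_RE.search(line)
    return m.group(1) if m else None


def count_clients(lines):
    """Queries per source address over the given lines."""
    counts = Counter()
    for line in lines:
        ip = client_of(line)
        if ip is not None:
            counts[ip] += 1
    return counts


def offenders(counts, threshold=QUERY_THRESHOLD, never_block=NEVER_BLOCK):
    """Addresses at or over the threshold, minus the allowlist, sorted so
    that the same data always renders the same file."""
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in never_block)


def render_acl(ips, name=ACL_NAME):
    """Render the acl block. With nothing to block we emit 'none' (the
    built-in match-nothing ACL) so the include stays valid named.conf."""
    body = "\n".join("    %s;" % ip for ip in ips) if ips else "    none;"
    return 'acl "%s" {\n%s\n};\n' % (name, body)


def write_acl(text, path=ACL_PATH):
    """Write via temp file + rename so named never reads a half-written ACL."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(text)
    os.replace(tmp, path)


def demo(threshold=3):
    """Run the pipeline over the constructed sample with a low threshold."""
    return render_acl(offenders(count_clients(SAMPLE_LOG), threshold))


def main(argv):
    log_path = argv[1] if len(argv) > 1 else "/var/log/named/query.log"
    with open(log_path) as f:
        bad = offenders(count_clients(f))
    write_acl(render_acl(bad))
    # 'rndc reconfig' re-reads named.conf (and the included ACL) without
    # reloading every zone, so it is cheaper than a full 'rndc reload'.
    subprocess.run(["rndc", "reconfig"], check=True)
    print("blackholed %d address(es): %s" % (len(bad), ", ".join(bad)))


if __name__ == "__main__":
    main(sys.argv)
```

Run it over a rotated chunk of the query log (`python3 blackhats.py /var/log/named/query.log`), or feed it the lines a tail loop has collected for the last interval; the threshold has to be tuned against your normal per-client peak or the script will blackhole a busy but legitimate resolver. Two caveats a practitioner should weigh before automating this. First, most queries arrive over UDP and the source address is whatever the sender put there, so an attacker who wants a particular client or upstream blackholed only has to spoof that address; the allowlist limits the damage, it does not remove it. Second, as Prabhat notes, `blackhole` stops named from answering or recursing for those addresses but named still has to receive and discard every packet, so the relief under a real flood comes from dropping the traffic before it reaches the server, which is Eric's point about doing this in an IPS or packet filter.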