denied NS/IN
Scott Haneda
talklists at newgeo.com
Wed Jan 21 01:54:47 UTC 2009
On Jan 20, 2009, at 5:44 PM, Mark Andrews wrote:
> In message <232B45F8-ACD3-427A-95E9-BC3CA5FC9499 at newgeo.com>, Scott
> Haneda writ
> es:
>> Hello, looking at my logs today, I am getting hammered with these:
>> 20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517:
>> query (cache) './NS/IN' denied
>> 20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593:
>> query (cache) './NS/IN' denied
>>
>> Repeated over and over, how do I tell what they are, and if they are
>> bad, what is the best way to block them?
>> --
>> Scott
>
> You should talk to your ISP to chase the traffic back to
> its source and get BCP 38 implemented there. BCP 38 is ~10
> years old now. There is no excuse for not filtering spoofed
> traffic.
>
> If the source doesn't want to implement BCP 38 then de-peering
> the source should be considered.
Is BCP 38 really as solid and plug and play as it sounds? In a
shared, or colo'd environment, can that ISP really deploy something
like this, without it causing trouble for those that assume unfettered
inbound and outbound traffic to their servers?
--
Scott
More information about the bind-users
mailing list