denied NS/IN
Nathan Ollerenshaw
chrome at stupendous.net
Fri Jan 23 18:36:37 UTC 2009
On 21/01/2009, at 10:40 AM, Scott Haneda wrote:
> Hello, looking at my logs today, I am getting hammered with these:
> 20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517: query (cache) './NS/IN' denied
> 20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593: query (cache) './NS/IN' denied
>
> Repeated over and over, how do I tell what they are, and if they are
> bad, what is the best way to block them?
> --
> Scott
Scott,
As you know, these are spoofed queries, created in the hope that you
will reflect traffic back to these IPs to assist in DDoSing them.
Patrik Rak posted to my blog an iptables rule, which is useful for
those of us running linux, that drops this specific type of recursive
query; namely IN NS queries against '.'.
# u32: 0>>22&0x3C = IHL*4 (start of UDP header); @12>>16 -> QDCOUNT == 1; @20>>24 -> first QNAME byte is 0 (root); @21 -> QTYPE NS (2) / QCLASS IN (1)
iptables -A INPUT -j DROP -p udp --dport domain -m u32 --u32 \
"0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
I've tested it, and it appears effective. I now have blessed silence
in my logfiles.
Ideally it'd be great to be able to track back through the internet
and get every single network operator to implement BCP 38, but while
that's getting done (and good luck with that), you at least have a
workaround.
At least until the kiddies change what kind of query they use ... god
forbid they work out what names an authoritative nameserver WILL
respond to and query that.
Hope this helps,
Nathan.
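As an added illustration (not part of the post, and not Patrik Rak's rule itself), the Python below does two things the thread asks for: it counts the denied './NS/IN' cache queries per source address from BIND log lines in the format Scott quoted, and it re-implements, byte for byte, the three tests the u32 match performs (IHL-relative offsets into the UDP payload) so you can see which packets the rule drops and which it lets through. The log lines are constructed in the style of the quoted ones; the destination address 192.0.2.53 and the second client in the log sample are assumptions, not taken from the post.

```python
import ipaddress
import re
import struct
from collections import Counter

# Constructed sample, in the "security: info" format quoted in the thread.
# The first two client addresses/ports are from the post; the others are made up.
SAMPLE_LOG = """\
20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517: query (cache) './NS/IN' denied
20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593: query (cache) './NS/IN' denied
20-Jan-2009 15:39:07.102 security: info: client 66.230.160.1#48517: query (cache) './NS/IN' denied
20-Jan-2009 15:39:07.530 security: info: client 198.51.100.7#5353: query (cache) 'example.com/A/IN' denied
"""

DENIED_RE = re.compile(
    r"client (?P<ip>[0-9.]+)#(?P<port>\d+): query \(cache\) '(?P<q>[^']*)' denied")


def count_denied(log_text, query="./NS/IN"):
    """Count, per source IP, the denied cache queries whose name/type/class equals `query`."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m and m.group("q") == query:
            hits[m.group("ip")] += 1
    return hits


def build_dns_query(name, qtype, qclass=1, txid=0x1234):
    """Build a minimal DNS query (standard query, RD set, one question). '.' is the root."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # QDCOUNT=1
    return header + qname + struct.pack("!HH", qtype, qclass)


def build_packet(payload, src="66.230.160.1", dst="192.0.2.53",
                 sport=48517, dport=53, options=b""):
    """Wrap a DNS payload in an IPv4+UDP header (checksums left at zero; IP options optional)."""
    ihl_words = 5 + len(options) // 4
    total_len = ihl_words * 4 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip + options + udp + payload


def u32_root_ns_match(packet):
    """Same test as the u32 expression in the iptables rule, on a raw IPv4 packet."""
    if len(packet) < 4:
        return False
    # "0>>22&0x3C": 32 bits at offset 0, shifted and masked, yields IHL*4 = UDP header offset.
    udp_off = (struct.unpack("!I", packet[:4])[0] >> 22) & 0x3C
    # The last test reads 4 bytes at UDP offset 21; u32 fails on packets too short for that.
    if udp_off < 20 or len(packet) < udp_off + 25:
        return False

    def word(off):  # "@off": 4 bytes at the given offset relative to the UDP header
        return struct.unpack("!I", packet[udp_off + off:udp_off + off + 4])[0]

    # "@12>>16=1": UDP offset 12 = DNS offset 4 = QDCOUNT|ANCOUNT; top 16 bits are QDCOUNT.
    if word(12) >> 16 != 1:
        return False
    # "@20>>24=0": UDP offset 20 = DNS offset 12 = first QNAME byte; 0 means the root name.
    if word(20) >> 24 != 0:
        return False
    # "@21=0x00020001": QTYPE=NS (2) followed by QCLASS=IN (1).
    return word(21) == 0x00020001


if __name__ == "__main__":
    print(count_denied(SAMPLE_LOG))
    print(u32_root_ns_match(build_packet(build_dns_query(".", 2))))           # root NS/IN
    print(u32_root_ns_match(build_packet(build_dns_query("example.com", 1)))) # ordinary A query
```

Note that the match keys on the exact question (root, NS, IN) and nothing else, so a query for '.' with QTYPE ANY, or for a zone the server is authoritative for, passes straight through, which is the caveat in the post.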