Script-kiddie / client <IP> query (cache) '<host>/MX/IN' denied

Lightner, Jeff jlightner at water.com
Tue Aug 3 19:21:59 UTC 2010


Blackhole isn't better IMHO because I found in the past that they still try your server ad nauseam even though they're blocked - blocking at iptables is doing it at kernel level before BIND. However it does work and is certainly one way to do it, especially on systems that don't have their own firewall. Also blackhole only affects DNS traffic - iptables will let you drop all packets from the source site if you want.

-----Original Message-----
From: bind-users-bounces+jlightner=water.com at lists.isc.org [mailto:bind-users-bounces+jlightner=water.com at lists.isc.org] On Behalf Of Denis BUCHER
Sent: Tuesday, August 03, 2010 3:10 PM
To: wllarso
Cc: bind-users at isc.org
Subject: Re: Script-kiddie / client <IP> query (cache) '<host>/MX/IN' denied

On 03.08.2010 18:28, wllarso wrote:
>> This seems to be due to a script-kiddie.
>> I would like to know if I can block hosts doing that at the level of
>> /etc/hosts.allow or should I do it at the level of BIND itself?
>> And sorry if this is not 100% on topic, I know it's at the border
>> between BIND and OS...
>
> On topic question.  Don't worry.
>
> You could always use the "blackhole" directive in the BIND configuration
> to avoid responding to this address.

Do you think it is better than or equal to the firewall solution?

> This will prevent your server from
> responding to queries from this address.  See the BIND ARM for more info
> about how to use this.  The problem is that this solution would prevent a
> DNS server at this address from querying your server for legitimate
> purposes.  (Quickly, this address doesn't appear to be running a DNS server
> at the moment.)

Yes ;-)

> Then again, if you are running a firewall on your server (or in front of
> it), you could always block traffic from this address as an alternative
> too.  This way your DNS server would never even see these queries to have
> to block.

Yes, that's what I did for the moment...

> But as a more complete solution, is this an authoritative server for some
> zone(s) that you are responsible for, or is this a recursive server for
> your customers?

It is an authoritative server for some domains, yes...

> If it is an authoritative server, then you should have it
> configured to not answer recursive queries for everyone in the world.

Yes, that would be interesting; does it mean that only authoritative 
zones would be allowed in queries? In fact it seems it does not answer 
any query, as in the logs it says "denied". Am I right on this point or 
not?

> If
> it is a recursive server, then you should be limiting who can query it and
> not respond to non-authorized queries.  You can use the BIND "view" to
> limit who is getting what from your server.
>
> Your logs indicate that this query was denied, so you may already have
> your server configured to not answer these queries from this address, so
> the last paragraph may not apply.

Ok

> But, it is worth looking at your
> configuration just to confirm your server is "reasonably" configured.

Ok I will check for that...

Thanks a lot for your advice; it makes things a little clearer for me 
now :-)

Denis
_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
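Added example, not code from the thread or from ISC: a small POSIX shell script that reads the kind of "query (cache) '<host>/MX/IN' denied" lines in the subject, counts them per client address, and emits both blocking mechanisms discussed above for the repeat offenders, a named.conf "blackhole" clause and equivalent iptables DROP rules. The log lines are constructed (RFC 5737 documentation addresses, made-up names), the threshold is a hypothetical policy choice, and the iptables commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example (not from the thread): mine named's "query ... denied" log
# lines for repeat offenders and emit the two blocking mechanisms discussed,
# a named.conf "blackhole" clause and equivalent iptables rules. Everything
# below is constructed: the log lines are made up and use RFC 5737
# documentation addresses; the threshold is a hypothetical policy choice.

# Constructed sample of named's log. Line 5 uses the newer
# "client @0x... IP#port (name):" prefix, line 6 is an ordinary query-log
# entry and line 9 is an update refusal; only "query ... denied" lines count.
SAMPLE_LOG=$(cat <<'EOF'
Aug  3 15:01:02 ns1 named[1234]: client 192.0.2.10#53211: query (cache) 'example.com/MX/IN' denied
Aug  3 15:01:03 ns1 named[1234]: client 192.0.2.10#53212: query (cache) 'example.net/MX/IN' denied
Aug  3 15:01:09 ns1 named[1234]: client 198.51.100.7#4242: query (cache) 'example.org/A/IN' denied
Aug  3 15:01:15 ns1 named[1234]: client 203.0.113.5#1053: query (cache) 'example.com/MX/IN' denied
Aug  3 15:01:20 ns1 named[1234]: client @0x7f3c1c0a1230 192.0.2.10#53213 (example.com): query (cache) 'example.com/MX/IN' denied
Aug  3 15:01:21 ns1 named[1234]: client 203.0.113.5#1054: query: example.com IN MX -E (198.51.100.1)
Aug  3 15:01:30 ns1 named[1234]: client 192.0.2.10#53214: query (cache) 'example.net/A/IN' denied
Aug  3 15:01:44 ns1 named[1234]: client 203.0.113.5#1055: query (cache) 'example.org/MX/IN' denied
Aug  3 15:02:00 ns1 named[1234]: client 198.51.100.7#4243: update 'example.com/IN' denied
EOF
)

# denied_offenders LOG THRESHOLD
# Print, one per line and sorted, every client address with at least
# THRESHOLD denied queries in LOG. Matches both the old "client IP#port:"
# and the newer "client @0x... IP#port (name):" prefixes, and both
# "query (cache)" (recursion refused) and plain "query" (allow-query
# refused) denials; anything else, e.g. an update refusal, is ignored.
denied_offenders() {
    printf '%s\n' "$1" |
    sed -n "s/.*client \(@0x[0-9a-fA-F]* \)\{0,1\}\([0-9A-Fa-f.:]*\)#[0-9]*.*: query \((cache) \)\{0,1\}'[^']*' denied.*/\2/p" |
    sort | uniq -c |
    awk -v t="$2" '$1 >= t { print $2 }' |
    sort
}

# render_blackhole (addresses on stdin, one per line)
# Emit a named.conf "blackhole" clause: named ignores queries from these
# addresses, but the packets still reach it, as the reply above points out.
render_blackhole() {
    printf 'blackhole {\n'
    while read -r ip || [ -n "$ip" ]; do
        if [ -n "$ip" ]; then printf '    %s;\n' "$ip"; fi
    done
    printf '};\n'
}

# render_iptables (addresses on stdin, one per line)
# Emit iptables rules that drop every packet from each address in the kernel,
# before named ever sees it. Printed for review, not executed.
render_iptables() {
    while read -r ip || [ -n "$ip" ]; do
        if [ -n "$ip" ]; then printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"; fi
    done
}

# Stand-alone demo: anyone with three or more denied queries is listed
# both ways.
offenders=$(denied_offenders "$SAMPLE_LOG" 3)
printf '%s\n' "$offenders" | render_blackhole
printf '%s\n' "$offenders" | render_iptables
```

On the constructed sample, 192.0.2.10 is the only address over the threshold of three; the single-hit and two-hit clients and the non-query "denied" line are left alone. Either output block deals with the noise, not with the question wllarso raises: on an authoritative-only server the setting that stops it answering recursive queries at all is `recursion no;` (or a restricted `allow-recursion`) in the `options` block, documented in the BIND ARM.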