strange queries in my DNS

Matthew Seaman m.seaman at infracaninophile.co.uk
Fri Apr 22 06:34:52 UTC 2011


On 21/04/2011 19:54, Victor Hugo dos Santos wrote:
> Hello masters.
> 
> Last week I had strange queries logged in my DNS. At that
> moment I only blocked the source IP (77.204.11.139) and forgot about this
> theme.
> 
> but, today.. I have the same query registered in my logs and from
> another source (208.100.46.116).
> 
> ==================
> 21-Apr-2011 15:20:16.081 queries: info: client 208.100.46.116#1552: view externo: query: . ANY RESERVED0 +
> 21-Apr-2011 15:20:16.143 queries: info: client 208.100.46.116#6674: view externo: query: . ANY RESERVED0 +
> 21-Apr-2011 15:20:16.205 queries: info: client 208.100.46.116#21602: view externo: query: . ANY RESERVED0 +
> 21-Apr-2011 15:20:16.269 queries: info: client 208.100.46.116#55331: view externo: query: . ANY RESERVED0 +
> ==================
> 
> 
> now, I have the new IP blocked, but if I unblock it.. the server shows
> 20/30 queries per second from this IP !!!
> 

This is an attempt to use your DNS servers as a traffic amplifier in a
DoS attack.  By sending a spoofed query for the root '.' the attackers
cause your DNSes to send kilobytes of the root zone to the target IP
(208.100.46.116 and 77.204.11.139 are the victims here, not the
perpetrators).  Do that against enough other DNS servers simultaneously
and it will flood the target host.

There are several variations on this -- see

http://meetings.ripe.net/ripe-52/presentations/ripe52-plenary-dnsamp.pdf

The best answer to this sort of thing is for network providers to filter
obviously spoofed traffic at their interchange points, but that is
(presumably) outside your control.  You can mitigate the problem by
careful use of the 'allow-query', 'allow-query-cache' and
'additional-from-cache' directives in your BIND configuration so you
only answer recursive queries for your trusted networks.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
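A detection check for the pattern discussed above, added here as an example and not part of the thread: it parses BIND query-log lines of the form Victor quoted (the four lines reconstructed unwrapped, plus one constructed ordinary query) and reports client addresses whose rate of queries for the root name "." reaches a threshold. Since the source address in such queries is spoofed, the reported address is the victim whose traffic to refuse or rate-limit, as the reply explains, not the sender; the threshold and window values are assumptions chosen from the thread's figures.

```python
import re
from collections import defaultdict
from datetime import datetime

# One BIND query-log line as quoted (BIND logs "query: <name> <class> <type> <flags>",
# so the name is "."); the "view externo:" part is optional as not every server logs views.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): (?:view \S+: )?"
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) (?P<flags>\S+)$"
)

# Constructed sample: the four lines from the thread plus one ordinary query.
SAMPLE_LOG = [
    "21-Apr-2011 15:20:16.081 queries: info: client 208.100.46.116#1552: view externo: query: . ANY RESERVED0 +",
    "21-Apr-2011 15:20:16.143 queries: info: client 208.100.46.116#6674: view externo: query: . ANY RESERVED0 +",
    "21-Apr-2011 15:20:16.205 queries: info: client 208.100.46.116#21602: view externo: query: . ANY RESERVED0 +",
    "21-Apr-2011 15:20:16.269 queries: info: client 208.100.46.116#55331: view externo: query: . ANY RESERVED0 +",
    "21-Apr-2011 15:20:17.500 queries: info: client 192.0.2.10#53211: view externo: query: www.example.com IN A +",
]

def parse(line):
    """Return the fields of a recognised query-log line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    q = m.groupdict()
    q["ts"] = datetime.strptime(q["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return q

def find_amplification_sources(lines, window_s=1.0, min_queries=20):
    """Map client IP -> peak number of queries for "." within any sliding
    window of window_s seconds, for clients whose peak reaches min_queries
    (assumed default of 20, from the 20/30 per second reported in the thread)."""
    by_ip = defaultdict(list)
    for line in lines:
        q = parse(line)
        if q and q["name"] == ".":
            by_ip[q["ip"]].append(q["ts"])
    suspects = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak = start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_queries:
            suspects[ip] = peak
    return suspects
```

With only four quoted lines, run it as `find_amplification_sources(SAMPLE_LOG, min_queries=3)` to see the client flagged; the ordinary query from 192.0.2.10 is never counted.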


