strange queries in my DNS

Victor Hugo dos Santos listas.vhs at gmail.com
Mon Apr 25 12:30:05 UTC 2011


On Fri, Apr 22, 2011 at 3:34 AM, Matthew Seaman
<m.seaman at infracaninophile.co.uk> wrote:

Hello Matthew,

> This is an attempt to use your DNS servers as a traffic amplifier in a
> DoS attack.  By sending a spoofed query for the root '.' the attackers
> cause your DNSes to send kilobytes of the root zone to the target IP
> (208.100.46.116 and 77.204.11.139 are the victims here, not the
> perpetrators).  Do that against enough other DNS servers simultaneously
> and it will flood the target host.
>
> There are several variations on this -- see
>
> http://meetings.ripe.net/ripe-52/presentations/ripe52-plenary-dnsamp.pdf
>
> The best answer to this sort of thing is for network providers to filter
> obviously spoofed traffic at their interchange points, but that is
> (presumably) outside your control.  You can mitigate the problem by
> careful use of the 'allow-query', 'allow-query-cache' and
> 'additional-from-cache' directives in your BIND configuration so you
> only answer recursive queries for your trusted networks.

Yes.. I already read about the DNS amplifier attack.. but in an
amplification attack, the query is for ".", whereas in my case the
queries aren't for the "root", but for an "unused type" !!!!

About the configuration, I can't apply "allow-query" to restrict
my DNS, because this is an authoritative server for many domains and I
have recursion disabled in the external views.

thanks



-- 
Victor Hugo dos Santos
Linux Counter #224399
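The configuration shape Matthew describes, split across the views Victor mentions, as an added illustration that is not part of either poster's message. It assumes a single zone "example.com" and a constructed trusted range 192.0.2.0/24 (a documentation prefix, not a real network); the directives are the ones from the thread ('allow-query', 'allow-query-cache', 'additional-from-cache', 'recursion') as they appear in BIND 9 of that era, so check your version's ARM before copying them, since later releases dropped 'additional-from-cache'. The point is that an authoritative server can keep 'allow-query { any; }' for its own zones while still refusing to hand cached or root-zone data to outside clients.

```conf
// Constructed example: 192.0.2.0/24 stands in for the operator's own networks.
acl "trusted" { 127.0.0.0/8; 192.0.2.0/24; };

// Internal view: clients on trusted networks get a full recursive resolver.
view "internal" {
    match-clients { "trusted"; };
    recursion yes;
    allow-query { "trusted"; };
    allow-query-cache { "trusted"; };

    // Root hints are only needed where recursion is actually offered.
    zone "." { type hint; file "named.root"; };
    zone "example.com" { type master; file "db.example.com"; };
};

// External view: everyone else sees an authoritative-only server.
view "external" {
    match-clients { any; };
    recursion no;                  // never resolve on behalf of outsiders
    allow-query { any; };          // authoritative data must stay reachable
    allow-query-cache { none; };   // no cached answers, no root zone copies
    additional-from-cache no;      // don't pad responses with cached glue

    // No hint zone here: a query for '.' gets a small REFUSED/referral,
    // not kilobytes of root data sent to a spoofed source address.
    zone "example.com" { type master; file "db.example.com"; };
};
```

With this layout the external view still answers for example.com, so 'allow-query' does not have to be narrowed as Victor feared; what is withheld from unknown sources is the cache and the root zone, which is the data that gives the amplification its size. Queries for types the zone does not carry still get an answer, but it is the authoritative NODATA response, small enough to offer little amplification.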


