high volume from outside our networks question
Beavis
pfunix at gmail.com
Sat Feb 2 22:09:30 UTC 2013
Rich,

I suggest the following:

minimal-responses yes; - set this global
blackhole { address_match_list }; - use the address_match_list file on your pf.conf (freebsd)

With this combo, your BIND should refuse queries when it's out-of-zone.

additional-from-auth yes;
additional-from-cache no;

Good luck,
-Beavis
On Wed, Jan 30, 2013 at 3:02 PM, rich carroll <richcarroll at gmail.com> wrote:
> Currently our ISP's bind9 server is experiencing a lot of traffic. It looks
> like we are being used to attack ip addresses. We do have our own domains
> that host as well as resolving for our customers.
>
> I have an acl for our subnets and we allow-recursion and allow-query-cache
> for those subnets. The IP's of the abusing servers are outside of our
> networks.
>
> My assumption was that if the query came from outside our networks and it
> wasn't for one of our domains then there wouldn't be a response, but this
> isn't the case.
>
> If I go outside our network and do a "dig google.com @ourDNSserver" I get:
>
> ; <<>> DiG 9.6.-ESV-R3 <<>> google.com @ns1.xxxxxxxxxxxx
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23403
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;google.com. IN A
>
> ;; AUTHORITY SECTION:
> com. 172800 IN NS a.gtld-servers.net.
> com. 172800 IN NS h.gtld-servers.net.
> com. 172800 IN NS l.gtld-servers.net.
> com. 172800 IN NS d.gtld-servers.net.
> com. 172800 IN NS c.gtld-servers.net.
> com. 172800 IN NS i.gtld-servers.net.
> com. 172800 IN NS m.gtld-servers.net.
> com. 172800 IN NS b.gtld-servers.net.
> com. 172800 IN NS j.gtld-servers.net.
> com. 172800 IN NS f.gtld-servers.net.
> com. 172800 IN NS e.gtld-servers.net.
> com. 172800 IN NS g.gtld-servers.net.
> com. 172800 IN NS k.gtld-servers.net.
>
> ;; ADDITIONAL SECTION:
> a.gtld-servers.net. 172800 IN A 192.5.6.30
> a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30
> b.gtld-servers.net. 172800 IN A 192.33.14.30
> b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30
> c.gtld-servers.net. 172800 IN A 192.26.92.30
> d.gtld-servers.net. 172800 IN A 192.31.80.30
> e.gtld-servers.net. 172800 IN A 192.12.94.30
> f.gtld-servers.net. 172800 IN A 192.35.51.30
> g.gtld-servers.net. 172800 IN A 192.42.93.30
> h.gtld-servers.net. 172800 IN A 192.54.112.30
> i.gtld-servers.net. 172800 IN A 192.43.172.30
> j.gtld-servers.net. 172800 IN A 192.48.79.30
> k.gtld-servers.net. 172800 IN A 192.52.178.30
> l.gtld-servers.net. 172800 IN A 192.41.162.30
>
> ;; Query time: 2 msec
> ;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
> ;; WHEN: Wed Jan 30 14:50:32 2013
> ;; MSG SIZE rcvd: 500
>
> Is it supposed to work like this? We are getting 100-600 of these a second.
> Most are looking up isc.org. They are more than likely spoofed IPs and
> someone is using our servers to attack people.
>
> I spent some time doing google searches and mostly found that you need to
> make sure you are only doing recursive lookups for your network, but that
> hasn't solved our issue if we are still sending out responses.
>
> --
> Richard Carroll
> richcarroll at gmail.com
>
>
--
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
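A hardened named.conf options block that combines what Rich already has (recursion and cache limited by ACL) with what Beavis suggests, written as an added example for this thread rather than configuration from either poster; the ACL prefixes are placeholders, and the rate-limit block goes beyond the thread because it needs BIND 9.10 or newer.

```conf
// Constructed example: an ISP resolver that is also authoritative for its
// own zones. Replace the placeholder prefixes with your real ranges.

acl customers {
    192.0.2.0/24;        // placeholder customer range
    2001:db8::/32;       // placeholder customer range
    localhost;
};

acl abusers {
    // Placeholder: sources of the flood. Because the source addresses are
    // spoofed, these are usually the victims, so sending them nothing at
    // all is the desired outcome.
    203.0.113.0/24;
};

options {
    directory "/var/named";

    // What Rich already has: recursion and the cache only for our ranges.
    recursion yes;
    allow-recursion { customers; };
    allow-query-cache { customers; };
    // Authoritative zones must still be reachable from anywhere.
    allow-query { any; };

    // What Beavis suggests. Upward referrals (the NOERROR / ANSWER 0 /
    // AUTHORITY 13 / 500-byte reply in the dig output above) are built
    // from cached root and TLD data, so with additional-from-cache no an
    // out-of-zone query from outside gets REFUSED instead.
    minimal-responses yes;
    additional-from-auth yes;
    additional-from-cache no;

    // Drop packets from these sources entirely, with no response at all.
    blackhole { abusers; };

    // Beyond the thread: response rate limiting caps identical answers
    // per client per second. Requires BIND 9.10 or newer.
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};
```

After reloading, repeat the `dig google.com @ourDNSserver` check from outside the network: a status of REFUSED with an empty AUTHORITY and ADDITIONAL section confirms the referral leak is closed.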