high volume from outside our networks question

rich carroll richcarroll at gmail.com
Wed Jan 30 21:02:50 UTC 2013


Currently our ISP's bind9 server is experiencing a lot of traffic. It looks
like we are being used to attack ip addresses. We do have our own domains
that host as well as resolving for our customers.

I have an acl for our subnets and we allow-recursion and allow-query-cache
for those subnets. The IP's of the abusing servers are outside of our
networks.

My assumption was that if the query came from outside our networks and it
wasn't for one of our domains then there wouldn't be a response, but this
isn't the case.

If I go outside our network and do a "dig google.com @ourDNSserver" I get:

; <<>> DiG 9.6.-ESV-R3 <<>> google.com @ns1.xxxxxxxxxxxx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23403
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;google.com.                    IN      A

;; AUTHORITY SECTION:
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net.     172800  IN      A       192.5.6.30
a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30
b.gtld-servers.net.     172800  IN      A       192.33.14.30
b.gtld-servers.net.     172800  IN      AAAA    2001:503:231d::2:30
c.gtld-servers.net.     172800  IN      A       192.26.92.30
d.gtld-servers.net.     172800  IN      A       192.31.80.30
e.gtld-servers.net.     172800  IN      A       192.12.94.30
f.gtld-servers.net.     172800  IN      A       192.35.51.30
g.gtld-servers.net.     172800  IN      A       192.42.93.30
h.gtld-servers.net.     172800  IN      A       192.54.112.30
i.gtld-servers.net.     172800  IN      A       192.43.172.30
j.gtld-servers.net.     172800  IN      A       192.48.79.30
k.gtld-servers.net.     172800  IN      A       192.52.178.30
l.gtld-servers.net.     172800  IN      A       192.41.162.30

;; Query time: 2 msec
;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
;; WHEN: Wed Jan 30 14:50:32 2013
;; MSG SIZE  rcvd: 500

Is it supposed to work like this? We are getting 100-600 of these a second.
Most are looking up isc.org. They are more than likely spoofed IPs and
someone is using our servers to attack people.

I spent some time doing google searches and mostly found that you need to
make sure you are only doing recursive lookups for your network, but that
hasn't solved our issue if we are still sending out responses.

-- 
Richard Carroll
richcarroll at gmail.com
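The symptom in the post is the expected BIND behaviour: `allow-recursion` and `allow-query-cache` only gate recursion and cache reads, so a query from outside the ACL for a name the server is not authoritative for still gets a referral to the root or TLD servers (the 500-byte response above, to a query of a few dozen bytes), which is exactly what a spoofed-source reflection flood wants. The usual fix is to make `allow-query` itself restrictive at the options level and open it per zone (or split authoritative and recursive service into separate views or servers), so that outside clients get REFUSED for anything but the hosted zones. The script below, an added example and not part of the original post or of BIND, encodes that intended policy and runs it over query-log lines to show which queries should have been refused and whether they arrive as a per-second flood. The log-line format, the ACL prefixes, the zone names and the sample lines are all assumptions constructed for illustration.

```python
"""Check BIND query-log lines against the intended access policy.

Added example, not code from the original post. Log format, ACL,
zone list and sample lines are assumptions constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Assumed: the ISP's own subnets (the ACL used for allow-recursion in the post).
OUR_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
# Assumed: zones this server is authoritative for and may answer to anyone.
OUR_ZONES = ("example.net", "example.org")

# Assumed query-log line shape, e.g.
#   30-Jan-2013 14:50:32.123 client 192.0.2.7#1025: query: isc.org IN ANY +
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def in_our_nets(ip):
    """True if the source address falls inside one of our subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_NETS)


def in_our_zones(qname):
    """True if the queried name is at or below a zone we host."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in OUR_ZONES)


def should_refuse(ip, qname):
    """Intended policy: outside clients only get answers for our own zones.

    A referral for google.com or isc.org to an outside client is what the
    restrictive global allow-query (opened per zone) is meant to prevent.
    """
    return not in_our_nets(ip) and not in_our_zones(qname)


def analyze(lines, threshold_per_sec=100):
    """Count queries the policy would refuse and spot per-second floods."""
    parsed = refusable = 0
    qnames = Counter()          # refusable queries per name
    sources = set()             # distinct (likely spoofed) source addresses
    per_sec = Counter()         # (second, qname) -> refusable queries
    for line in lines:
        m = LOG_RE.match(line)
        if not m:               # skip lines in an unexpected format
            continue
        parsed += 1
        ip, qname, ts = m["ip"], m["qname"].rstrip(".").lower(), m["ts"]
        if should_refuse(ip, qname):
            refusable += 1
            qnames[qname] += 1
            sources.add(ip)
            per_sec[(ts, qname)] += 1
    floods = {k: v for k, v in per_sec.items() if v >= threshold_per_sec}
    return {
        "parsed": parsed,
        "refusable": refusable,
        "top_qnames": qnames.most_common(3),
        "distinct_sources": len(sources),
        "flood_seconds": floods,
    }


# Constructed sample log: three ordinary queries, one unparseable line, and
# 150 ANY queries for isc.org in a single second from 150 outside addresses,
# which is the shape of the traffic the post describes.
SECOND = "30-Jan-2013 14:50:32"
SAMPLE_LOG = [
    f"{SECOND}.001 client 198.51.100.9#51234: query: google.com IN A +",    # our customer: recurse
    f"{SECOND}.002 client 192.0.2.7#1025: query: www.example.net IN A -",  # outsider, our zone: answer
    f"{SECOND}.003 client 192.0.2.7#1026: query: google.com IN A +",       # outsider, not ours: refuse
    "garbage line that does not parse",
]
SAMPLE_LOG += [
    f"{SECOND}.{100 + i:03d} client 192.0.2.{i % 254 + 1}#{1024 + i}: query: isc.org IN ANY +"
    for i in range(150)
]

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The counts this produces are the ones worth watching on the server itself: many distinct outside sources, one or two names dominating, and a per-second rate far above anything a customer resolver would send. Once the global `allow-query` is tightened, the same queries should show up as REFUSED rather than as referrals; a REFUSED response is small, so the amplification the attacker is after disappears even though the packets still arrive.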

