high volume from outside our networks question
Dmitri Tarkhov
tarkhov at dionaholding.ru
Thu Jan 31 06:41:12 UTC 2013
One very simple question - do you filter spoofed IPs
at your firewalls?
And, BTW, a lot of other must-be stuff, like ports 135-139 ...
(but that's another story)
Personally I reject spoofed IPs even without logging.
> They are more than likely spoofed IPs and
> someone is using our servers to attack people.
rich carroll wrote:
> acl "trusted" {
> xxx.xxx.xxx.0/20;
> xxx.xxx.xxx.0/23;
> xxx.xxx.xxx.0/22;
> xx.xxx.xxx.0/23;
> xx.xxx.xxx.0/23;
> xx.xxx.xxx.0/23;
> x.xx.xxx.0/21;
> x.xx.xx.0/24;
> xxx.xxx.xxx.0/24;
> localhost;
> localnets;
> };
>
> options {
> // Relative to the chroot directory, if any
> directory "/etc/namedb";
> pid-file "/var/run/named/pid";
> dump-file "/var/dump/named_dump.db";
> statistics-file "/var/stats/named.stats";
> allow-recursion { "trusted"; };
> allow-query { any; };
> allow-query-cache { "trusted"; };
> };
>
> It's a standard conf with the default stuff in it as well as 24 zones or so
> in it.
>
> On Wed, Jan 30, 2013 at 3:30 PM, Steven Carr <sjcarr at gmail.com> wrote:
>
>>So the response you received wasn't recursed ";; WARNING: recursion
>>requested but not available", so at least that ACL is holding up, but
>>it could be that the response you got is still being served from your
>>DNS server's cache. Can you share the exact configuration statements
>>you have implemented for allow-recursion and allow-query-cache and are
>>these options in the view stanza or in the global options?
>>
>>Best practice is that authoritative and recursive DNS servers should
>>be completely separate.
>>
>>Steve
>>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Best regards,
Dmitri Tarkhov
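Steven's question (which ACLs govern allow-recursion and allow-query-cache, and whether the server mixes authoritative and recursive roles) is something you can check mechanically before a reflection complaint arrives. The script below is an added example written for this page, not code from the thread or from ISC: it parses a named.conf fragment modelled on the one rich quoted (the redacted prefixes replaced with RFC 5737 documentation ranges, an assumption), evaluates BIND-style address-match lists against a probe address from outside every trusted range, and reports the three findings Steven is driving at. It handles only global options, acl blocks and simple `!` negation; views and nested-negation corner cases are deliberately out of scope.

```python
import ipaddress
import re

# Constructed sample modelled on the config quoted in the thread; the
# redacted prefixes are replaced with RFC 5737 documentation ranges.
SAMPLE_CONF = """
acl "trusted" {
    192.0.2.0/24;
    198.51.100.0/23;
    localhost;
    localnets;
};

options {
    // Relative to the chroot directory, if any
    directory "/etc/namedb";
    allow-recursion { "trusted"; };
    allow-query { any; };
    allow-query-cache { "trusted"; };
};

zone "example.com" { type master; file "example.com.db"; };
"""

# Same config with the recursion ACL opened up: the "open resolver" case.
OPEN_CONF = SAMPLE_CONF.replace('allow-recursion { "trusted"; };',
                                'allow-recursion { any; };')

LOCALHOST = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
# Constructed probe address: outside every range in the sample ACL.
OUTSIDE = ipaddress.ip_address("203.0.113.7")


def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def block_body(text, header):
    """Text between the braces of the first block whose header matches the
    regex `header`; nested braces are balanced."""
    m = re.search(header + r"\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    raise ValueError("unbalanced braces after " + m.group(0).strip())


def parse_list(body):
    return [e.strip() for e in body.split(";") if e.strip()]


def parse_acls(text):
    names = re.findall(r'acl\s+"?([\w.-]+)"?\s*\{', text)
    return {n: parse_list(block_body(text, r'acl\s+"?%s"?' % re.escape(n)))
            for n in names}


def option_list(text, name):
    opts = block_body(text, r"\boptions\b")
    sub = block_body(opts, r"\b" + re.escape(name)) if opts is not None else None
    return None if sub is None else parse_list(sub)


def matches(entries, acls, ip, localnets):
    """Evaluate an address-match list as BIND does: the first element that
    matches decides, and a leading '!' turns a match into a denial."""
    for entry in entries:
        negate = entry.startswith("!")
        ent = entry.lstrip("! ").strip('"')
        if ent == "any":
            hit = True
        elif ent == "none":
            hit = False
        elif ent == "localhost":
            hit = any(ip in n for n in LOCALHOST)
        elif ent == "localnets":
            hit = any(ip in n for n in localnets)
        elif ent in acls:
            hit = matches(acls[ent], acls, ip, localnets)
        else:
            hit = ip in ipaddress.ip_network(ent, strict=False)
        if hit:
            return not negate
    return False


def recursion_allowed_from(conf, ip, localnets=()):
    """Would this named.conf answer a recursive query from `ip`?"""
    text = strip_comments(conf)
    opts = block_body(text, r"\boptions\b") or ""
    if re.search(r"\brecursion\s+no\s*;", opts):
        return False
    rec = option_list(text, "allow-recursion")
    if rec is None:                      # BIND's documented default
        rec = ["localnets", "localhost"]
    nets = [ipaddress.ip_network(n) for n in localnets]
    return matches(rec, parse_acls(text), ipaddress.ip_address(ip), nets)


def audit(conf, localnets=()):
    """Findings a reviewer would raise about the global recursion/cache ACLs."""
    text = strip_comments(conf)
    acls = parse_acls(text)
    nets = [ipaddress.ip_network(n) for n in localnets]
    findings = []
    if recursion_allowed_from(conf, str(OUTSIDE), localnets):
        findings.append("open resolver: allow-recursion admits arbitrary sources")
    cache = option_list(text, "allow-query-cache")
    if cache is None:
        findings.append("allow-query-cache unset: BIND falls back to allow-recursion")
    elif matches(cache, acls, OUTSIDE, nets):
        findings.append("cache readable by arbitrary sources (cache snooping)")
    authoritative = re.search(r"\btype\s+(master|primary|slave|secondary)\s*;", text)
    if authoritative and not re.search(r"\brecursion\s+no\s*;", text):
        findings.append("mixed role: authoritative zones and recursion on one server")
    return findings


if __name__ == "__main__":
    for label, conf in (("quoted-style", SAMPLE_CONF), ("opened-up", OPEN_CONF)):
        print(label, audit(conf) or ["no findings"])
```

Run against the quoted-style config the only finding is the mixed role, which is exactly Steven's "keep authoritative and recursive separate" point; open the recursion ACL to `any` and the open-resolver finding appears as well. Pass your real on-link prefixes as `localnets` so that entry is evaluated the way named would evaluate it on the host.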