Fw: How to block NULL resource record queries

Mark Andrews marka at isc.org
Tue Jun 9 01:56:42 UTC 2015


In message <884668413.7944885.1433736237106.JavaMail.yahoo at mail.yahoo.com>, Kashif Mumtaz writes:
>
>  Hi, We recently faced an issue where we were receiving a bulk number of
> queries on our DNS server from customers for some fake domain whose RR
> type was NULL. This is the first time we are seeing queries whose RR
> type is NULL.

Then your customers have broken hardware (CPE Router) that accepts
and forwards DNS queries from the Internet to you, or they have
otherwise been compromised.

Call them and tell them that they need to fix / replace / secure their
systems.  If it turns out to be the CPE Router (highly likely) and
it needs to be replaced, recommend one that supports IPv6 if you are
not already doing so.

You should be able to see the queries going to their router and the
subsequent query to your servers if you do packet traces.

Fixing the cause is much better than just dealing with the symptoms
and has better long term benefits.  The criminals using your customers'
systems as forwarders will just adjust the types of queries they
are making, so you will be fighting a losing war if you don't tackle
the root cause.

> We have some iptables scripts on the server which can block or rate limit
> queries like A, ANY etc.  But these scripts do not recognize RR type
> NULL.

NULL is just type code 10.

> For a quick remedy we configured the zone locally and pointed it to
> 127.0.0.1 so our recursive queue for these domains is not accumulating
> now.
> But we can receive bulk NULL queries for some valid domains like
> yahoo.com etc. which we cannot configure locally. Then how can we block
> these NULL type queries?

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
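The point that NULL is just type code 10 can be checked directly on the wire. The following Python example is added here and is not from the thread or from ISC; the function names and the sample packets are constructed for illustration. It parses the question section of a DNS query, returns the QTYPE, and counts NULL-type queries per name, which is the sort of check an operator could run over a packet trace before deciding what to rate limit.

```python
import struct

NULL_TYPE = 10  # RFC 1035 type code for the NULL resource record

def parse_question(packet):
    """Return (qname, qtype) from the first question of a wire-format DNS query."""
    # Query QNAMEs are not compressed, so 0xC0 pointer labels are rejected, not followed.
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("truncated header or empty question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in query QNAME")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return (".".join(labels).lower() or "."), qtype

def build_query(name, qtype, txid=0x1234):
    """Build a minimal standard query; used here only to construct sample packets."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = [l.encode("ascii") for l in name.strip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def count_null_queries(packets):
    """Count NULL-type (code 10) queries per QNAME; malformed packets are skipped."""
    counts = {}
    for pkt in packets:
        try:
            qname, qtype = parse_question(pkt)
        except ValueError:
            continue
        if qtype == NULL_TYPE:
            counts[qname] = counts.get(qname, 0) + 1
    return counts

# Constructed sample traffic (not captured data): NULL queries for a legitimate
# name mixed with ordinary lookups, plus one truncated packet.
SAMPLE = [build_query("yahoo.com", NULL_TYPE), build_query("www.example.com", 1),
          build_query("yahoo.com", NULL_TYPE), build_query("example.com", 255), b"\x12\x34"]
```

On real traffic, feed the UDP payloads from a packet capture into `count_null_queries` and compare the per-name counts against the ordinary query mix for the same source addresses.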