Bind stats - denied queries?

Lyle Giese lyle at lcrcomputer.net
Mon Nov 30 14:53:27 UTC 2020 

Be careful 'rejecting' these outright.  These queries are UDP 
traffic(not TCP) and the source address is easily forged.  RRL is the 
correct way to limit these.

Lyle Giese

LCR Computer Services, Inc.

On 11/30/20 4:12 AM, Marc Roos wrote:
>   
>
> Are newer version of bind still logging like this
>
>
> Nov 30 10:10:02 ns0 named[1303]: rate-limit: info: limit  responses to
> 3.9.41.0/24
> Nov 30 10:10:02 ns0 named[1303]: rate-limit: info: limit  responses to
> 35.177.154.0/24
> Nov 30 10:10:02 ns2 named[1241]: rate-limit: info: limit  responses to
> 35.177.154.0/24
> Nov 30 10:10:02 ns2 named[1241]: rate-limit: info: limit  responses to
> 3.9.41.0/24
>
> I already reported, that it is not to smart to log 3.9.41.0/24, better
> could be logged 3.9.41.100/24 so you know the offending ip.
>
>
>
>
> -----Original Message-----
> From: Karl Pielorz [mailto:kpielorz_lst at tdx.co.uk]
> Sent: Monday, November 30, 2020 11:08 AM
> To: bind-users at lists.isc.org
> Subject: Bind stats - denied queries?
>
>
> Hi,
>
> We've been seeing a huge increase in 'denied queries' against a couple
> of Bind servers we look after (Bind 9.16.9) - these are currently logged
> as:
>
> "
> Nov 30 00:00:00 client @0xXXXXX X.X.X.X#48536 (.): query (cache)
> './ANY/IN'
> denied
> "
>
> This appears like it might be someone trying (unsuccessfully) to use us
> as an amplifier / reflector.
>
> We've got Bind's statistics file setup - but I can't see there's any
> entry for these "denied" queries? - As we'd really like to monitor this.
>
> If anyone knows what stat these turn up in the statistics file (if at
> all?)
>
> Thanks,
>
> -Karl
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

More information about the bind-users mailing list