Preventing a particular type of nameserver abuse
Julien Salort
listes at salort.eu
Tue Apr 13 09:31:31 UTC 2021
On 13/04/2021 at 07:12, Ondřej Surý wrote:
> BIND 9.11 has a minimal-any option that’s helpful to reduce the attack
> impact: https://www.isc.org/blogs/bind-release-911/
>
> RRL should also help to limit the responses:
> https://kb.isc.org/docs/aa-01000
>
> Usually the source IP is spoofed, so blocking it might be causing
> collateral damage in case the target of the attack is a resolver, but
> again, in the general case, fail2ban that parses named log files might be a
> good option to add a temporary ban on the IP. Just bear in mind you
> are not blocking the attacker, but the victim.
I also have a lot of these (sl) queries in my logs.
Would it not be possible to have an option to tell BIND to refrain from
answering all unauthorized queries over UDP?
Is it really useful to reply with code 5, instead of silently
ignoring the request?
A built-in option would be much easier than requiring every server to
have a dedicated fancy firewall rule.
But I have no idea how much work it would be to add this feature in BIND.
Cheers,
Julien
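The two BIND-side mitigations mentioned in the quoted reply (minimal-any and RRL), together with a log channel that a fail2ban filter can parse, as an added named.conf excerpt; this is not configuration from the thread or from ISC, and the directory, log path, rate values and authoritative-only setup are assumptions chosen for illustration:

```conf
// named.conf (excerpt) -- added example, not from the mailing-list thread.
// Assumes an authoritative-only server; paths and numbers are illustrative.
options {
    directory "/var/named";
    recursion no;                 // non-authoritative queries get REFUSED (rcode 5)
    allow-query { any; };

    // BIND >= 9.11: answer ANY over UDP with a single RRset (and TC set), so a
    // spoofed ANY query no longer yields a large amplified response.
    minimal-any yes;

    // Response Rate Limiting: identical responses to the same client prefix
    // (/24 for IPv4, /56 for IPv6 by default) are capped; "slip 2" turns
    // every second dropped response into a small truncated reply, so a
    // legitimate client behind a spoofed address can still retry over TCP.
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;
        log-only no;              // set to yes first to observe what would be limited
    };
};

logging {
    channel security_log {
        file "/var/log/named/security.log" versions 5 size 20m;
        severity info;
        print-time yes;
        print-category yes;
    };
    // "query (cache) '.../ANY/IN' denied" messages are logged in the
    // security category; point fail2ban (or any log parser) at this file.
    category security { security_log; };
};
```

Because the client address in those log lines is usually spoofed, any ban derived from them hits the reflection victim, so keep such bans short and prefer RRL and minimal-any as the primary controls.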