Preventing a particular type of nameserver abuse
Julien Salort
listes at salort.eu
Tue Apr 13 20:32:48 UTC 2021
Le 13/04/2021 à 00:55, Richard T.A. Neal a écrit :
> That's exactly what I do - I have some code that's watching for a frequent occurrence of these sorts of queries and then adds a firewall rule for a predetermined amount of time to simply drop the incoming packets at the firewall - this prevents them from reaching BIND in the first place and thus consuming system resource on the BIND server. And I say "predetermined amount of time" because that rule is then removed after a period of time in case the abuse was "unintentional" (ahem), or in case it came from a system using a non-static IP (i.e. a different user may be using that IP now, so I don't want to block them).
Do you block specifically the dns queries in the firewall, or straight
out block the IP?
Reading this thread, I considered simply enabling the fail2ban
named-refused jail, but they advise against it because it would end up
blocking the victim rather than the attacker.
I understand that always ignoring these request may be bad if it causes
some timeout somewhere (though I still do not quite fully understand
what legitimate requests those may be for a server which only does
authoritative answers). Couldn't bind then have a built-in option to
ignore repeated attempts from a given host, and cap the number of error
codes sent to a given host per day?
Julien
More information about the bind-users
mailing list