Millions of './ANY/IN' queries denied

Andrew P. andrewemt at hotmail.com
Wed Dec 15 13:33:55 UTC 2021


So why isn't there a way to tell BIND not to respond to queries for which it clearly is not authoritative (such as these attack vectors)? Since no legitimate resolver would be asking a non-authoritative server for information, why should his (or my) public BIND server respond to these even with an error message?



________________________________________
From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Ondřej Surý <ondrej at isc.org>
Sent: Wednesday, December 15, 2021 7:18 AM
To: Danilo Godec
Cc: bind-users at lists.isc.org
Subject: Re: Millions of './ANY/IN' queries denied

> Would I be doing a bad thing by using fail2ban to block these IPs?

That’s the question that only you can answer.  The IP addresses are
not attacker’s but victim’s and you would be punishing those networks
by blocking access from them to your network.

Do you absolutely know that these IP addresses don't need access
to your DNS?  If yes, then go ahead.

Ondrej
--
Ondřej Surý (He/Him)
ondrej at isc.org

> On 15. 12. 2021, at 12:51, Danilo Godec via bind-users <bind-users at lists.isc.org> wrote:
>
> Hello,
>
>
> I'm noticing some unusual activity where 48 external IPs generated over
> 2M queries that have all been denied (just today):
>
> 15-Dec-2021 00:01:42.023 security: info: client @0x7f96180b3fe0 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
> 15-Dec-2021 00:01:42.023 security: info: client @0x7f9618019e20 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
> 15-Dec-2021 00:01:42.023 security: info: client @0x7f9618019e20 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
> 15-Dec-2021 00:01:42.023 security: info: client @0x7f9618019e20 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
> 15-Dec-2021 00:01:42.123 security: info: client @0x7f9618019e20 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied
> 15-Dec-2021 00:01:42.127 security: info: client @0x7f96180b3fe0 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied
>
>
> I'm guessing this is some sort of a reflection attack attempt, but I
> don't quite understand if these are the perpetrators or victims?
>
> Would I be doing a bad thing by using fail2ban to block these IPs?
>
>
>     Regards,
>
>      Danilo

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
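Added example, not part of the thread and not ISC code: a small Python triage script for BIND security-channel lines of the shape Danilo posted. It groups the denied queries by source IP, counts how many were `./ANY/IN`, and records the distinct source ports seen per IP. The sample input reuses the six log lines from the thread (rejoined onto single lines) plus two constructed lines for a documentation-range IP (203.0.113.7) to show a source that is denied for some other reason. The regex, function names and the `min_any` threshold are my own assumptions, not a BIND format specification; the optional `@0x...` client pointer is matched loosely for the same reason.

```python
"""Triage BIND 'query ... denied' security-log lines for a suspected reflection flood."""
import re
from collections import defaultdict

# Shape of the lines quoted in the thread. The 'client @0x... ' pointer is optional
# (assumption, to tolerate builds that omit it). Fields: timestamp, source IP/port,
# query name in parentheses, view, query kind, and the 'name/type/class' string.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) security: info: "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<qname>[^)]*)\): "
    r"view (?P<view>\S+): query \((?P<kind>\w+)\) '(?P<q>[^']+)' denied$"
)

# Constructed sample: the six lines from the thread, plus two constructed lines for
# 203.0.113.7 (documentation range) that are denied for a non-ANY query.
SAMPLE_LOG = """\
15-Dec-2021 00:01:42.023 security: info: client @0x7f96180b3fe0 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.023 security: info: client @0x7f9618019e20 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.023 security: info: client @0x7f9618019e20 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.023 security: info: client @0x7f9618019e20 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.123 security: info: client @0x7f9618019e20 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.127 security: info: client @0x7f96180b3fe0 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:43.001 security: info: client @0x7f9618019e20 203.0.113.7#40211 (example.net): view outside: query (cache) 'example.net/A/IN' denied
15-Dec-2021 00:01:43.500 security: info: client @0x7f9618019e20 203.0.113.7#40212 (example.net): view outside: query (cache) 'example.net/A/IN' denied
"""


def parse_denied(lines):
    """Yield one dict per line that matches the denied-query shape; skip everything else."""
    for line in lines:
        m = DENIED_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize(records):
    """Per source IP: total denials, './ANY/IN' denials, and the set of source ports seen."""
    summary = defaultdict(lambda: {"denied": 0, "any_root": 0, "ports": set()})
    for r in records:
        s = summary[r["ip"]]
        s["denied"] += 1
        s["ports"].add(int(r["port"]))
        if r["q"] == "./ANY/IN":
            s["any_root"] += 1
    return dict(summary)


def flag_reflection_sources(summary, min_any=2):
    """IPs with at least min_any './ANY/IN' denials, highest volume first.

    As Ondřej notes in the thread, these addresses are most likely the spoofed
    victims of a reflection attempt, not the attacker, so the list is for triage
    and rate-limiting decisions rather than for blocklisting.
    """
    hits = [ip for ip, s in summary.items() if s["any_root"] >= min_any]
    return sorted(hits, key=lambda ip: (-summary[ip]["any_root"], ip))


def report(log_text):
    """Parse a log text and return (per-IP summary, flagged IP list)."""
    summary = summarize(parse_denied(log_text.splitlines()))
    return summary, flag_reflection_sources(summary)


if __name__ == "__main__":
    summary, flagged = report(SAMPLE_LOG)
    for ip in flagged:
        s = summary[ip]
        # A real resolver normally varies its source port per query; a burst that
        # reuses one port is consistent with packets crafted with a spoofed source.
        print(f"{ip}: {s['any_root']} './ANY/IN' denials, "
              f"{len(s['ports'])} distinct source port(s)")
```

Run it against a real `security` channel file with `report(open(path).read())`; the per-IP port count is the useful second signal, since a genuine recursive resolver would be expected to show many source ports over thousands of queries, while the thread's bursts reuse a single port per IP.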

