Millions of './ANY/IN' queries denied
Ondřej Surý
ondrej at isc.org
Wed Dec 15 13:44:15 UTC 2021
Not responding would make the client susceptible to spoofing,
and named has no way of deciding whether the other side
is legitimate or not. The out-of-configured-zone question could
come from a misconfiguration somewhere and not be malicious
at all.
Ondrej
--
Ondřej Surý (He/Him)
ondrej at isc.org
> On 15. 12. 2021, at 14:33, Andrew P. <andrewemt at hotmail.com> wrote:
>
> So why isn't there a way to tell BIND not to respond to queries for which it clearly is not authoritative (such as these attack vectors)? Since no legitimate resolver would be asking a non-authoritative server for information, why should his (or my) public BIND server respond to these even with an error message?
>
> ________________________________________
> From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Ondřej Surý <ondrej at isc.org>
> Sent: Wednesday, December 15, 2021 7:18 AM
> To: Danilo Godec
> Cc: bind-users at lists.isc.org
> Subject: Re: Millions of './ANY/IN' queries denied
>
>> Would I be doing a bad thing by using fail2ban to block these IPs?
>
> That’s the question that only you can answer. The IP addresses are
> not attacker’s but victim’s and you would be punishing those networks
> by blocking access from them to your network.
>
> Do you absolutely know that these IP addresses don't need access
> to your DNS? If yes, then go ahead.
>
> Ondrej
> --
> Ondřej Surý (He/Him)
> ondrej at isc.org
>
>> On 15. 12. 2021, at 12:51, Danilo Godec via bind-users <bind-users at lists.isc.org> wrote:
>>
>> Hello,
>>
>>
>> I'm noticing some unusual activity where 48 external IPs generated over
>> 2M queries that have all been denied (just today):
>>
>> 15-Dec-2021 00:01:42.023 security: info: client @0x7f96180b3fe0 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
>> 15-Dec-2021 00:01:42.023 security: info: client @0x7f9618019e20 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
>> 15-Dec-2021 00:01:42.023 security: info: client @0x7f9618019e20 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
>> 15-Dec-2021 00:01:42.023 security: info: client @0x7f9618019e20 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
>> 15-Dec-2021 00:01:42.123 security: info: client @0x7f9618019e20 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied
>> 15-Dec-2021 00:01:42.127 security: info: client @0x7f96180b3fe0 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied
>>
>>
>> I'm guessing this is some sort of a reflection attack attempt, but I
>> don't quite understand if these are the perpetrators or victims?
>>
>> Would I be doing a bad thing by using fail2ban to block these IPs?
>>
>>
>> Regards,
>>
>> Danilo
>>
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>
>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
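The log lines Danilo quoted and Ondřej's point that the source addresses belong to victims rather than attackers suggest a small triage step: parse named's "query ... denied" lines, aggregate per source IP, and flag sources whose repeated './ANY/IN' queries all come from one fixed port (real resolvers randomize source ports), so the result drives reporting rather than blocking. This is an added example, not code from the thread or from BIND; the sample log text is constructed in the quoted format, and the `fixed_port_any_flood` heuristic and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the lines quoted in the thread. In a real
# named log each entry is one line; the quoted copies were wrapped by mail.
SAMPLE_LOG = """\
15-Dec-2021 00:01:42.023 security: info: client @0x7f96180b3fe0 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.023 security: info: client @0x7f9618019e20 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.123 security: info: client @0x7f9618019e20 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.127 security: info: client @0x7f96180b3fe0 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:03:01.004 security: info: client @0x7f9618019e20 192.0.2.7#41372 (example.net): view outside: query (cache) 'example.net/A/IN' denied
15-Dec-2021 00:03:02.118 security: info: client @0x7f9618019e20 192.0.2.7#55810 (example.net): view outside: query (cache) 'example.net/AAAA/IN' denied
"""

# Matches named's "query ... denied" security log line and splits the quoted
# 'name/type/class' token into its parts.
DENIED_RE = re.compile(
    r"client @0x[0-9a-f]+ (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): view (?P<view>\S+): query \(cache\) "
    r"'(?P<name>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)' denied"
)

def parse_denied(log_text):
    """One dict per parsed 'denied' line; lines that do not match are skipped."""
    records = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records

def summarize_by_source(records, any_threshold=2):
    """Per source IP: denied total, ANY count, distinct source ports, and a flag.

    Many identical './ANY/IN' queries from one fixed source port do not look
    like a real resolver (which randomizes ports); as the thread notes, such an
    address is the spoofed victim, so the flag is for reporting, not blocking.
    """
    per_ip = defaultdict(list)
    for rec in records:
        per_ip[rec["ip"]].append(rec)
    summary = {}
    for ip, recs in per_ip.items():
        any_count = sum(1 for r in recs if r["qtype"] == "ANY")
        ports = {r["port"] for r in recs}
        summary[ip] = {"total": len(recs), "any": any_count, "ports": len(ports),
                       "fixed_port_any_flood": any_count >= any_threshold and len(ports) == 1}
    return summary
```

Running `summarize_by_source(parse_denied(SAMPLE_LOG))` flags the two `./ANY/IN` sources and leaves the `example.net` source, which used two different ports, unflagged.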