Millions of './ANY/IN' queries denied

Ondřej Surý ondrej at isc.org
Wed Dec 15 13:44:15 UTC 2021


Not responding would make the client susceptible to spoofing,
and named has no way of deciding whether the other side
is legitimate or not.  The out-of-configured-zone question could
come from misconfiguration somewhere and not be malicious
at all.

Ondrej
--
Ondřej Surý (He/Him)
ondrej at isc.org

> On 15. 12. 2021, at 14:33, Andrew P. <andrewemt at hotmail.com> wrote:
> 
> So why isn't there a way to tell BIND not to respond to queries for which it clearly is not authoritative (such as these attack vectors)? Since no legitimate resolver would be asking a non-authoritative server for information, why should his (or my) public BIND server respond to these even with an error message?
> 
> 
> 
> ________________________________________
> From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Ondřej Surý <ondrej at isc.org>
> Sent: Wednesday, December 15, 2021 7:18 AM
> To: Danilo Godec
> Cc: bind-users at lists.isc.org
> Subject: Re: Millions of './ANY/IN' queries denied
> 
>> Would I be doing a bad thing by using fail2ban to block these IPs?
> 
> That’s the question that only you can answer.  The IP addresses are
> not the attacker’s but the victim’s, and you would be punishing those networks
> by blocking access from them to your network.
> 
> Do you absolutely know that these IP addresses don’t need access
> to your DNS?  If yes, then go ahead.
> 
> Ondrej
> --
> Ondřej Surý (He/Him)
> ondrej at isc.org
> 
>> On 15. 12. 2021, at 12:51, Danilo Godec via bind-users <bind-users at lists.isc.org> wrote:
>> 
>> Hello,
>> 
>> 
>> I'm noticing some unusual activity where 48 external IPs generated over
>> 2M queries that have all been denied (just today):
>> 
>> 15-Dec-2021 00:01:42.023 security: info: client @0x7f96180b3fe0
>> 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
>> 15-Dec-2021 00:01:42.023 security: info: client @0x7f9618019e20
>> 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
>> 15-Dec-2021 00:01:42.023 security: info: client @0x7f9618019e20
>> 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
>> 15-Dec-2021 00:01:42.023 security: info: client @0x7f9618019e20
>> 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
>> 15-Dec-2021 00:01:42.123 security: info: client @0x7f9618019e20
>> 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied
>> 15-Dec-2021 00:01:42.127 security: info: client @0x7f96180b3fe0
>> 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied
>> 
>> 
>> I'm guessing this is some sort of a reflection attack attempt, but I
>> don't quite understand if these are the perpetrators or victims?
>> 
>> Would I be doing a bad thing by using fail2ban to block these IPs?
>> 
>> 
>>    Regards,
>> 
>>     Danilo
>> 
>> 
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>> 
>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>> 
>> 
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> 
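The denied-query lines Danilo quoted, parsed and aggregated per source the way a defender would before deciding on any blocking, as an added example that is not part of this thread or of BIND itself. It assumes the log format shown above; the 192.0.2.10 record and the fixed-source-port heuristic are the example's own additions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format BIND logged in the thread (one record per
# line; the e-mail had wrapped each one). The 192.0.2.10 line is invented.
SAMPLE_LOG = """\
15-Dec-2021 00:01:42.023 security: info: client @0x7f96180b3fe0 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.023 security: info: client @0x7f9618019e20 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.123 security: info: client @0x7f9618019e20 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.127 security: info: client @0x7f96180b3fe0 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:02:10.500 security: info: client @0x7f9618019e20 192.0.2.10#40211 (example.com): view outside: query (cache) 'example.com/A/IN' denied
"""

TS = r"\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}"
RECORD_RE = re.compile(
    rf"^(?P<ts>{TS}) security: info: client @0x[0-9a-f]+ "
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \([^)]*\): view \S+: "
    r"query \(\w+\) '(?P<q>[^']+)' denied$")

def unwrap(text):
    """Re-join records that a mail client wrapped onto two lines."""
    records = []
    for line in text.splitlines():
        if re.match(TS, line):
            records.append(line.rstrip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def parse(line):
    """Return (ip, port, qname, qtype) for one denied-query record, else None."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    qname, qtype, _qclass = m["q"].rsplit("/", 2)
    return m["ip"], int(m["port"]), qname, qtype

def summarize(text):
    """Count denials per source and per (qname, qtype). Also list sources that
    repeat one UDP port: real resolvers randomize source ports, so a fixed port
    across many ANY queries fits spoofed reflection traffic (the IP being the
    victim, as Ondrej notes) better than a misconfigured client (heuristic)."""
    by_source, by_query, ports = Counter(), Counter(), defaultdict(set)
    for ip, port, qname, qtype in filter(None, map(parse, unwrap(text))):
        by_source[ip] += 1
        by_query[(qname, qtype)] += 1
        ports[ip].add(port)
    fixed = sorted(ip for ip, p in ports.items() if len(p) == 1 and by_source[ip] > 1)
    return {"total": sum(by_source.values()), "by_source": by_source,
            "by_query": by_query, "fixed_port_sources": fixed}
```

Feed `summarize()` the text of a real query log (wrapped or not) to get totals per source and per query, before deciding whether any of the sources, which are most likely victims, should be blocked at all.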