Millions of './ANY/IN' queries denied

John Kristoff jtk at dataplane.org
Wed Dec 15 14:01:39 UTC 2021


On Wed, 15 Dec 2021 12:51:19 +0100
Danilo Godec via bind-users <bind-users at lists.isc.org> wrote:

[...]
> 15-Dec-2021 00:01:42.127 security: info: client @0x7f96180b3fe0
> 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied

This can be common noise you'll see if any external source can get
queries to your server.  It looks like you are denying the queries,
which are probably rd=1 queries.  That is good.  If your server is
auth-only, then it is probably easiest and least harmful.  These are
most likely clients looking for open resolvers.  For example, the
address below has shown up in the signals data doing just that since at
least early November with a project associated with the domain of my
email.

> I'm guessing this is some sort of a reflection attack attempt, but I
> don't quite understand if these are the perpetrators or victims?

If you're refusing the queries, most likely they are Internet surveyors
and scanners.  Some of that may be for reasonable cataloging and
alerting services, other times it is by miscreants looking for servers
to use for reflection attacks.

> Would I be doing a bad thing by using fail2ban to block these IPs?

This might be dangerous.  If someone spoofs a well formed UDP query
that does what the above does and you block it, what if the spoofed
source is something you don't want blocked?  This doesn't happen often,
but I've seen it happen and people have gotten badly burned by it.

John
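As an added example (not code from this thread or from BIND), the following parses the security-log line format quoted above and tallies denied './ANY/IN' probes per source, reporting rather than blocking because the source of a UDP query can be spoofed. The function names are hypothetical and the sample lines are constructed (the thread's line plus RFC 5737 documentation addresses).

```python
import re
from collections import Counter

# Pattern for the BIND "security" category line quoted in the thread (it is one
# log line; the mail client wrapped it). Hypothetical helper, not BIND's code.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} [\d:.]+) security: info: client @0x[0-9a-f]+ "
    r"(?P<src>[^#\s]+)#(?P<port>\d+) \((?P<qname>[^)]*)\): "
    r"view (?P<view>[^:]+): query \((?P<mode>[^)]+)\) "
    r"'(?P<name>[^/']*)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)' denied$"
)

def parse_denied(line):
    """Fields of one 'query ... denied' security line, or None if it is not one."""
    m = DENIED_RE.match(line.strip())
    return m.groupdict() if m else None

def root_any_by_source(lines):
    """Count denied './ANY/IN' queries per source address."""
    hits = Counter()
    for rec in filter(None, map(parse_denied, lines)):
        if (rec["name"], rec["qtype"], rec["qclass"]) == (".", "ANY", "IN"):
            hits[rec["src"]] += 1
    return hits

def likely_scanners(lines, min_hits=3):
    """Sources that sent only './ANY/IN' probes, at least min_hits times.
    A source that also asks for ordinary names looks more like a misconfigured
    client than a resolver scanner, so it is left out. This reports only: the
    source of a UDP query can be spoofed, so the list must not drive blocking."""
    any_hits = root_any_by_source(lines)
    mixed = {rec["src"] for rec in filter(None, map(parse_denied, lines))
             if not (rec["name"] == "." and rec["qtype"] == "ANY")}
    return sorted((src, n) for src, n in any_hits.items()
                  if n >= min_hits and src not in mixed)

# Constructed sample: the line from the thread plus RFC 5737 documentation addresses.
SAMPLE = """\
15-Dec-2021 00:01:42.127 security: info: client @0x7f96180b3fe0 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:43.010 security: info: client @0x7f96180b3fe0 45.145.227.33#11093 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:44.552 security: info: client @0x7f96180b3fe0 45.145.227.33#11094 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:02:10.004 security: info: client @0x7f9618100a20 192.0.2.10#5353 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:02:11.300 security: info: client @0x7f9618100a20 192.0.2.10#5353 (www.example.com): view outside: query (cache) 'www.example.com/A/IN' denied
15-Dec-2021 00:02:12.111 security: info: client @0x7f9618100a20 192.0.2.10#5353 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:03:00.000 security: info: client @0x7f9618100b30 198.51.100.7#40000 (.): view outside: query (cache) './ANY/IN' denied
""".splitlines()

if __name__ == "__main__":
    for src, n in likely_scanners(SAMPLE):
        print(f"{src}: {n} denied root ANY probes")
```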

