Bind stats - denied queries?
Reindl Harald
h.reindl at thelounge.net
Mon Nov 30 15:40:47 UTC 2020
Am 30.11.20 um 11:12 schrieb Marc Roos:
> Are newer version of bind still logging like this
>
> Nov 30 10:10:02 ns0 named[1303]: rate-limit: info: limit responses to
> 3.9.41.0/24
> Nov 30 10:10:02 ns0 named[1303]: rate-limit: info: limit responses to
> 35.177.154.0/24
> Nov 30 10:10:02 ns2 named[1241]: rate-limit: info: limit responses to
> 35.177.154.0/24
> Nov 30 10:10:02 ns2 named[1241]: rate-limit: info: limit responses to
> 3.9.41.0/24
>
> I already reported, that it is not to smart to log 3.9.41.0/24, better
> could be logged 3.9.41.100/24 so you know the offending ip
there is nothing like an "offending ip" in case of dns-amplification
which is usually what happens in context of RRL
it's the forged destination of the attack you see and nothing else
More information about the bind-users
mailing list