[prev in list] [next in list] [prev in thread] [next in thread]
List: bind-users
Subject: Re: strange queries in my DNS
From: Matthew Seaman <m.seaman () infracaninophile ! co ! uk>
Date: 2011-04-25 17:10:43
Message-ID: 4DB5AB13.7040803 () infracaninophile ! co ! uk
[Download RAW message or body]
[Attachment #2 (multipart/signed)]
On 25/04/2011 13:30, Victor Hugo dos Santos wrote:
> Yes.. I already readed about DNS amplifier attack.. but in
> amplification attack, the query is about ".", but in my case, the
> queries isn't by the "root", but for "unused type" !!!!
No -- confusion of terms: '.' is the *root* of the DNS hierarchy.
Nothing to do with the unix superuser.
The RESERVED0 type of the query is certainly odd. Mu guess is that's a
programming mistake by whoever is trying to run a DoS, as it probably
means he's not going to get any data in the responses and hence no
amplification effect.
> about the configuration, I can't apply the "allow-query" to restrict
> my DNS, because this is a authoritative server of many domains and I
> have the recursion disabled to external views.
OK -- an authoritative server should refuse to reply for a query for the
'.' zone from an arbitrary source, like so:
# dig @ns0.infracaninophile.co.uk . ANY
; <<>> DiG 9.6.2-P2 <<>> @ns0.infracaninophile.co.uk . ANY
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 43458
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;. IN ANY
;; Query time: 21 msec
;; SERVER: 81.187.76.162#53(81.187.76.162)
;; WHEN: Mon Apr 25 17:16:28 2011
;; MSG SIZE rcvd: 17
So long as your server responds like that to external queries for the
'.' zone, whether type IN or type RESERVED0 or type whatever, then I
don't think you've got anything much to worry about. 20--30qps like
that should be trivial for any reasonable modern machine.
Cheers,
Matthew
--=20
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matthew@infracaninophile.co.uk Kent, CT11 9PW
["signature.asc" (application/pgp-signature)]
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic