List:       bind-users
Subject:    Re: strange queries in my DNS
From:       Matthew Seaman <m.seaman () infracaninophile ! co ! uk>
Date:       2011-04-25 17:10:43
Message-ID: 4DB5AB13.7040803 () infracaninophile ! co ! uk

On 25/04/2011 13:30, Victor Hugo dos Santos wrote:
> Yes.. I already read about DNS amplifier attack.. but in
> amplification attack, the query is about ".", but in my case, the
> queries aren't by the "root", but for "unused type" !!!!

No -- confusion of terms: '.' is the *root* of the DNS hierarchy.
Nothing to do with the unix superuser.

The RESERVED0 type of the query is certainly odd.  My guess is that's a
programming mistake by whoever is trying to run a DoS, as it probably
means he's not going to get any data in the responses and hence no
amplification effect.

> about the configuration, I can't apply the "allow-query" to restrict
> my DNS, because this is an authoritative server of many domains and I
> have the recursion disabled to external views.

OK -- an authoritative server should refuse to reply for a query for the
'.' zone from an arbitrary source, like so:

# dig @ns0.infracaninophile.co.uk . ANY

; <<>> DiG 9.6.2-P2 <<>> @ns0.infracaninophile.co.uk . ANY
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 43458
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;.				IN	ANY

;; Query time: 21 msec
;; SERVER: 81.187.76.162#53(81.187.76.162)
;; WHEN: Mon Apr 25 17:16:28 2011
;; MSG SIZE  rcvd: 17

So long as your server responds like that to external queries for the
'.' zone, whether type IN or type RESERVED0 or type whatever, then I
don't think you've got anything much to worry about.  20--30qps like
that should be trivial for any reasonable modern machine.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
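
The check described in the message above, as an added example that is not part of the original post: it builds the 17-byte `. ANY` and `. RESERVED0` (type 0) queries, parses a reply header, and confirms the reply is REFUSED, carries no records, and is no larger than the query, so there is no amplification. `SAMPLE_RESPONSE` is constructed from the header values in the dig output above; the function names and the `fetch` helper are assumptions of this example.

```python
import socket
import struct

REFUSED = 5                      # RCODE 5, RFC 1035
QTYPE_ANY, QTYPE_RESERVED0 = 255, 0

def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Encode a one-question query, class IN, RD set (as dig does by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l for l in qname.split(".") if l]          # "." -> no labels
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": flags >> 15, "rcode": flags & 0xF,
            "answer": an, "authority": ns, "additional": ar}

def amplification(query: bytes, response: bytes) -> float:
    """Response bytes returned per query byte; <= 1.0 means no gain."""
    return len(response) / len(query)

def is_safe_refusal(query: bytes, response: bytes) -> bool:
    """True if the reply matches the query, is REFUSED, and carries no data."""
    h = parse_header(response)
    return (h["qr"] == 1 and h["id"] == parse_header(query)["id"]
            and h["rcode"] == REFUSED
            and h["answer"] == h["authority"] == h["additional"] == 0
            and amplification(query, response) <= 1.0)

def fetch(server: str, query: bytes, timeout: float = 3.0) -> bytes:
    """Send the query over UDP to your own server (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recvfrom(4096)[0]

# Constructed sample: id 43458, flags qr+rd, status REFUSED, QUERY 1,
# all other counts 0, question ". IN ANY" -> 17 bytes ("MSG SIZE rcvd: 17").
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 43458, 0x8105, 1, 0, 0, 0)
                   + b"\x00" + struct.pack("!HH", QTYPE_ANY, 1))

if __name__ == "__main__":
    q = build_query(".", QTYPE_ANY, txid=43458)
    print(parse_header(SAMPLE_RESPONSE), amplification(q, SAMPLE_RESPONSE))
    print("safe refusal:", is_safe_refusal(q, SAMPLE_RESPONSE))
```

To test a live server, pass `fetch("<your server address>", q)` as the response argument from a host outside the server's trusted networks.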
