DNS Flood -- Help!

Mark Damrose mdamrose at elgin.cc.il.us
Tue Jan 8 20:22:10 UTC 2002


<ewheeler at kaico.com> wrote in message news:a1fci7$kme at pub3.rc.vix.com...
>
>
> To whoever can help:
>
> We run a DNS server of a colocated facility with 90Mb/s capable
> throughput.  We have recently been attacked by queries from the 'DNS
> Abuser' exploit written some time ago
> (http://www.securitybugware.org/mUNIXes/4198.html).
>
> Since we are DNS masters for many domains, we have to respond to DNS
> queries from anywhere and can not limit the service to some range of
> source addresses.
>
> #1. Is there a way to make bind respond to only queries requesting
> information about the zones which it is authoritative for, dropping the
> rest?

options {
        // default for every zone that does not set its own allow-query
        allow-query { none; };
        // never chase names this server is not authoritative for
        recursion no;
};

in each zone you are authoritative for:

zone "example.com" in {
        type master;                 // assumed; keep your existing type/file lines
        file "example.com.zone";     // zone file name is illustrative
        allow-query { any; };        // zone-level setting overrides the options default
};

>
> #2. To make the problem more complicated, there are also hosts which use
> our server as their primary DNS.  This being said, I need to explicitly
> allow a set of source addresses to query the server in any way they
> choose, while conforming to #1 for all other queries.

I would recommend a separate server for this, but this should do the trick
as long as the IPs of your clients aren't spoofed.

// 3.4.5/24 is BIND shorthand for 3.4.5.0/24
acl clients { 1.2.3.4; 2.3.4.5; 3.4.5/24; 127.0.0.1; };


options {
        allow-query { clients; };       // non-zone queries only from known clients
        recursion yes;
        allow-recursion { clients; };   // and only they may use the resolver
};

zone "example.com" in {
        type master;                 // assumed; keep your existing type/file lines
        file "example.com.zone";     // zone file name is illustrative
        allow-query { any; };        // zone-level setting overrides the options default
};

>
> If #2 is not possible, a fix for #1 is imperative.  I have to keep
> dropping these floods as they come about based on their source address
> (which are spoofed, as best I can tell) -- Under flooding circumstances,
> the server pushes at 4.5Mbit/s; we have a 45GB quota per month.  Under a
> flood, we will use the entire quota in about 30 hours.
>
>
> Any input would be much appreciated.
> Thank you.
>
> --
>
> Eric Wheeler
> Network Administrator
> KAICO
> 20417 SW 70th Ave.
> Tualatin, OR 97062
> www.kaico.com
> Voice: 503.692.5268
>
>
>
>
>
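Both configurations in the reply above gate every query on nothing but the claimed source address, which is why the second one only holds up while client addresses are not spoofed. The script below is an added example, not code from the original post or from BIND itself: it parses the subset of named.conf used in the reply (acl, options, zone, allow-query, recursion, allow-recursion) and replays the decision BIND makes for a query, first match wins inside an address match list, `!` negates, named ACLs nest, a zone's own allow-query overrides the options-level default, and recursion is granted only with `recursion yes` and a client that passes allow-recursion. For names outside every authoritative zone it models modern BIND, which answers REFUSED; older versions returned an upward referral to the root hints instead. The zone names, addresses and the type/file lines in the embedded configs are constructed for the example.

```python
import ipaddress
import re

# Constructed named.conf fragments mirroring the two answers in the post
# (the type/file lines and zone file name are assumed, not from the post).
CONFIG_AUTH_ONLY = """options { allow-query { none; }; recursion no; };
zone "example.com" in { type master; file "example.com.zone"; allow-query { any; }; };"""
CONFIG_WITH_CLIENTS = """acl clients { 1.2.3.4; 2.3.4.5; 3.4.5/24; 127.0.0.1; };
options { allow-query { clients; }; recursion yes; allow-recursion { clients; }; };
zone "example.com" in { type master; file "example.com.zone"; allow-query { any; }; };"""

def tokenize(text):
    """Drop // and # comments, then split into words, quoted strings and { } ;."""
    text = re.sub(r'(//|#)[^\n]*', '', text)
    return re.findall(r'[{};]|"[^"]*"|[^\s{};"]+', text)

def parse_block(tokens, i=0):
    """Statements until '}' or end of input: each is (words, sub-block-or-None)."""
    stmts = []
    while i < len(tokens) and tokens[i] != '}':
        words, sub = [], None
        while tokens[i] not in ('{', ';'):
            words.append(tokens[i].strip('"'))
            i += 1
        if tokens[i] == '{':
            sub, i = parse_block(tokens, i + 1)
            i += 1                                  # step over the closing '}'
        if tokens[i] != ';':
            raise ValueError(f"expected ';' at token {i}")
        i += 1
        stmts.append((words, sub))
    return stmts, i

def load(text):
    """Collect acl, options and zone statements as {keyword: [values]} maps."""
    values = lambda sub: {w[0]: ([x[0] for x, _ in s] if s else w[1:]) for w, s in sub}
    conf = {'acls': {}, 'options': {}, 'zones': {}}
    for words, sub in parse_block(tokenize(text))[0]:
        if words[0] == 'acl':
            conf['acls'][words[1]] = [w[0] for w, _ in sub]
        elif words[0] == 'options':
            conf['options'] = values(sub)
        elif words[0] == 'zone':
            conf['zones'][words[1].lower()] = values(sub)
    return conf

def to_network(entry):
    """BIND accepts abbreviated IPv4 prefixes such as 3.4.5/24; pad them out."""
    addr, _, plen = entry.partition('/')
    if plen and ':' not in addr:
        octets = addr.split('.')
        addr = '.'.join(octets + ['0'] * (4 - len(octets)))
    return ipaddress.ip_network(f'{addr}/{plen}' if plen else addr, strict=False)

def match_aml(aml, ip, acls):
    """First matching element wins, '!' negates, named ACLs nest.
    Returns True (allowed), False (denied) or None (no element matched)."""
    for entry in aml:
        neg = entry.startswith('!')
        elem = entry[1:] if neg else entry
        if elem == 'any':
            hit = True
        elif elem == 'none':
            hit = False
        elif elem in acls:
            hit = match_aml(acls[elem], ip, acls) is True
        else:
            hit = ip in to_network(elem)
        if hit:
            return not neg
    return None

def authoritative_zone(conf, qname):
    """Longest configured zone containing qname, or None."""
    name = qname.rstrip('.').lower()
    hits = [z for z in conf['zones'] if name == z or name.endswith('.' + z)]
    return max(hits, key=len) if hits else None

def decide(conf, src_ip, qname):
    """Outcome for one query, judged only on the claimed source address:
    a packet spoofed from an allowed client address is treated as that client."""
    ip = ipaddress.ip_address(src_ip)
    acls, opts = conf['acls'], conf['options']
    zone = authoritative_zone(conf, qname)
    # A zone's own allow-query overrides the options-level default (any).
    aml = conf['zones'][zone].get('allow-query') if zone else None
    if aml is None:
        aml = opts.get('allow-query', ['any'])
    if match_aml(aml, ip, acls) is not True:        # no match means denied
        return 'REFUSED'
    if zone:
        return f'AUTHORITATIVE {zone}'
    # Not our data, so only recursion could answer.  Modern BIND refuses here;
    # older versions returned an upward referral to the root hints instead.
    rec = opts.get('allow-recursion', opts.get('allow-query', ['any']))
    if opts.get('recursion', ['yes']) == ['yes'] and match_aml(rec, ip, acls) is True:
        return 'RECURSIVE'
    return 'REFUSED'
```

Running `decide(load(CONFIG_WITH_CLIENTS), '1.2.3.4', 'www.victim.test')` yields RECURSIVE whether or not 1.2.3.4 really sent the packet, which is the spoofing caveat in the reply; with CONFIG_AUTH_ONLY the same query is REFUSED while anything under example.com is still answered for everyone. The model does not cover allow-query-cache, views or the pre-9.4 default of allowing recursion to anyone when allow-recursion is absent.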




More information about the bind-users mailing list