How to block DNS record scans ?

Charles Cala charles_cala at yahoo.com
Wed Apr 20 06:59:57 UTC 2005


--- Sylvan Andrew <sylvan_nids at norfolk.nf> wrote:
> 
>  Hello,
> 
>  Is there anyone who could help us; it would be much appreciated. Two of 
> our DNS servers are continually getting scanned with some type of script 
> that tries every combination possible from A-Z.

A few questions…

Is this an authoritative server for a zone?
Is this just one zone in question, or all of *.nf?
Is this clogging up the pipe to the island (for everybody)?
(I am assuming that you're still running around 25 megs/second
total bandwidth for the island.)
Is this traffic coming from one IP or a range?
Are there other scans/probes from this ‘person’?
Is this related to the online gambling servers on the island?
Have you asked this person's ISP to stop it?

Probably the best defense is to modify the ACL of the 
router BEFORE the traffic goes onto the cable/sat going 
to your island.

If traffic load is not a concern then you can modify the 
incoming router ACL, or you can modify the allow-query line in BIND.

If you're feeling vindictive you can block the IP range of that ISP,
or if you're sure that the queries are coming from an end user, you
can add a wildcard record that lists

IN NS uratwit.example.com.
IN NS uratwit.example.net.
IN NS uratwit.example.org.
IN NS 1.0.0.127.in-addr.arpa.

And anything else you feel is proper.

Feel free to give us/me the source ip of your problems, and we
will see what can be done.
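As an added illustration of the allow-query option mentioned above (this is example configuration, not anything posted in the thread), a BIND 9 named.conf fragment for an authoritative server that refuses queries from one scanning prefix while still serving its zones to everyone else. The prefix 192.0.2.0/24, the secondary address 198.51.100.2 and the zone example.nf are constructed placeholders.

```conf
// Added example, not from the original post. Addresses are constructed
// placeholders from the RFC 5737 documentation ranges; substitute the
// source prefix actually seen in the query log.

acl "scanners" {
    192.0.2.0/24;
};

options {
    directory "/var/named";

    // Address match lists are evaluated in order and stop at the first
    // match, so the negated entry must come before "any". A client in
    // "scanners" gets REFUSED; every other client is answered as before.
    allow-query { !scanners; any; };

    // An authoritative-only server has no reason to recurse for anyone;
    // open recursion is the usual reason such a server gets hammered.
    recursion no;

    // Zone transfers only to the known secondary, never to arbitrary clients.
    allow-transfer { 198.51.100.2; };
};

zone "example.nf" {
    type master;
    file "example.nf.zone";
};
```

Note that allow-query still makes named receive the packet and send a REFUSED reply, so it protects the server's CPU and its data but not the link; as the post says, only an ACL on the router upstream of the satellite/cable link actually spares the island's bandwidth.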


