Fw: How to block DNS record scans ? (more info)

Gregory Hicks ghicks at cadence.com
Mon Apr 25 23:45:01 UTC 2005


> From: "Sylvan Andrew" <sylvan_nids at norfolk.nf>
> To: <bind-users at isc.org>
> Subject: Fw: How to block DNS record scans ? (more info)
> Date: Tue, 26 Apr 2005 10:14:49 +1130
> 
> Hello,
> 
> Wow! Thanks so much to all the people who responded and passed on some 
> great ideas.
> 
> Unfortunately we can't block by source address of the DNS request because 
> they are using legit open DNS servers to do the requests. For nearly every 
> DNS request they seem to use a different source IP. Regardless of source IP 
> the requests follow a logical alphabetical order. I estimated they are using 
> a pool of more than 20 plus DNS servers.

Sylvan:

How were you able to identify this?  What does your logging section
look like?

The reason I ask is because I am not able to see anything like this...
(Of course, it may have happened so long ago that the logs rotated
off...)

Regards,
Gregory Hicks

> 
> One suggestion from Stephan was:
> 
> > As a first step... agreed.
> > But that shouldn't be the final solutions as he will be always one step 
> > behind a possible attacker. I would strongly suggest an intelligent IDS / 
> > IPS which recognizes such attacks and blocks them dynamically
> 
> Has anybody had any successful experiences with this?
> 
> I don't know much about Bind but it seems a shame that it hasn't got a 
> 'don't bother replying to wanker requests' switch built in.
> 
> Any other ideas or a way to achieve this are much appreciated.
> 
> Thanks
> 
> Sylvan
> 
> 
> 
> > Hello,
> > 
> > Is there anyone who could help us? It would be much appreciated. Two of
> > our DNS servers are continually getting scanned with some type of script 
> > that tries every combination possible from A-Z.
> > Rather than limit the amount of DNS requests our servers handle on a time 
> > basis, is there anyone who knows a way to modify the response to an entry 
> > record not being found?
> > Basically we'd want it so that if it was a valid entry bind would reply 
> > straight away; if it was an invalid entry we'd like, rather than an immediate 
> > 'not found' response, to modify it so it just times out.
> > Does anyone have any ideas where in Bind we could modify it to do this? 
> > Does anyone have any other ideas to combat this problem?
> > 
> > Thanks for your time.
> > 
> > Regards
> > 
> > Sylvan

-------------------------------------------------------------------
Gregory Hicks                        | Principal Systems Engineer
Cadence Design Systems               | Direct:   408.576.3609
555 River Oaks Pkwy M/S 6B1          | Fax:      408.894.3400
San Jose, CA 95134                   | Internet: ghicks at cadence.com

I am perfectly capable of learning from my mistakes.  I will surely
learn a great deal today.

"A democracy is a sheep and two wolves deciding on what to have for
lunch.  Freedom is a well armed sheep contesting the results of the
decision." - Benjamin Franklin

"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton
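Gregory's question about how the scan was identified is really a detection question: the source addresses keep changing (the queries are relayed through open resolvers), but the names themselves arrive in alphabetical order. The script below is an added example, not code from this thread or from ISC; it assumes BIND 9 query logging is enabled (`category queries` in the `logging` section, or `querylog yes`), assumes the two common query-log line shapes shown in the constructed sample (addresses are documentation ranges), and flags a zone when its names are queried in near-perfect alphabetical order from many distinct sources.

```python
"""Detect an alphabetical name-enumeration scan in BIND 9 query logs.

Blocking by source address does not help when each query comes from a
different open resolver, but the ordering of the queried names is still
visible once you look at names in arrival order rather than at who asked.
"""
import re
from collections import defaultdict

# Assumption: query-log lines carry "client <ip>#<port>" and
# "query: <name> IN <type>"; newer releases add a "@0x..." client handle.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+.*?"
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample lines (RFC 5737 documentation ranges), not real traffic.
# Nine different sources walk example.com alphabetically; one workstation
# makes ordinary, unordered queries for corp.example in between.
SAMPLE_LOG = """\
client 192.0.2.10#1053: query: aaa.example.com IN A +
client 198.51.100.5#40001: query: www.corp.example IN A +
client 192.0.2.11#1071: query: aab.example.com IN A +
client @0x7f2b3c001230 192.0.2.12#42117 (aac.example.com): query: aac.example.com IN A +E(0) (203.0.113.1)
client 198.51.100.5#40002: query: mail.corp.example IN MX +
client 192.0.2.13#1090: query: aad.example.com IN A +
client 192.0.2.14#1102: query: aae.example.com IN A +
client 192.0.2.15#1110: query: aaf.example.com IN A +
client 198.51.100.5#40003: query: ftp.corp.example IN A +
client 192.0.2.16#1121: query: aag.example.com IN A +
client 192.0.2.17#1130: query: aah.example.com IN A +
client 192.0.2.10#1142: query: aai.example.com IN A +
client 192.0.2.18#1150: query: aaj.example.com IN A +
""".splitlines()


def parse_query(line):
    """Return (source_ip, qname) for a query-log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("name").rstrip(".").lower()


def zone_of(qname):
    """Split a name into its leftmost label and the zone being probed."""
    label, _, zone = qname.partition(".")
    return label, zone


def scan_report(lines, min_queries=8, min_sources=5, min_ordered=0.9):
    """Per zone: query count, distinct sources, and the fraction of consecutive
    queries whose leftmost label sorts after the previous one.

    A zone is flagged when many queries arrive almost entirely in ascending
    order from many distinct sources, which is the signature described in the
    thread. Thresholds are assumptions; tune them per zone and time window.
    """
    labels = defaultdict(list)
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue
        ip, qname = parsed
        label, zone = zone_of(qname)
        labels[zone].append(label)
        sources[zone].add(ip)

    report = {}
    for zone, seq in labels.items():
        pairs = list(zip(seq, seq[1:]))
        ordered = sum(1 for a, b in pairs if a < b) / len(pairs) if pairs else 0.0
        report[zone] = {
            "queries": len(seq),
            "sources": len(sources[zone]),
            "ordered_fraction": round(ordered, 3),
            "suspicious": (len(seq) >= min_queries
                           and len(sources[zone]) >= min_sources
                           and ordered >= min_ordered),
        }
    return report


if __name__ == "__main__":
    for zone, stats in scan_report(SAMPLE_LOG).items():
        print(zone, stats)
```

In production, feed the function a sliding window of recent lines (the sample is one burst) and restrict it to zones the server is authoritative for; a flagged zone is a cue to look at the response codes and rate for that zone, not a verdict on any single source address.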