Preventing the 'other' type of zone transfer
Brad Knowles
brad at stop.mail-abuse.org
Sat May 14 01:29:09 UTC 2005
At 12:04 PM -0400 2005-05-13, Stafford, Paige L. wrote:
> I'm looking for a clever way of stopping this. And if we
> can't, we want to at least slow it down. Creating dummy
> records for the unused IP addresses has not been effective.
Turn on query logging. Create a script to monitor your query
logs, and any IP address that generates too many "undesirable"
queries in a given period of time should be cut off at your firewall.
You can run firewall software on the machine itself and do this
locally, or you can do it at the network ingress point, or wherever
you like.
Or, run an IDS (e.g., "snort"), perhaps on a separate machine
which is connected to a "mirror port" on the switch, or connected to
the same hub as the nameserver, and have it looking exclusively at
DNS traffic. Configure it so that if it sees any undesirable DNS
traffic patterns, it will cause the respective IP addresses to be
cut off at the firewall.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.