loads of Query denied... is it an attack or a misconfiguration ?

Matthew Huff mhuff at ox.com
Wed Feb 11 14:42:35 UTC 2009


I've been aware of this problem since it first came up on this list and on
NANOG's, but I'm having some configuration issues trying to get the upward
referral refused. I'm running bind-9.6.0P1, but I'm still seeing the NS
queries being answered in the log:

11-Feb-2009 09:34:25.489 queries: client 195.68.176.4#53715: view
external-in: query: . IN NS +
11-Feb-2009 09:35:04.525 queries: client 195.40.1.15#58313: view
external-in: query: ox.com IN NS -EDC
11-Feb-2009 09:35:28.121 queries: client 195.68.176.4#48472: view
external-in: query: . IN NS +
11-Feb-2009 09:35:44.138 queries: client 195.40.1.11#59164: view
external-in: query: ox.com IN NS -EDC
11-Feb-2009 09:36:30.755 queries: client 195.68.176.4#39942: view
external-in: query: . IN NS +
11-Feb-2009 09:37:33.388 queries: client 195.68.176.4#11158: view
external-in: query: . IN NS +
11-Feb-2009 09:38:36.022 queries: client 195.68.176.4#16095: view
external-in: query: . IN NS +

My config follows, any suggestion?

// Global defaults for the server. Both views below repeat or override several
// of these settings, so the view-level values are the ones that take effect
// for a client matched into a view.
options {
    directory "/var/named";
    pid-file "/var/named/named.pid";
    statistics-file "/var/named/named.stats";
    memstatistics-file "/var/named/named.memstats";
    dump-file "/var/adm/named.dump";
    zone-statistics yes;

    // Do not send NOTIFY messages on zone changes.
    notify no;

    transfer-format many-answers;
    max-transfer-time-in 60;
    // 0 turns off the periodic rescan of network interfaces.
    interface-interval 0;

    // Default posture: no recursion for anyone unless a view turns it on.
    recursion no;

    // `xfer` is an ACL defined outside this excerpt; only its members may
    // request zone transfers.
    allow-transfer { xfer; };
    // Deny-by-default: a zone is answerable only where a view or zone block
    // supplies its own allow-query.
    allow-query { none; };
    allow-recursion { none; };

    // Do not fill the additional section from other authoritative zones or
    // from the cache.
    additional-from-auth no;
    additional-from-cache no;
};

// View for clients in the `trusted` ACL (defined outside this excerpt).
// It is listed before "external-in", whose match-clients is `any`, so trusted
// clients are matched here first. Recursion and cache access are enabled in
// this view and limited to the same ACL.
view "internal-in" in {
  match-clients { trusted; };
  recursion yes;
  additional-from-auth yes;
  additional-from-cache yes;
  allow-query { trusted; };
  allow-recursion { trusted; };
  // Cache access is set explicitly here; "external-in" has no matching line.
  allow-query-cache { trusted; };

  // Root hints, needed because this view recurses.
  zone "." in {
    type hint;
    file "db.cache";
  };

  zone "0.0.127.in-addr.arpa" in {
    type master;
    file "master/db.127.0.0";
    // `any` here is still bounded by the view's match-clients: only clients
    // matched into this view can reach the zone.
    allow-query {
      any;
    };
    allow-transfer { none; };
  };

  // No zone-level allow-query, so the view's `trusted` restriction applies.
  zone "foo.com" in {
    type master;
    file "master/db.foo";
   };

...
...
...

};

// Catch-all view for every client not matched by "internal-in".
// Intended posture: authoritative-only, answering nothing except zones that
// opt in with their own allow-query.
//
// NOTE(review): the `queries` log category records each query as it is
// received, so the `. IN NS` lines in the log excerpt do not by themselves
// show that an answer or referral was sent. Refusals are logged under the
// `security` category; confirm the actual response there or with a test
// query from an outside host.
// NOTE(review): a REFUSED reply is still a packet sent to the query's source
// address. If those sources are spoofed, only filtering in front of the server
// avoids sending anything at all.
view "external-in" in {
  match-clients { any; };
  recursion no;

  allow-transfer { xfer; };
  // View-wide deny; overridden per zone below.
  allow-query { none; };
  allow-recursion { none; };
  // NOTE(review): allow-query-cache is not set in this view, unlike in
  // "internal-in", so it falls back to a default derived from the other ACLs.
  // Stating `allow-query-cache { none; };` explicitly would make the intent
  // to refuse non-authoritative names (such as `.`) unambiguous; verify the
  // effective default on the running version.

  additional-from-auth no;
  additional-from-cache no;

  // NOTE(review): root hints are presumably unused in a view with recursion
  // off; confirm whether this zone needs to stay here.
  zone "." in {
    type hint;
    file "db.cache";
  };
 
  zone "foo.com" in {
    type master;
    file "master/db.foo";
    // Zone-level override of the view's `none`: this zone is publicly
    // queryable.
    allow-query { any; };
  };

...
...
...
};

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139
