query (cache) denied (revisited)

Matus UHLAR - fantomas uhlar at fantomas.sk
Wed Jul 29 15:12:48 UTC 2009


> In message <84010000907190740j60000e04pc23316827fe0b9ef at mail.gmail.com>, Bradley Caricofe writes:
[...]
> > 19-Jul-2009 10:34:29.635 client 84.235.6.53#1276: query (cache) '6q6vszqgm.w8n08fo0.taha.com/A/IN' denied
[...]
> > There are a total of 26000 ip's hitting us daily and causing these queries.
> > Of these, only a handful are sending a lot of traffic, maybe a few dozen.
> > The worst sent 37000 queries yesterday. I'm trying to determine if this is
> > reflector attack behavior or if some of these hosts were successfully using
> > our servers for DNS in the past. Our server is refusing these queries and I
> > believe the old servers did so as well.
> > 
> > Is there anything I can do to filter or otherwise reduce these hits? Again,
> > I'm sorry for rehashing an old subject, but I don't have this figured out.

On 20.07.09 10:15, Mark Andrews wrote:
> Take the addresses that are sending lots of queries and look up the
> abuse contacts in whois and send them a report asking for the traffic
> to be stopped.  If it is a misconfiguration then it should stop.
> If you are being used as a reflector you should also get feedback.
> 
> You should also look at the names in the queries and make sure you
> are not being delegated to but don't have the zone configured.

You can also be bad to them and provide a fake root zone with a wildcard record
returning the localhost IP. However, be very careful not to provide that to your
own recursive clients. I occasionally use that on the biggest abusers.
-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
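The first two steps Mark suggests (find the addresses sending the most denied queries so you can report them, and look at the queried names to see whether a zone is being delegated to you that you never configured) can be scripted straight from the "query (cache) ... denied" log lines. The following is an added example, not code from the thread or from BIND: it parses the BIND 9 log format quoted above, counts denied queries per client and per zone, emits a BIND `acl` block for the worst sources, and lists zones that are being asked for but are absent from a set of configured zones. The log lines, the `CONFIGURED_ZONES` set, the report threshold and the two-label "zone" heuristic are all constructed assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# BIND 9 "query (cache) ... denied" line, as quoted in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<name>[^/]+)/(?P<type>[A-Z0-9]+)/(?P<class>[A-Z]+)' denied$"
)

# Constructed sample log. Only the first line mirrors the one quoted in the thread;
# the rest use documentation addresses/names and exist purely to exercise the code.
SAMPLE_LOG = """\
19-Jul-2009 10:34:29.635 client 84.235.6.53#1276: query (cache) '6q6vszqgm.w8n08fo0.taha.com/A/IN' denied
19-Jul-2009 10:34:29.702 client 84.235.6.53#1276: query (cache) 'x1k9.taha.com/A/IN' denied
19-Jul-2009 10:34:30.011 client 84.235.6.53#1301: query (cache) 'abcd.taha.com/A/IN' denied
19-Jul-2009 10:34:30.412 client 192.0.2.7#53: query (cache) 'www.example.net/A/IN' denied
19-Jul-2009 10:34:31.150 client 198.51.100.9#40000: query (cache) 'mail.example.org/MX/IN' denied
19-Jul-2009 10:34:31.900 client 192.0.2.7#53: query (cache) 'ftp.example.net/A/IN' denied
19-Jul-2009 10:34:32.000 some unrelated log line that must be skipped
"""

# Assumption for the example: zones this server actually serves authoritatively.
CONFIGURED_ZONES = {"example.org"}


def parse_denied(lines):
    """Yield (client_ip, qname, qtype) for every denied cache query; skip other lines."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("name").lower().rstrip("."), m.group("type")


def registered_zone(qname, labels=2):
    """Crude zone guess: the last `labels` labels of the name (no public-suffix list; assumption)."""
    parts = qname.split(".")
    return ".".join(parts[-labels:]) if len(parts) >= labels else qname


def summarize(lines):
    """Count denied queries per client and per zone, and collect the distinct names per zone."""
    per_client, per_zone, zone_names = Counter(), Counter(), defaultdict(set)
    for ip, qname, _qtype in parse_denied(lines):
        per_client[ip] += 1
        zone = registered_zone(qname)
        per_zone[zone] += 1
        zone_names[zone].add(qname)
    return per_client, per_zone, zone_names


def top_talkers(per_client, threshold):
    """Clients at or above `threshold` denied queries, busiest first: the whois/abuse-report list."""
    return [ip for ip, n in per_client.most_common() if n >= threshold]


def zones_to_check(per_zone, configured):
    """Zones being asked for that are not configured here, busiest first.
    Each one is a candidate for 'are we delegated to but missing the zone?' (check its NS records)."""
    return [z for z, _n in per_zone.most_common() if z not in configured]


def bind_acl(name, ips):
    """Render a named.conf acl block for use in e.g. a blackhole or match-clients clause."""
    body = "".join(f"    {ip};\n" for ip in ips)
    return f'acl "{name}" {{\n{body}}};\n'


if __name__ == "__main__":
    per_client, per_zone, zone_names = summarize(SAMPLE_LOG.splitlines())
    print("denied queries per client:", per_client.most_common())
    print("report these:", top_talkers(per_client, threshold=2))
    for zone in zones_to_check(per_zone, CONFIGURED_ZONES):
        print(f"unconfigured zone {zone}: {per_zone[zone]} queries, "
              f"{len(zone_names[zone])} distinct names, e.g. {sorted(zone_names[zone])[0]}")
    print(bind_acl("dns-abusers", top_talkers(per_client, threshold=2)))
```

Run it against a real `named` query log instead of `SAMPLE_LOG` and raise the threshold to whatever separates the "few dozen" heavy senders from the long tail. A zone that shows up with many distinct, random-looking labels (like the `6q6vszqgm.w8n08fo0` prefix in the thread) is worth a `dig NS` to confirm whether it has been delegated to your servers; a single client sending a steady stream of ordinary names is more likely a stale resolver configuration to report to its abuse contact.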