Script-kiddie / client <IP> query (cache) '<host>/MX/IN' denied

Denis BUCHER dbucherml at hsolutions.ch
Tue Aug 3 19:09:41 UTC 2010


Le 03.08.2010 18:28, wllarso a écrit :
>> This seems to be due to a script-kiddie.
>> I would like to know if I can block hosts doing that at the level of
>> /etc/hosts.allow or should I do it at the level of Bind itself?
>> And sorry if this is not 100% on topic, I know it's at the border
>> between BIND and OS...
>
> On topic question.  Don't worry.
>
> You could always use the "blackhole" directive in the BIND configuration
> to avoid responding to this address.

Do you think it is better or equal to the firewall solution?

> This will prevent your server from
> responding to queries from this address.  See the BIND ARM for more info
> about how to use this.  The problem is that this solution would prevent a
> DNS server at this address from querying your server for legitimate
> purposes.  (Quickly, this address doesn't appear to be running a DNS server
> at the moment.)

Yes ;-)

> Then again, if you are running a firewall on your server (or in front of
> it), you could always block traffic from this address as an alternative
> too.  This way your DNS server would never even see these queries to have
> to block.

Yes, that's what I did for the moment...

> But as a more complete solution, is this an authoritative server for some
> zone(s) that you are responsible for, or is this a recursive server for
> your customers?

It is an authoritative server for some domains, yes...

> If it is an authoritative server, then you should have it
> configured to not answer recursive queries for everyone in the world.

Yes, that would be interesting. Does it mean that only authoritative
zones would be allowed in queries? In fact it seems it does not answer
any query, as in the logs it says "denied". Am I right on this point or
not?

> If
> it is a recursive server, then you should be limiting who can query it and
> not respond to non-authorized queries.  You can use the BIND "view" to
> limit who is getting what from your server.
>
> Your logs indicate that this query was denied, so you may already have
> your server configured to not answer these queries from this address, so
> the last paragraph may not apply.

Ok

> But, it is worth looking at your
> configuration just to confirm your server is "reasonably" configured.

Ok I will check for that...

Thanks a lot for your advice, it makes things a little clearer for me
now :-)

Denis
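As an added illustration (not part of the thread and not from either poster), here is a named.conf fragment that shows the three options wllarso mentions: the "blackhole" directive, an authoritative-only configuration that refuses recursion, and a pair of views that give recursion only to trusted clients. All addresses, the ACL name and the zone are constructed placeholders. The "query (cache) '...' denied" log line in the subject is exactly what BIND 9 logs when a client is refused cache/recursive service under such a configuration; queries for the server's own zones are still answered, so the answer to Denis's question is that only the non-authoritative (recursive) queries are being refused.

```conf
// Added example, not from the bind-users thread. Addresses are placeholders.

// Constructed: the resolvers/clients that are allowed to recurse through us.
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };

options {
    directory "/var/named";

    // 1. "blackhole": named silently drops every packet from these addresses.
    //    Caveat raised in the thread: a legitimate DNS server at that address
    //    could then no longer query this server at all.
    blackhole { 198.51.100.23; };      // constructed offending address

    // 2. Authoritative-only behaviour for the world at large: no recursion and
    //    no cache access for anyone. Queries for our own zones are answered;
    //    anything else (e.g. <host>/MX from the log) is REFUSED and logged as
    //    "query (cache) '<host>/MX/IN' denied".
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
};

// 3. Views, if the same server must also recurse for trusted clients.
//    Views are matched in order, so the trusted view comes first.
view "internal" {
    match-clients { trusted; };
    recursion yes;
    zone "example.com" { type master; file "example.com.db"; };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" { type master; file "example.com.db"; };
};
```

Validate the file with `named-checkconf` before reloading. Note that once views are used, every zone must live inside a view; the "external" view above is what the rest of the Internet sees, and it still serves the authoritative zone while refusing recursive lookups.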
