DNS attacking
Niall O'Reilly
Niall.oReilly at ucd.ie
Wed May 25 10:06:26 UTC 2011
On 25 May 2011, at 07:47, Jeff Pang wrote:
> Some IPs were continually attacking my DNS systems.
> Saw from the log, lots of requests from those IPs to query for
> non-existent records in the cache.
> Is there a way to prevent this instead of just blocking IPs with
> iptables? I'm running the latest BIND 9.7. Thanks.
The answer depends on information you haven't included.
Which of your DNS systems: resolvers or authoritative?
Where is the source of the attack: within your (or your
customers') networks, or out on the Internet?
You may wish to consider separating your authoritative
and resolver DNS services onto different servers, and
also denying access to the resolvers except from the
appropriate "service area". This is currently considered
good practice.
On the authoritative servers, I'd suggest you include
the following in your configuration (named.conf):
    // Authoritative-only server
    recursion no;                 // Do not provide recursive service
    allow-query { any; };         // Serve entire 'Net
    allow-query-cache { none; };  // Auth-only: keep cache private
    additional-from-cache no;     // Do not add additional data from cache
On the resolvers, we use the following; you'll need to specify
the address prefixes which match your own service area instead.
    // Service area: UCD networks
    allow-query {
        localnets;
        137.43.0.0/16;
        193.1.128.0/19;
        193.1.160.0/20;
        10.0.0.0/8;
        172.16.0.0/12;
        192.168.0.0/16;
        ::1;
        2001:770:98::/48;
    };
I hope this helps.
Niall O'Reilly
University College Dublin IT Services
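The advice above amounts to a service-area policy for the resolvers: only clients inside the listed prefixes should be reaching them at all. An added example, not part of the original thread or of BIND itself, is a small Python script that applies that same prefix list to BIND query-log lines and reports which clients are outside the service area and how many queries each sent, which is the evidence you would want before deciding whether the resolver ACL or a firewall rule is the right fix. The log lines are constructed to approximate BIND 9's `client <ip>#<port>: query: <name> IN <type>` format; the `localnets` keyword is assumed here to mean 127.0.0.0/8 only, and the resolver address 10.0.0.53 is a placeholder.

```python
import ipaddress
import re
from collections import Counter

# Service-area prefixes copied from the resolver allow-query list in the post.
# 'localnets' is BIND-specific; here it is assumed to expand to loopback only.
SERVICE_AREA = [ipaddress.ip_network(p) for p in (
    "127.0.0.0/8",       # assumed expansion of 'localnets'
    "137.43.0.0/16",
    "193.1.128.0/19",
    "193.1.160.0/20",
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "::1/128",
    "2001:770:98::/48",
)]

# Matches the client address and question in a BIND 9 query-log line.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log: two in-area clients, two outside clients, one junk line.
SAMPLE_LOG = """\
25-May-2011 07:40:01.101 client 137.43.1.10#53412: query: www.example.com IN A + (10.0.0.53)
25-May-2011 07:40:01.220 client 198.51.100.7#41020: query: a1b2c3.example.net IN A + (10.0.0.53)
25-May-2011 07:40:01.231 client 198.51.100.7#41021: query: d4e5f6.example.net IN A + (10.0.0.53)
25-May-2011 07:40:01.242 client 198.51.100.7#41022: query: g7h8i9.example.net IN A + (10.0.0.53)
25-May-2011 07:40:02.005 client 2001:770:98::1#55000: query: mail.example.com IN AAAA + (10.0.0.53)
25-May-2011 07:40:02.300 client 203.0.113.44#60001: query: example.org IN NS + (10.0.0.53)
this line is not a query-log entry and is skipped
"""


def in_service_area(ip: str) -> bool:
    """True if the client address falls inside any service-area prefix."""
    addr = ipaddress.ip_address(ip)
    # ipaddress returns False for a v4 address tested against a v6 network
    # (and vice versa), so mixing families in SERVICE_AREA is safe.
    return any(addr in net for net in SERVICE_AREA)


def analyse(lines):
    """Count queries per client and, separately, queries from outside the area.

    Returns (per_client, outside) where both are Counter objects keyed by
    client IP as it appeared in the log.
    """
    per_client = Counter()
    outside = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query-log line; ignore
        ip = m.group("ip")
        per_client[ip] += 1
        if not in_service_area(ip):
            outside[ip] += 1
    return per_client, outside


def flag_clients(per_client, outside, threshold=2):
    """Return [(ip, count, inside)] for clients worth a second look.

    A client is flagged if it is outside the service area (any count) or
    inside but over 'threshold' queries in the sample; sorted by count desc.
    """
    flagged = []
    for ip, count in per_client.items():
        inside = ip not in outside
        if not inside or count > threshold:
            flagged.append((ip, count, inside))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    per_client, outside = analyse(SAMPLE_LOG.splitlines())
    for ip, count, inside in flag_clients(per_client, outside):
        where = "in service area" if inside else "OUTSIDE service area"
        print(f"{ip:<20} {count:>4} queries  {where}")
```

Run against a real query log (enable it with `rndc querylog` on the resolver), the `outside` counter is exactly the set of sources the resolver ACL in the post would start refusing; the `per_client` counter tells you whether an in-area client is also behaving badly, which the ACL alone would not address.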