DNS attacking

Niall O'Reilly Niall.oReilly at ucd.ie
Wed May 25 10:06:26 UTC 2011

On 25 May 2011, at 07:47, Jeff Pang wrote:

> Some IPs were continuely attacked my DNS systems.
> Saw from the log, lots of requests from those IPs to query for the
> non-exist records in the cache.
> Is there a way to prevent this instead of just blocking IP with
> iptables? I'm running the latest BIND 9.7.  thanks.

	The answer depends on information you haven't included.

	Which of your DNS systems: resolvers or authoritative?

	Where is the source of the attack: within your (or your
	customers') networks, or out on the Internet?
	You may wish to consider separating your authoritative
	and resolver DNS services onto different servers, and
	also denying access to the resolvers except from the
	appropriate "service area".  This is currently considered
	good practice.

	On the authoritative servers, I'ld suggest you include
	the following in your configuration (named.conf):

  // Authoritative-only server
  recursion no;                         // Do not provide recursive service
  allow-query { any; };                 // Serve entire 'Net
  allow-query-cache { none; } ;         // Auth-only: keep cache private
  additional-from-cache no;             // Do not additional data from cache

	On the resolvers, we use the following; you'll need to specify
	the address prefixes which match your own service area instead.

  // Service area: UCD networks
  allow-query {

	I hope this helps.

	Niall O'Reilly
	University College Dublin IT Services

More information about the bind-users mailing list