high volume from outside our networks question

rich carroll richcarroll at gmail.com
Thu Jan 31 18:05:29 UTC 2013 

Currently the box is running packet filter on freebsd.

I added:

antispoof log quick for em0 inet

but that did not trigger on any of the requests.

I am going to mess with views some time today, but if that doesn't stop
responses to requests from the outside, other then our domains, we will
move our domains back our registrar and let them do the publishing and only
use our dns servers for caching/recursing for our internal people and block
it from the outside.






On Thu, Jan 31, 2013 at 12:41 AM, Dmitri Tarkhov <tarkhov at dionaholding.ru>wrote:

> One very simple question - do you filter spoofed IPs
> at your firewalls?
> And, BTW, a lot of other must be stuff, like ports 135-139 ...
> (but that's another story)
>
> Personally I reject spoofed IPs even without logging.
>
>
>  They are more then likely spoofed IP's and
>> someone is using our servers to attack people.
>>
>
> rich carroll wrote:
>
>   acl "trusted" {
>>      xxx.xxx.xxx.0/20;
>>      xxx.xxx.xxx.0/23;
>>      xxx.xxx.xxx.0/22;
>>      xx.xxx.xxx.0/23;
>>      xx.xxx.xxx.0/23;
>>      xx.xxx.xxx.0/23;
>>      x.xx.xxx.0/21;
>>      x.xx.xx.0/24;
>>      xxx.xxx.xxx.0/24;
>>      localhost;
>>      localnets;
>>  };
>>
>> options {
>>     // Relative to the chroot directory, if any
>>     directory    "/etc/namedb";
>>     pid-file    "/var/run/named/pid";
>>     dump-file    "/var/dump/named_dump.db";
>>     statistics-file    "/var/stats/named.stats";
>>     allow-recursion { "trusted"; };
>>     allow-query    { any; };
>>     allow-query-cache { "trusted"; };
>>
>> Its standard conf with the default stuff in it as well as a 24 zones or so
>> in it.
>>
>>
>>
>> On Wed, Jan 30, 2013 at 3:30 PM, Steven Carr <sjcarr at gmail.com> wrote:
>>
>>
>>  So the response you received wasn't recursed ";; WARNING: recursion
>>> requested but not available", so at least that ACL is holding up, but
>>> it could be that the response you got is still being served from your
>>> DNS server's cache. Can you share the exact configuration statements
>>> you have implemented for allow-recursion and allow-query-cache and are
>>> these options in the view stanza or in the global options?
>>>
>>> Best practice is that authoritative and recursive DNS servers should
>>> be completely separate.
>>>
>>> Steve
>>>
>>>
>>
>>
>>
>>
>> ------------------------------**------------------------------**
>> ------------
>>
>>
>> ______________________________**_________________
>> Please visit https://lists.isc.org/mailman/**listinfo/bind-users<https://lists.isc.org/mailman/listinfo/bind-users>to unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/**listinfo/bind-users<https://lists.isc.org/mailman/listinfo/bind-users>
>>
>
> --
> Best regards,
> Dmitri Tarkhov
>
>
> ______________________________**_________________
> Please visit https://lists.isc.org/mailman/**listinfo/bind-users<https://lists.isc.org/mailman/listinfo/bind-users>to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/**listinfo/bind-users<https://lists.isc.org/mailman/listinfo/bind-users>
>



-- 
Richard Carroll
richcarroll at gmail.com
785-288-1144
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20130131/d53c2bd6/attachment.html>

More information about the bind-users mailing list