BIND recursive - DNS Nonsense Name Attacks

Neil neil20 at iprimus.com.au
Thu May 28 23:08:04 UTC 2015


Hi Bind users,

Just wondering if anyone else has seen the DNS nonsense name attacks on
their recursives?
Any way to mitigate such attacks?

Currently running version 9.10. I already have ACLs and have RPZ deployed, but
this is a "reactive" solution. I read that
fetches-per-server and fetches-per-zone have been deployed to subscription
releases; any timeline for
code to be released in the public version? Anything else I can do?

Some tcpdump logs:
17:35:26.520596 IP 211.27.99.62.1028 > 210.50.44.4.53: 17436+ A? nbpdrsthvwxlm.wwwww.jiajiaxhhq.com. (52)
17:35:26.572225 IP 211.27.99.62.1028 > 210.50.44.4.53: 17437+ A? gcjycliyggj.wwwww.jiajiaxhhq.com. (50)
17:35:26.604453 IP 211.27.99.62.1028 > 210.50.44.4.53: 17438+ A? zvltevrzkmfhtcq.wwwww.jiajiaxhhq.com. (54)
17:35:26.605662 IP 211.27.99.62.1028 > 210.50.44.4.53: 17439+ A? xcfpgnlbbwvwoyk.wwwww.jiajiaxhhq.com. (54)
17:35:26.637777 IP 211.27.99.62.1028 > 210.50.44.4.53: 17440+ A? ttqikqwpcvk.wwwww.jiajiaxhhq.com. (50)
17:35:26.704413 IP 211.27.99.62.1028 > 210.50.44.4.53: 17441+ A? abcqrsghijxlz.wwwww.jiajiaxhhq.com. (52)
17:35:26.704950 IP 211.27.99.62.1028 > 210.50.44.4.53: 17442+ A? aopdefthijklm.wwwww.jiajiaxhhq.com. (52)
17:35:26.715783 IP 211.27.98.70.1029 > 210.50.44.4.53: 63183+ A? eqw.wwwww.jiajiaxhhq.com. (42)
17:35:26.760114 IP 210.50.8.23.41508 > 210.50.44.4.53: 56630+ A? yjmtmpqxwbuh.wwwww.jiajiaxhhq.com. (51)
17:35:26.762262 IP 210.50.8.23.41508 > 210.50.44.4.53: 54127+ A? abelutejkzcl.wwwww.jiajiaxhhq.com. (51)
17:35:26.835637 IP 211.27.99.62.1028 > 210.50.44.4.53: 17443+ A? nbcqrsthvwxym.wwwww.jiajiaxhhq.com. (52)

Thanks
Neil
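
The capture above shows a different leftmost label on nearly every query under one parent name. As an added example (not part of the original post), the Python below parses tcpdump query lines and flags parent names with that pattern, along with the clients sending them. The function name and the thresholds min_unique and min_ratio are assumptions; the first six sample lines are from the post, and the example.com lines are constructed.

```python
import re
from collections import defaultdict

# tcpdump query line: <time> IP <src>.<sport> > <dst>.53: <id>+ <type>? <qname>. (<len>)
QUERY_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.53: \d+\+? "
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+?)\.? \(\d+\)$"
)

# First six lines: from the post. Last three: constructed benign traffic.
SAMPLE = """\
17:35:26.520596 IP 211.27.99.62.1028 > 210.50.44.4.53: 17436+ A? nbpdrsthvwxlm.wwwww.jiajiaxhhq.com. (52)
17:35:26.572225 IP 211.27.99.62.1028 > 210.50.44.4.53: 17437+ A? gcjycliyggj.wwwww.jiajiaxhhq.com. (50)
17:35:26.715783 IP 211.27.98.70.1029 > 210.50.44.4.53: 63183+ A? eqw.wwwww.jiajiaxhhq.com. (42)
17:35:26.760114 IP 210.50.8.23.41508 > 210.50.44.4.53: 56630+ A? yjmtmpqxwbuh.wwwww.jiajiaxhhq.com. (51)
17:35:26.762262 IP 210.50.8.23.41508 > 210.50.44.4.53: 54127+ A? abelutejkzcl.wwwww.jiajiaxhhq.com. (51)
17:35:26.835637 IP 211.27.99.62.1028 > 210.50.44.4.53: 17443+ A? nbcqrsthvwxym.wwwww.jiajiaxhhq.com. (52)
17:35:27.000001 IP 192.0.2.10.40000 > 210.50.44.4.53: 1001+ A? www.example.com. (33)
17:35:27.100001 IP 192.0.2.10.40000 > 210.50.44.4.53: 1002+ A? www.example.com. (33)
17:35:27.200001 IP 192.0.2.10.40000 > 210.50.44.4.53: 1003+ A? www.example.com. (33)
""".splitlines()

def find_nonsense_zones(lines, min_unique=5, min_ratio=0.9):
    """Flag parent names whose leftmost label is almost never repeated."""
    seen = defaultdict(lambda: {"queries": 0, "labels": set(), "clients": set()})
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # not a DNS query line in the expected format
        label, _, suffix = m["qname"].lower().partition(".")
        if not suffix:
            continue  # single-label name, nothing to group under
        entry = seen[suffix]
        entry["queries"] += 1
        entry["labels"].add(label)
        entry["clients"].add(m["src"])
    flagged = {}
    for suffix, entry in seen.items():
        unique = len(entry["labels"])
        # Many distinct labels, each seen about once: cache-busting lookups.
        if unique >= min_unique and unique / entry["queries"] >= min_ratio:
            flagged[suffix] = {"queries": entry["queries"], "unique_labels": unique,
                               "clients": sorted(entry["clients"])}
    return flagged

if __name__ == "__main__":
    for suffix, info in find_nonsense_zones(SAMPLE).items():
        print(suffix, info)
```

The flagged parent names are candidates for an RPZ entry, and the client list shows which sources to look at first; tune the thresholds against normal traffic, since CDN and tracking hostnames can also use many one-off labels.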



