BIND recursive - DNS Nonsense Name Attacks

Blake Hudson blake at ispn.net
Fri May 29 14:06:09 UTC 2015


I've seen similar queries. Problem was traced to an open resolver at the 
client end (actually many open resolvers). Patched firmware resolves the 
issue with the client. BIND moving to a soft limit on the number of 
recursive clients a few years back seemed to mitigate any service impact 
these queries had.

--Blake

Neil wrote on 5/28/2015 6:08 PM:
> Hi Bind users,
>
> Just wondering if anyone else has seen the DNS nonsense name attacks on
> their recursives?
> Any way to mitigate such attacks?
>
> Currently running version 9.10. I already have ACLs and have RPZ deployed, but
> this is a "reactive" solution. I read that fetches-per-server and
> fetches-per-zone have been deployed to subscription releases; any timeline for
> code to be released in the public version? Anything else I can do?
>
> Some tcpdump logs:
> 17:35:26.520596 IP 211.27.99.62.1028 > 210.50.44.4.53: 17436+ A?
> nbpdrsthvwxlm.wwwww.jiajiaxhhq.com. (52)
> 17:35:26.572225 IP 211.27.99.62.1028 > 210.50.44.4.53: 17437+ A?
> gcjycliyggj.wwwww.jiajiaxhhq.com. (50)
> 17:35:26.604453 IP 211.27.99.62.1028 > 210.50.44.4.53: 17438+ A?
> zvltevrzkmfhtcq.wwwww.jiajiaxhhq.com. (54)
> 17:35:26.605662 IP 211.27.99.62.1028 > 210.50.44.4.53: 17439+ A?
> xcfpgnlbbwvwoyk.wwwww.jiajiaxhhq.com. (54)
> 17:35:26.637777 IP 211.27.99.62.1028 > 210.50.44.4.53: 17440+ A?
> ttqikqwpcvk.wwwww.jiajiaxhhq.com. (50)
> 17:35:26.704413 IP 211.27.99.62.1028 > 210.50.44.4.53: 17441+ A?
> abcqrsghijxlz.wwwww.jiajiaxhhq.com. (52)
> 17:35:26.704950 IP 211.27.99.62.1028 > 210.50.44.4.53: 17442+ A?
> aopdefthijklm.wwwww.jiajiaxhhq.com. (52)
> 17:35:26.715783 IP 211.27.98.70.1029 > 210.50.44.4.53: 63183+ A?
> eqw.wwwww.jiajiaxhhq.com. (42)
> 17:35:26.760114 IP 210.50.8.23.41508 > 210.50.44.4.53: 56630+ A?
> yjmtmpqxwbuh.wwwww.jiajiaxhhq.com. (51)
> 17:35:26.762262 IP 210.50.8.23.41508 > 210.50.44.4.53: 54127+ A?
> abelutejkzcl.wwwww.jiajiaxhhq.com. (51)
> 17:35:26.835637 IP 211.27.99.62.1028 > 210.50.44.4.53: 17443+ A?
> nbcqrsthvwxym.wwwww.jiajiaxhhq.com. (52)
>
> Thanks
> Neil

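The query pattern in the quoted tcpdump output (a different random leftmost label on every query under one parent name) can be picked out of a capture automatically. The following is an added example, not part of either poster's message: it groups queries by parent name and flags parents where nearly every query uses a new label. The sample lines, the addresses and names in them, the function name and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump format quoted above (wrapped lines rejoined);
# addresses and names are documentation placeholders, not the values from the post.
SAMPLE = """\
17:35:26.520596 IP 192.0.2.62.1028 > 198.51.100.4.53: 17436+ A? nbpdrsthvw.wwwww.victim.example. (49)
17:35:26.572225 IP 192.0.2.62.1028 > 198.51.100.4.53: 17437+ A? gcjycliygg.wwwww.victim.example. (49)
17:35:26.604453 IP 192.0.2.62.1028 > 198.51.100.4.53: 17438+ A? zvltevrzkm.wwwww.victim.example. (49)
17:35:26.715783 IP 192.0.2.70.1029 > 198.51.100.4.53: 63183+ A? eqw.wwwww.victim.example. (42)
17:35:26.760114 IP 203.0.113.23.41508 > 198.51.100.4.53: 56630+ A? yjmtmpqxwb.wwwww.victim.example. (49)
17:35:26.801000 IP 203.0.113.23.41509 > 198.51.100.4.53: 56631+ A? www.normal.example. (36)
17:35:26.802000 IP 203.0.113.23.41510 > 198.51.100.4.53: 56632+ A? www.normal.example. (36)
17:35:26.803000 IP 192.0.2.62.1030 > 198.51.100.4.53: 17439+ AAAA? mail.normal.example. (37)
"""

# src-ip.port > dst-ip.53: id[flags] qtype? qname. (len)
QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.53: \d+[+%]* "
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)")

def find_nonsense_parents(text, min_unique=4, min_ratio=0.8):
    """Return {parent: (unique_labels, total_queries, clients)} for parents
    where almost every query uses a different leftmost label."""
    labels, totals, clients = defaultdict(set), defaultdict(int), defaultdict(set)
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue                      # not an IPv4 DNS query line
        name = m["qname"].rstrip(".").lower()
        first, _, parent = name.partition(".")
        if not parent:                    # single-label name, nothing to group on
            continue
        labels[parent].add(first)
        totals[parent] += 1
        clients[parent].add(m["src"])
    # Legitimate names repeat labels (www, mail); random-label floods do not.
    return {p: (len(labels[p]), totals[p], sorted(clients[p]))
            for p in totals
            if len(labels[p]) >= min_unique
            and len(labels[p]) / totals[p] >= min_ratio}

if __name__ == "__main__":
    for parent, (uniq, total, srcs) in find_nonsense_parents(SAMPLE).items():
        print(f"{parent}: {uniq} unique labels in {total} queries from {srcs}")
```

On a real capture the thresholds need raising well above these demo values; flagged parents are candidates for an RPZ entry, and the client list points at the open resolvers described in the reply.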

