BIND recursive - DNS Nonsense Name Attacks
Blake Hudson
blake at ispn.net
Fri May 29 14:06:09 UTC 2015
I've seen similar queries. Problem was traced to an open resolver at the
client end (actually many open resolvers). Patched firmware resolves the
issue with the client. BIND moving to a soft limit on the number of
recursive clients a few years back seemed to mitigate any service impact
these queries had.
--Blake
Neil wrote on 5/28/2015 6:08 PM:
> Hi Bind users,
>
> Just wondering if anyone else has seen the DNS nonsense name attacks on
> their recursives?
> Any way to mitigate such attacks?
>
> Currently running version 9.10. I already have ACLs and have RPZ deployed, but
> this is a "reactive" solution. I read that fetches-per-server and
> fetches-per-zone have been deployed to subscription releases; any timeline
> for code to be released in the public version? Anything else I can do?
>
> Some tcpdump logs
> 17:35:26.520596 IP 211.27.99.62.1028 > 210.50.44.4.53: 17436+ A? nbpdrsthvwxlm.wwwww.jiajiaxhhq.com. (52)
> 17:35:26.572225 IP 211.27.99.62.1028 > 210.50.44.4.53: 17437+ A? gcjycliyggj.wwwww.jiajiaxhhq.com. (50)
> 17:35:26.604453 IP 211.27.99.62.1028 > 210.50.44.4.53: 17438+ A? zvltevrzkmfhtcq.wwwww.jiajiaxhhq.com. (54)
> 17:35:26.605662 IP 211.27.99.62.1028 > 210.50.44.4.53: 17439+ A? xcfpgnlbbwvwoyk.wwwww.jiajiaxhhq.com. (54)
> 17:35:26.637777 IP 211.27.99.62.1028 > 210.50.44.4.53: 17440+ A? ttqikqwpcvk.wwwww.jiajiaxhhq.com. (50)
> 17:35:26.704413 IP 211.27.99.62.1028 > 210.50.44.4.53: 17441+ A? abcqrsghijxlz.wwwww.jiajiaxhhq.com. (52)
> 17:35:26.704950 IP 211.27.99.62.1028 > 210.50.44.4.53: 17442+ A? aopdefthijklm.wwwww.jiajiaxhhq.com. (52)
> 17:35:26.715783 IP 211.27.98.70.1029 > 210.50.44.4.53: 63183+ A? eqw.wwwww.jiajiaxhhq.com. (42)
> 17:35:26.760114 IP 210.50.8.23.41508 > 210.50.44.4.53: 56630+ A? yjmtmpqxwbuh.wwwww.jiajiaxhhq.com. (51)
> 17:35:26.762262 IP 210.50.8.23.41508 > 210.50.44.4.53: 54127+ A? abelutejkzcl.wwwww.jiajiaxhhq.com. (51)
> 17:35:26.835637 IP 211.27.99.62.1028 > 210.50.44.4.53: 17443+ A? nbcqrsthvwxym.wwwww.jiajiaxhhq.com. (52)
>
> Thanks
> Neil
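A detection sketch for the query pattern in the tcpdump capture above, added here as an example and not code from either poster or from ISC: it groups queries by parent name and flags parents whose leftmost label almost never repeats. The function names and the thresholds `min_unique` and `min_ratio` are assumptions, and the `example.com` lines in the sample are constructed.

```python
import re
from collections import defaultdict

# One tcpdump DNS query line: time, "IP", src.port > dst.53:, id+flags, type?, name, (len)
QUERY_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.53: "
    r"\d+\S* [A-Z0-9]+\? (?P<qname>\S+?)\.? \(\d+\)$"
)

def parse_queries(lines):
    """Yield (client_ip, qname) for every line that is a query sent to port 53."""
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("qname").lower()

def nonsense_parents(lines, min_unique=5, min_ratio=0.9):
    """Map parent name -> stats where the leftmost label almost never repeats."""
    labels, clients = defaultdict(list), defaultdict(set)
    for src, qname in parse_queries(lines):
        label, _, parent = qname.partition(".")
        if parent:
            labels[parent].append(label)
            clients[parent].add(src)
    flagged = {}
    for parent, seen in labels.items():
        unique = len(set(seen))
        # Normal traffic repeats a few labels (www, mail); this pattern does not.
        if unique >= min_unique and unique / len(seen) >= min_ratio:
            flagged[parent] = {"queries": len(seen), "unique_labels": unique,
                               "clients": sorted(clients[parent])}
    return flagged

# Six lines are taken from the capture in the post; the example.com lines are constructed.
SAMPLE = """\
17:35:26.520596 IP 211.27.99.62.1028 > 210.50.44.4.53: 17436+ A? nbpdrsthvwxlm.wwwww.jiajiaxhhq.com. (52)
17:35:26.572225 IP 211.27.99.62.1028 > 210.50.44.4.53: 17437+ A? gcjycliyggj.wwwww.jiajiaxhhq.com. (50)
17:35:26.604453 IP 211.27.99.62.1028 > 210.50.44.4.53: 17438+ A? zvltevrzkmfhtcq.wwwww.jiajiaxhhq.com. (54)
17:35:26.715783 IP 211.27.98.70.1029 > 210.50.44.4.53: 63183+ A? eqw.wwwww.jiajiaxhhq.com. (42)
17:35:26.760114 IP 210.50.8.23.41508 > 210.50.44.4.53: 56630+ A? yjmtmpqxwbuh.wwwww.jiajiaxhhq.com. (51)
17:35:26.762262 IP 210.50.8.23.41508 > 210.50.44.4.53: 54127+ A? abelutejkzcl.wwwww.jiajiaxhhq.com. (51)
17:35:27.000001 IP 192.0.2.10.5353 > 210.50.44.4.53: 101+ A? www.example.com. (33)
17:35:27.100001 IP 192.0.2.11.5353 > 210.50.44.4.53: 102+ A? www.example.com. (33)
17:35:27.200001 IP 192.0.2.10.5353 > 210.50.44.4.53: 103+ MX? mail.example.com. (34)
"""

if __name__ == "__main__":
    for parent, stats in nonsense_parents(SAMPLE.splitlines()).items():
        print(parent, stats)
```

The flagged parent names and client addresses are the inputs an operator would review before adding a response-policy entry or chasing down an open resolver on the client side.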