How does query denial actually work?
Matus UHLAR - fantomas
uhlar at fantomas.sk
Wed Dec 23 17:44:55 UTC 2020
On 17.12.20 14:35, Andrew P. wrote:
> I was curious about one of the features in BIND. Per the Best Practices,
> my on-site primary nameserver for my public domains (the secondaries being
> with a large public DNS provider) is configured to only allow queries from
> within my LAN and transfers in the LAN and to the designated servers at
> the DNS provider, and the zones don't actually list the primary in NS
> records (only in the SOA record). So I'm seeing large numbers of bursts
> of denied errors like this:
> client @0x6e702710 220.127.116.11#21509 (.): query (cache) './ANY/IN' denied
> I'll get maybe 20 in a row in under 2 seconds from one IP address, then a time gap, then a similar burst supposedly from a different IP address.
> So, my questions are:
> 1. Are these attacks?
Yes, and they are very common on the internet.
> 2. Does BIND actually send a reject message back, or is it silent in such
> denial cases (as in, not still attacking with smaller packets the victim
> of a DNS amplification attack)?
Usually, yes. Those responses are small (I measured 74B now) and you can
limit them using responses-per-second or errors-per-second.
If you don't provide any service (domain) to the public, you can filter DNS
requests from the internet.
> I can't figure it out from reading the source code; I haven't so far been
> able to trace back from where the messages are logged to where (if any) a
> response packet would be transmitted.
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
M$ Win's are shit, do not use it !
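As an added illustration (not part of the thread, and not the poster's actual configuration), this named.conf fragment shows the setup described above: queries restricted to the LAN, transfers allowed only to the LAN and the provider's secondaries, and BIND's Response Rate Limiting used to cap the small REFUSED answers with responses-per-second and errors-per-second. The ACL prefixes, secondary addresses and zone name are assumed placeholders.

```conf
// Added example, not from the original message. Addresses are assumed
// placeholders taken from the RFC 5737 documentation ranges.
acl lan { 192.0.2.0/24; 127.0.0.1; };                          // assumed LAN prefix
acl provider-secondaries { 198.51.100.10; 198.51.100.11; };   // assumed secondaries

options {
    directory "/var/cache/bind";

    // Anyone outside the LAN gets RCODE REFUSED, and named logs the
    // "query (cache) './ANY/IN' denied" lines seen in the message above.
    allow-query       { lan; };
    allow-query-cache { lan; };
    recursion yes;
    allow-recursion   { lan; };

    // Response Rate Limiting: identical responses, including REFUSED and
    // other error responses, are limited per client /24 so a burst of
    // spoofed queries cannot turn the server into a reflector.
    rate-limit {
        responses-per-second 10;
        errors-per-second 5;
        window 5;
        // log-only yes;   // enable first to see what would be dropped
    };
};

zone "example.com" {              // assumed zone name
    type primary;                 // "type master" on older BIND 9 releases
    file "/etc/bind/db.example.com";
    allow-transfer { lan; provider-secondaries; };
    also-notify    { 198.51.100.10; 198.51.100.11; };
};
```

Dropping the packets at the firewall, as the reply also suggests, is done outside named.conf and removes even the small refusals from the wire.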