Bind stats - denied queries?
Marc Roos
M.Roos at f1-outsourcing.eu
Mon Nov 30 17:23:10 UTC 2020
Regardless if the source is spoofed or not, one should log it.
Especially with this amazon abuse cloud, how can you report abuse, they
want to have an ip address to be able to investigate if something
originated from their network.
If you log 0/24 you might as well log no range at all.
Am 30.11.20 um 11:12 schrieb Marc Roos:
> Are newer version of bind still logging like this
>
> Nov 30 10:10:02 ns0 named[1303]: rate-limit: info: limit responses to
> 3.9.41.0/24
> Nov 30 10:10:02 ns0 named[1303]: rate-limit: info: limit responses to
> 35.177.154.0/24
> Nov 30 10:10:02 ns2 named[1241]: rate-limit: info: limit responses to
> 35.177.154.0/24
> Nov 30 10:10:02 ns2 named[1241]: rate-limit: info: limit responses to
> 3.9.41.0/24
>
> I already reported, that it is not to smart to log 3.9.41.0/24, better
> could be logged 3.9.41.100/24 so you know the offending ip
there is nothing like an "offending ip" in case of dns-amplification
which is usually what happens in context of RRL
it's the forged destination of the attack you see and nothing else
More information about the bind-users
mailing list