Preventing a particular type of nameserver abuse

Julien Salort listes at
Tue Apr 13 09:31:31 UTC 2021

Le 13/04/2021 à 07:12, Ondřej Surý a écrit :

> BIND 9.11 has minimal-any option that’s helpful to reduce the attack 
> impact: 
> <>
> RRL should also help to limit the responses: 
> <>
> Usually the source IP is spoofed, so blocking it might be causing 
> collateral damage in case the target of the attack is a resolver, but 
> again in general case fail2ban that parses named log files might be a 
> good option to add a temporary ban on the ip. Just bear in mind you 
> are not blocking the attacker, but the victim.

I also have a lot of these (sl) queries in my logs.

Would it not be possible to have an option to tell bind to refrain from 
answering to all unauthorized queries over UDP?

Is there really a usefulness to reply with code 5, instead of silently 
ignoring the request?

A built-in option would be much easier than to require every server to 
have a dedicated fancy firewall rule.

But I have no idea how much work it would be to add this feature in bind.



More information about the bind-users mailing list