Linode Forum
Linode Community Forums
 Post subject: Bind 9 and "." queries?
PostPosted: Tue Jan 20, 2009 1:32 am 
Senior Member

Joined: Wed May 16, 2007 12:46 am
Posts: 71
Does anybody know how to configure Bind9 to NOT respond to "." queries?

Thanks


 Post subject:
PostPosted: Tue Jan 20, 2009 2:56 am 
Senior Member

Joined: Sun Feb 08, 2004 7:18 pm
Posts: 562
Location: Austin
Presumably you're dealing with the DNS DDOS going around?

http://isc.sans.org/diary.html?storyid=5713

I've triaged the situation by blocking DNS traffic "from" those 4 IPs in iptables. I'm afraid I don't know how to configure BIND 9 to not reply; I'm not using BIND 9, but I don't know how to do it on my server either!


 Post subject:
PostPosted: Tue Jan 20, 2009 7:29 pm 
Senior Member

Joined: Wed May 16, 2007 12:46 am
Posts: 71
Yeah.. That's what I'm talking about. They've got a new IP now, though.

I'm *really* surprised that nobody else is responding to this thread. You'd think people would be just a little upset about it. Or did I miss a thread somewhere else? Or am I the only one getting hammered?

Maybe I should use the Linode DNS manager instead of running my own.


 Post subject:
PostPosted: Tue Jan 20, 2009 11:50 pm 
Senior Member

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
One easy way is that in your options section set allow-query { none; }; (or list the addresses/networks you want to allow), and then for each zone you are master/slave for add an allow-query {any; };

e.g.
Code:
options {
        listen-on { 127.0.0.1; 1.2.3.4; };
        allow-recursion { 127.0.0.1; 1.2.3.4; };
        // default for everything not covered by a zone below (e.g. "." queries)
        allow-query { 127.0.0.1; 1.2.3.4; };
        directory "/etc/zones";
};

zone "example.com" {
        type master;
        file "master";
        // zone-level setting overrides the options default for this zone only
        allow-query { any; };
};

(here "1.2.3.4" is my own IP address)

Now anyone asking for "." will get a REJECT packet. This isn't the same as blocking the traffic, but the response is the same size as the request so you aren't amplifying the traffic.

In addition you can use the blacklist{} option to block known bad addresses.

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)
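To see how the two allow-query levels in sweh's example combine, here is an added Python example (not from this thread and not BIND code) that parses a constructed named.conf in that shape and reports whether a query would be answered: the zone's own allow-query wins for names inside a hosted zone, and anything else, including a "." query, falls back to the options{} list. ACL matching is simplified (any/none/addresses/prefixes, no negation or named ACLs), and the config text, the client addresses and the zone names are all constructed for the example.

```python
import ipaddress
import re
# Constructed sample named.conf (an assumption, not any real server's config)
# following the thread's pattern: deny by default, then open each hosted zone.
NAMED_CONF = """
options {
        allow-query { 127.0.0.1; 1.2.3.4; };
};
zone "example.com" {
        type master; file "master";
        allow-query { any; };
};
zone "internal.test" { type master; file "internal"; };
"""

def _blocks(text):  # yield (zone_name_or_None, body) for each options{}/zone{} block
    for m in re.finditer(r'\b(?:options|zone\s+"([^"]+)")\s*\{', text):
        depth, i = 1, m.end()
        while depth:  # walk forward to the matching close brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def _acl(body):  # allow-query tokens in body, or None when the block sets none
    m = re.search(r'allow-query\s*\{([^}]*)\}', body)
    return [t.strip() for t in m.group(1).split(";") if t.strip()] if m else None

def parse_named_conf(text):  # -> (global_acl, {zone: zone_acl_or_None})
    blocks = dict(_blocks(text))  # key None holds the options{} body
    global_acl = _acl(blocks.pop(None, "")) or ["any"]  # BIND default is any
    zones = {z.lower().rstrip("."): _acl(b) for z, b in blocks.items()}
    return global_acl, zones

def acl_allows(acl, client):  # simplified BIND ACL: any/none/address/prefix, no '!'
    ip = ipaddress.ip_address(client)
    for entry in acl:
        if entry in ("any", "none"):
            return entry == "any"
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def would_answer(conf, qname, client):  # does the effective allow-query admit client?
    global_acl, zones = conf
    name = qname.lower().rstrip(".")
    # Longest-suffix match finds the enclosing zone; a "." query matches none.
    zone = max((z for z in zones if name == z or name.endswith("." + z)),
               key=len, default=None)
    acl = zones.get(zone) if zone else None  # None -> inherit the options{} ACL
    return acl_allows(acl if acl is not None else global_acl, client)
```

A zone that sets no allow-query of its own (internal.test above) inherits the options{} list, so it stays closed to the outside world just like "." queries.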


 Post subject:
PostPosted: Wed Jan 21, 2009 12:55 am 
Senior Member

Joined: Wed May 16, 2007 12:46 am
Posts: 71
Hey! Thanks for answering.. I have a stupid question, though.

If I allow-query { 127.0.0.1; 1.2.3.4; }

Wouldn't that cut off communication with the entire world? Or am I misunderstanding that option?

If no others can make queries about my domains, how would the world know where to reach me?

BTW: Those IPs have already been blocked a while ago and my load says "Idle" but it just bugs the crap out of me that they're still hitting it.

When will it stop? Is there no way to unspoof a spoofed IP?


 Post subject:
PostPosted: Wed Jan 21, 2009 5:28 am 
Senior Member

Joined: Sat Oct 16, 2004 11:13 am
Posts: 176
A32 wrote:
Hey! Thanks for answering.. I have a stupid question, though.

If I allow-query { 127.0.0.1; 1.2.3.4; }

Wouldn't that cut off communication with the entire world? Or am I misunderstanding that option?

If no others can make queries about my domains, how would the world know where to reach me?


Look at sweh's example carefully.


 Post subject:
PostPosted: Wed Jan 21, 2009 7:42 am 
Senior Member

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
A32 wrote:
If I allow-query { 127.0.0.1; 1.2.3.4; }

Wouldn't that cut off communication with the entire world? Or am I misunderstanding that option?


Look inside the "zone" configuration and spot the additional allow-query {any; }; which allows anyone to query _that zone_

Quote:
When will it stop? Is there no way to unspoof a spoofed IP?


No. ISPs should provide egress filtering at their borders so that spoofed IPs (not from their range) are blocked and never make it to the internet. It's irresponsible to not do that. Better would be to block down to the customer level, but the infrastructure may not be able to handle that.

_________________
Rgds

Stephen

(Linux user since kernel version 0.11)


 Post subject:
PostPosted: Wed Jan 21, 2009 11:42 am 
Senior Member

Joined: Wed May 16, 2007 12:46 am
Posts: 71
sweh wrote:
Look inside the "zone" configuration and spot the additional allow-query {any; }; which allows anyone to query _that zone_


Ahh... It makes total sense now :-) Thank you.


 Post subject: Following up
PostPosted: Sat Apr 18, 2009 2:26 am 
Senior Member

Joined: Sat Dec 04, 2004 5:36 pm
Posts: 145
BIND 9 of a sufficiently recent vintage (9.3 or later?) can do this in named.conf in the options stanza:

additional-from-cache no;

Seems to work. I put this in when it first became noticed, but didn't see this post until just now. Leaving a reply here to benefit anyone who might stumble across this thread in the future.

