Linode Forum https://forum.linode.com/

Bind 9 and "." queries? https://forum.linode.com/viewtopic.php?f=19&t=3835
Author: A32 [ Tue Jan 20, 2009 1:32 am ]
Post subject: Bind 9 and "." queries?
Does anybody know how to configure Bind9 to NOT respond to "." queries? Thanks
|
Author: Xan [ Tue Jan 20, 2009 2:56 am ]
Presumably you're dealing with the DNS DDOS going around? http://isc.sans.org/diary.html?storyid=5713 I've triaged the situation by blocking DNS traffic "from" those 4 IPs in iptables. I'm afraid I don't know how to configure BIND 9 to not reply; I'm not using BIND 9, but I don't know how to do it on my server either!
|
Author: A32 [ Tue Jan 20, 2009 7:29 pm ]
Yeah.. That's what I'm talking about. They've got a new IP now, though. I'm *really* surprised that nobody else is responding to this thread. You'd think people would be just a little upset about it. Or did I miss a thread somewhere else? Or am I the only one getting hammered? Maybe I should use the Linode DNS manager instead of running my own.
|
Author: sweh [ Tue Jan 20, 2009 11:50 pm ]
One easy way is that in your options section set allow-query { none; }; (or list the addresses/networks you want to allow), and then for each zone you are master/slave for add an allow-query { any; }; eg
Code:
options {
(here "1.2.3.4" is my own IP address)
Now anyone asking for "." will get a REJECT packet. This isn't the same as blocking the traffic, but the response is the same size as the request so you aren't amplifying the traffic. In addition you can use the blacklist{} option to block known bad addresses.
|
Author: A32 [ Wed Jan 21, 2009 12:55 am ]
Hey! Thanks for answering.. I have a stupid question, though. If I allow-query { 127.0.0.1; 1.2.3.4; } Wouldn't that cut off communication with the entire world? Or am I misunderstanding that option? If no others can make queries about my domains, how would the world know where to reach me? BTW: Those IPs have already been blocked a while ago and my load says "Idle" but it just bugs the crap out of me that they're still hitting it. When will it stop? Is there no way to unspoof a spoofed IP?
|
Author: saman007uk [ Wed Jan 21, 2009 5:28 am ]
A32 wrote: Hey! Thanks for answering.. I have a stupid question, though. If I allow-query { 127.0.0.1; 1.2.3.4; } Wouldn't that cut off communication with the entire world? Or am I misunderstanding that option? If no others can make queries about my domains, how would the world know where to reach me?
Look at sweh's example carefully.
|
Author: sweh [ Wed Jan 21, 2009 7:42 am ]
A32 wrote: If I allow-query { 127.0.0.1; 1.2.3.4; } Wouldn't that cut off communication with the entire world? Or am I misunderstanding that option?
Look inside the "zone" configuration and spot the additional allow-query { any; }; which allows anyone to query _that zone_.
Quote: When will it stop? Is there no way to unspoof a spoofed IP?
No. ISPs should provide egress filtering at their borders so that spoofed IPs (not from their range) are blocked and never make it to the internet. It's irresponsible to not do that. Better would be to block down to the customer level, but the infrastructure may not be able to handle that.
|
Author: A32 [ Wed Jan 21, 2009 11:42 am ]
sweh wrote: Look inside the "zone" configuration and spot the additional allow-query { any; }; which allows anyone to query _that zone_
Ahh... It makes total sense now
|
Author: tronic [ Sat Apr 18, 2009 2:26 am ]
Post subject: Following up
BIND 9 of a sufficiently recent vintage (9.3 or later?) can do this in named.conf in the options stanza: additional-from-cache no; Seems to work. I put this in when it first became noticed, but didn't see this post until just now. Leaving a reply here to benefit anyone who might stumble across this thread in the future.
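An added named.conf example, not configuration taken from sweh's or tronic's posts, laying out the per-zone allow-query pattern sweh describes together with tronic's additional-from-cache setting. The zone name, file names and addresses are assumed placeholders (RFC 5737 documentation ranges), recursion no is an addition the thread does not mention, and BIND's actual name for the option sweh calls blacklist{} is blackhole{}.

```conf
// Added example (not sweh's or tronic's own config): an authoritative-only
// named.conf in the shape described in this thread. Zone name, file names and
// the addresses 192.0.2.10 (this server) and 198.51.100.0/24 (a source to
// drop) are constructed placeholders.

// Addresses allowed to ask this server about anything, including ".".
acl "trusted" { 127.0.0.1; 192.0.2.10; };

options {
    directory "/var/named";

    // Default for every query that no zone statement overrides: refuse.
    // A query for "." (the root) matches no zone below, so it gets REFUSED,
    // a reply no larger than the request, so nothing is amplified.
    allow-query { trusted; };

    // Authoritative-only (assumption beyond the thread): never resolve
    // names on behalf of outside clients.
    recursion no;

    // tronic's setting: do not pad answers with records from the cache,
    // which keeps responses small even for names we do answer.
    additional-from-cache no;

    // What sweh calls the blacklist: BIND's option is blackhole.
    // Queries from these sources are dropped silently, no REFUSED is sent.
    blackhole { 198.51.100.0/24; };
};

// Each zone we are master or slave for re-opens queries to everyone,
// so the world can still resolve the names we are authoritative for.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};
```

Check the result with named-checkconf before reloading, and verify from an outside address that a query for "." IN NS returns REFUSED while a query for a name in example.com still gets an answer.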
|
All times are UTC-04:00