On 21/01/2009, at 10:40 AM, Scott Haneda wrote:
Hello, looking at my logs today, I am getting hammered with these:
20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517: query (cache) './NS/IN' denied
20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593: query (cache) './NS/IN' denied
Repeated over and over, how do I tell what they are, and if they are
bad, what is the best way to block them?
--
Scott
Scott,
As you know, these are spoofed queries, created in the hope that you
will reflect traffic back to these IPs to assist in DDoSing them.
Patrik Rak posted to my blog an iptables rule, which is useful for
those of us running Linux, that drops this specific type of recursive
query; namely IN NS queries against '.'.
# Drop UDP/53 packets whose DNS payload is a single question for '.' NS IN.
# u32 test: 0>>22&0x3C = IP header length (IHL*4); @12>>16=1 -> QDCOUNT is 1;
# @20>>24=0 -> first byte of QNAME is 0, i.e. the root; @21=0x00020001 -> QTYPE NS, QCLASS IN.
iptables -A INPUT -j DROP -p udp --dport domain -m u32 --u32 \
"0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
I've tested it, and it appears effective. I now have blessed silence
in my logfiles.
Ideally it'd be great to be able to track back through the internet
and get every single network operator to implement BCP 38, but while
that's getting done (and good luck with that), you at least have a
workaround.
At least until the kiddies change what kind of query they use ... god
forbid they work out what names an authoritative nameserver WILL
respond to and query that.
Hope this helps,
Nathan.
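As an added example (not part of the thread, and not Patrik Rak's or ISC's code), the following Python does two defender-side things the thread touches on: it parses BIND 'query ... denied' log lines like Scott's and counts the root NS queries per client, and it decodes a raw IPv4/UDP datagram and applies the same four tests the u32 rule encodes (QDCOUNT 1, root QNAME, QTYPE NS, QCLASS IN), so the rule's behaviour can be checked against packets before it is deployed. The log regex, the packet builder and all sample data are assumptions constructed for this example.

```python
import re
import struct
from collections import Counter

# Assumed pattern for a BIND 9 'security' category denial line; adjust to your format.
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<name>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
)

# Constructed sample log lines; the first two client IPs are the ones quoted in the thread.
SAMPLE_LOG_LINES = [
    "20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517: query (cache) './NS/IN' denied",
    "20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593: query (cache) './NS/IN' denied",
    "20-Jan-2009 15:39:07.101 security: info: client 66.230.160.1#48517: query (cache) './NS/IN' denied",
    "20-Jan-2009 15:39:07.555 security: info: client 192.0.2.10#5353: query (cache) 'example.com/A/IN' denied",
]


def summarize_denied_root_ns(lines):
    """Count, per client IP, the denied queries that were exactly '. NS IN'."""
    counts = Counter()
    for line in lines:
        m = DENIED_RE.search(line)
        if m and m.group("name") == "." and m.group("qtype") == "NS" and m.group("qclass") == "IN":
            counts[m.group("ip")] += 1
    return counts


def is_root_ns_query(packet):
    """Apply the u32 rule's logic to a raw IPv4 datagram: UDP to port 53 carrying a
    DNS message with QDCOUNT == 1 whose first question is '.' NS IN."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4          # IP header length; u32 computes this as 0>>22&0x3C
    if packet[9] != 17:                   # IP protocol 17 is UDP
        return False
    udp = packet[ihl:]
    if len(udp) < 8 or struct.unpack("!H", udp[2:4])[0] != 53:   # --dport domain
        return False
    dns = udp[8:]                         # DNS message starts after the 8-byte UDP header
    if len(dns) < 17:                     # 12-byte header + 1-byte root name + QTYPE + QCLASS
        return False
    qdcount = struct.unpack("!H", dns[4:6])[0]        # u32: @12>>16=1
    if qdcount != 1:
        return False
    if dns[12] != 0:                                  # u32: @20>>24=0 (QNAME is the root)
        return False
    qtype, qclass = struct.unpack("!HH", dns[13:17])  # u32: @21=0x00020001
    return qtype == 2 and qclass == 1                 # NS, IN


def build_ipv4_udp_dns(labels, qtype, qclass, src="66.230.160.1", sport=48517):
    """Construct an IPv4/UDP/DNS query (checksums left zero; enough for the check above).
    An empty label list yields the root name '.'."""
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question + struct.pack("!HH", qtype, qclass)
    udp = struct.pack("!HHHH", sport, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")), bytes([192, 0, 2, 53]))
    return ip + udp


if __name__ == "__main__":
    for ip, n in summarize_denied_root_ns(SAMPLE_LOG_LINES).most_common():
        print(f"{ip}: {n} denied '. NS IN' queries")
    print("root NS packet matches rule:", is_root_ns_query(build_ipv4_udp_dns([], 2, 1)))
    print("example.com NS packet matches rule:", is_root_ns_query(build_ipv4_udp_dns(["example", "com"], 2, 1)))
```

The packet check mirrors the u32 offsets one for one, which is what you want when reasoning about what such a rule will and will not catch: it matches only when the very first question is the root NS/IN query, so ordinary recursive lookups pass untouched, while a change in the query shape (the point Nathan makes at the end) would also slip past it.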
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users