Thanks Eric. Using the blackhole option sounds like a feasible option to block an IP
address. Instead of using the acl can I just use the option blackhole:
blackhole { xx.xx.xx.xx; };
The idea is to use the File::Tail Perl module in a script to tail the stats file
continuously and if the condition occurs then pick the source IP address and
insert the line
blackhole { xx.xx.xx.xx; };
in the named.conf under options and reload the configuration.
During these attacks we've experienced that named basically hangs because it
gets flooded with queries. With the blackhole option the recursion part to the
internet from such queries can be avoided but we can't avoid the incoming
queries from the attacker. So we will need to test this to determine how
effective it is.
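As an added example (not code from this thread or from ISC), a Python sketch of the detect-and-blackhole step described above. It assumes named's query log as input (querylog enabled; lines of the form "client a.b.c.d#port: query: ...") rather than the stats file, counts queries per source, and renders the acl "blackhats" block from Jeff's reply so only that block is regenerated and reloaded; the sample log lines, threshold and allowlist are constructed.

```python
import re
from collections import Counter

# Constructed BIND query-log lines (not from the thread); format follows
# named's querylog: "client <ip>#<port>: query: <name> <class> <type> <flags>".
SAMPLE_LOG = """\
26-Feb-2009 10:38:01.001 client 192.0.2.10#53001: query: www.example.com IN A +
26-Feb-2009 10:38:01.002 client 192.0.2.10#53002: query: mail.example.com IN MX +
26-Feb-2009 10:38:01.003 client 198.51.100.7#4000: query: example.net IN A +
26-Feb-2009 10:38:01.004 client 192.0.2.10#53003: query: a.example.org IN A +
26-Feb-2009 10:38:01.005 client 192.0.2.10#53004: query: b.example.org IN A +
26-Feb-2009 10:38:01.006 client 192.0.2.10#53005: query: c.example.org IN A +
26-Feb-2009 10:38:01.007 client 203.0.113.5#5353: query: example.com IN AAAA +
"""

CLIENT_RE = re.compile(r"client (\d{1,3}(?:\.\d{1,3}){3})#\d+: query:")


def count_sources(lines):
    """Count queries per source IP; lines that are not query entries are skipped."""
    counts = Counter()
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(counts, threshold, allowlist=()):
    """Sources at or above the threshold, minus an allowlist of IPs that must
    never be blackholed (forwarders, monitoring, your own resolvers)."""
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allowlist)


def render_acl(ips, name="blackhats"):
    """Render the ACL block; options keeps a fixed 'blackhole { blackhats; };'
    and only this block is regenerated (write it to an include file, run
    named-checkconf, then rndc reload). An empty list yields 'none;' so the
    ACL stays syntactically valid and matches nothing."""
    body = "".join(f"    {ip};\n" for ip in ips) or "    none;\n"
    return f'acl "{name}" {{\n{body}}};\n'


if __name__ == "__main__":
    hits = count_sources(SAMPLE_LOG.splitlines())
    print(render_acl(offenders(hits, threshold=5, allowlist={"203.0.113.5"})))
```

In production the counts would be kept per time window rather than cumulative, and, as Eric notes, the blackhole only stops named answering and recursing; the flood still reaches the socket.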
--- On Thu, 2/26/09, Jeff Lightner <[email protected]> wrote:
> From: Jeff Lightner <[email protected]>
> Subject: RE: Deny query from a single IP
> To: "Eric C. Davis" <[email protected]>, [email protected]
> Cc: [email protected]
> Date: Thursday, February 26, 2009, 10:38 AM
> That being said you CAN do what you asked:
>
> Create an ACL in named.conf:
>
> # Blackhats ACL - zones to be used in blackhole statement - will prevent
> # them from being allowed to query and will not respond to them.
> acl "blackhats" {
>   xx.xx.xx.xx;
> };
>
> (Where you put the specific IP in place of the xx.xx.xx.xx.)
>
> Then in the options section add a line to use the ACL:
> blackhole { blackhats; };
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Eric C. Davis
> Sent: Thursday, February 26, 2009 11:24 AM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: Deny query from a single IP
>
> It is better to do this with a real IPS rather than use your DNS server to
> do this. You should avoid having any unwanted traffic hit your DNS
> servers ever.
>
> Eric
> Prabhat Rana wrote:
> > Hello,
> > I have BIND 9.5 running on a Solaris 10 box. It provides recursive DNS
> > service. I'm trying to implement a script where it reads the BIND stats
> > file for all the incoming queries and if there are too many queries from
> > a single user (source IP) it will block queries from that particular IP.
> > In order for this to occur is there a parameter similar to allow-query
> > that I can inject into the named.conf to block query from a single IP
> > address when this condition occurs? Basically I'm trying to add a tool
> > to detect potential DOS attacks where we see too many queries from one
> > single IP. Any other suggestions would also be appreciated.
> >
> > Thanks
> > Prabhat.
> >
> > _______________________________________________
> > bind-users mailing list
> > [email protected]
> > https://lists.isc.org/mailman/listinfo/bind-users
>