On Tue, 03 Aug 2010 18:01:27 +0200, Denis BUCHER <dbuche...@hsolutions.ch> wrote:
> Dear all,
>
> I have a question, it's not really a big problem, but it's annoying.
>
> In the logs I get plenty of lines like :
>> client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'denkstunde.de/MX/IN' denied: 2 Time(s)
>> client 202.152.172.4 query (cache) 'denktag.de/MX/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'denkweise-hosting.de/MX/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'denkwerk-berlin.de/MX/IN' denied: 2 Time(s)
>> client 202.152.172.4 query (cache) 'dj-falk.de/MX/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'dns01-tld.t-online.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'dns1.pro.vider.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'dns2.luact.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'dns6.pro.vider.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'docks10.rzone.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'docks18.rzone.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'docks19.rzone.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'docks20.rzone.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'f.nic.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)
>
> This seems to be due to a script-kiddie.
>
> I would like to know if I can block hosts doing that at the level of
> /etc/hosts.allow or should I do it at the level of Bind itself ?
>
> Currently it is working for sshd on this server to add lines in
> /etc/hosts.allow, but I would like to know if it would be possible for
> bind :
> sshd: 121.14.195.176: DENY
>
> # uname -a
> Linux (host) 2.6.27.25-78.2.56.fc9.i686 #1 SMP Thu Jun 18 12:47:50 EDT 2009 i686 i686 i386 GNU/Linux
> # cat /etc/redhat-release
> Fedora release 9 (Sulphur)
>
> Thanks a lot in advance for any help...
>
> And sorry if this is not 100% on topic, I know it's at the border
> between BIND and OS...

On topic question. Don't worry.

You could always use the "blackhole" directive in the BIND configuration to avoid responding to this address. This will prevent your server from responding to queries from this address. See the BIND ARM for more info about how to use this.

The problem is that this solution would prevent a DNS server at this address from querying your server for legitimate purposes. (Quickly, this address doesn't appear to be running a DNS server at the moment.)

Then again, if you are running a firewall on your server (or in front of it), you could always block traffic from this address as an alternative too. This way your DNS server would never even see these queries to have to block.

But as a more complete solution, is this an authoritative server for some zone(s) that you are responsible for, or is this a recursive server for your customers? If it is an authoritative server, then you should have it configured to not answer recursive queries for everyone in the world. If it is a recursive server, then you should be limiting who can query it and not respond to non-authorized queries. You can use the BIND "view" to limit who is getting what from your server.

Your logs indicate that this query was denied, so you may already have your server configured to not answer these queries from this address, so the last paragraph may not apply. But, it is worth looking at your configuration just to confirm your server is "reasonably" configured.

Bill Larson
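
The options named in the reply above (a "blackhole" list, recursion limited to known clients, and views), put together as a named.conf fragment. This is an added example, not configuration from the thread or from either poster's server; the "trusted" network 192.0.2.0/24, the zone example.com and the zone file path are placeholder assumptions, and only 202.152.172.4 comes from the quoted logs.

```conf
// Added example. The "trusted" network, zone name and zone file path
// are placeholders (assumptions); adjust them to the real deployment.

acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;        // placeholder: the clients you provide recursion to
};

acl "abusers" {
    202.152.172.4;       // the client seen in the log excerpt in the question
};

options {
    // Never answer queries from these addresses, and never send
    // queries to them while resolving.
    blackhole { abusers; };
};

// Known clients: recursive service and access to the cache.
view "internal" {
    match-clients { trusted; };
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };

    zone "example.com" {
        type master;
        file "zones/example.com.db";
    };
};

// Everyone else: authoritative answers only, nothing from the cache.
// Cache lookups from these clients are refused, which is what produces
// "query (cache) ... denied" log entries like the ones quoted above.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };

    zone "example.com" {
        type master;
        file "zones/example.com.db";
    };
};
```

Once any view is defined, every zone statement has to live inside a view; check the file with named-checkconf before reloading.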