On 03.08.2010 18:28, wllarso wrote:
>> This seems to be due to a script-kiddie.
>> I would like to know if I can block hosts doing that at the level of
>> /etc/hosts.allow or should I do it at the level of BIND itself?
>> And sorry if this is not 100% on topic, I know it's at the border
>> between BIND and OS...
> On topic question. Don't worry.
> You could always use the "blackhole" directive in the BIND configuration
> to avoid responding to this address.

Do you think it is better or equal to the firewall solution?

> This will prevent your server from
> responding to queries from this address. See the BIND ARM for more info
> about how to use this. The problem is that this solution would prevent a
> DNS server at this address from querying your server for legitimate
> purposes. (Quickly, this address doesn't appear to be running a DNS server
> at the moment.)

Yes ;-)

> Then again, if you are running a firewall on your server (or in front of
> it), you could always block traffic from this address as an alternative
> too. This way your DNS server would never even see these queries to have
> to block.

Yes, that's what I did for the moment...

> But as a more complete solution, is this an authoritative server for some
> zone(s) that you are responsible for, or is this a recursive server for
> your customers?

It is an authoritative server for some domains, yes...

> If it is an authoritative server, then you should have it
> configured to not answer recursive queries for everyone in the world.

Yes, that would be interesting. Does it mean that only authoritative
zones would be allowed in queries? In fact it seems it does not answer
any query, as in the logs it says "denied". Am I right on this point or
not?

> If
> it is a recursive server, then you should be limiting who can query it and
> not respond to non-authorized queries. You can use the BIND "view" to
> limit who is getting what from your server.
> Your logs indicate that this query was denied, so you may already have
> your server configured to not answer these queries from this address, so
> the last paragraph may not apply.

Ok

> But, it is worth looking at your
> configuration just to confirm your server is "reasonably" configured.

Ok, I will check for that...

Thanks a lot for your advice; it makes things a little clearer for me
now :-)

Denis
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
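The three BIND-side measures discussed in the thread (the "blackhole" directive, refusing recursion to the world on an authoritative server, and a "view" split) put together in one named.conf fragment. This is an added example, not configuration posted by either participant; the ACL addresses, zone name and file paths are constructed placeholders.

```conf
// Added example (not from this thread): named.conf fragment applying the
// suggestions discussed above. All addresses and names are placeholders.
acl "abusers" { 192.0.2.10; };              // source seen in the "denied" log lines
acl "mynets"  { 127.0.0.1; 10.0.0.0/8; };   // clients you are willing to recurse for

options {
    directory "/var/named";
    // blackhole: named drops packets from these addresses without answering.
    // Caveat from the thread: a legitimate resolver at such an address could
    // then no longer query your zones either.
    blackhole { abusers; };
};

// Views: local clients get a recursive resolver; everyone else only gets
// authoritative answers for the zones you host. Once views are used, every
// zone must be declared inside a view.
view "internal" {
    match-clients { mynets; };
    recursion yes;
    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;   // recursive lookups for names you do not host are REFUSED
    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};
```

Check the syntax with `named-checkconf` before reloading; with this split, external clients asking for anything outside your zones get REFUSED rather than an answer, which is the "denied" behaviour the thread describes.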