On 25/04/2011 13:30, Victor Hugo dos Santos wrote:
> Yes.. I already read about DNS amplifier attack.. but in
> amplification attack, the query is about ".", but in my case, the
> queries aren't by the "root", but for "unused type" !!!!
No -- confusion of terms: '.' is the *root* of the DNS hierarchy. Nothing to do with the unix superuser.

The RESERVED0 type of the query is certainly odd. My guess is that's a programming mistake by whoever is trying to run a DoS, as it probably means he's not going to get any data in the responses and hence no amplification effect.

> about the configuration, I can't apply the "allow-query" to restrict
> my DNS, because this is a authoritative server of many domains and I
> have the recursion disabled to external views.

OK -- an authoritative server should refuse to reply for a query for the '.' zone from an arbitrary source, like so:

# dig @ns0.infracaninophile.co.uk . ANY

; <<>> DiG 9.6.2-P2 <<>> @ns0.infracaninophile.co.uk . ANY
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 43458
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;.                              IN      ANY

;; Query time: 21 msec
;; SERVER: 81.187.76.162#53(81.187.76.162)
;; WHEN: Mon Apr 25 17:16:28 2011
;; MSG SIZE  rcvd: 17

So long as your server responds like that to external queries for the '.' zone, whether type IN or type RESERVED0 or type whatever, then I don't think you've got anything much to worry about. 20--30qps like that should be trivial for any reasonable modern machine.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
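An added check for the point Matthew makes above, not code from the original post or from ISC/BIND: it builds the wire-format query the thread is about (QNAME ".", an arbitrary QTYPE such as ANY or the RESERVED0 value 0), parses the response header, and reports whether the server answered REFUSED with no answer records and whether the response is larger than the request, which is the only thing that gives an attacker an amplification effect. The 17-byte REFUSED message is reconstructed from the dig output in the post; the "big" response in the test is constructed. Only the Python standard library is used; `probe()` talks to a real server and is not exercised offline.

```python
"""Build a DNS query for "." with an arbitrary QTYPE, and judge a response.

Added example, not from the original mailing-list post. The REFUSED sample
below is reconstructed from the dig output in the thread (17 bytes, flags
qr rd, status REFUSED, id 43458).
"""
import secrets
import socket
import struct
from typing import Optional

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
QTYPE_RESERVED0 = 0      # the "unused type" seen in the thread
QTYPE_ANY = 255
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name. The root "." is a single empty label: b"\\x00"."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int, qid: Optional[int] = None, rd: bool = True) -> bytes:
    """12-byte header + question section, as dig sends it (RD set by default)."""
    qid = secrets.randbelow(65536) if qid is None else qid
    flags = 0x0100 if rd else 0x0000        # QR=0, opcode QUERY, RD
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_response(msg: bytes) -> dict:
    """Decode only the header; that is enough to see RCODE and the section counts."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000),
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
            "size": len(msg)}


def assess(query: bytes, response: bytes) -> dict:
    """Add the bytes-out / bytes-in ratio and a verdict: REFUSED, empty, no gain."""
    info = parse_response(response)
    info["amplification"] = len(response) / len(query)
    info["safe"] = (info["rcode"] == "REFUSED" and info["ancount"] == 0
                    and info["amplification"] <= 1.0)
    return info


def probe(server: str, name: str = ".", qtype: int = QTYPE_ANY, timeout: float = 3.0) -> dict:
    """Send one UDP query to a real server (not run in the offline test)."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(65535)
    if struct.unpack("!H", data[:2])[0] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("response ID mismatch")
    return assess(q, data)


def refused_sample(qid: int = 43458) -> bytes:
    """Constructed: the 17-byte REFUSED reply dig showed (flags qr rd, RA clear)."""
    flags = 0x8000 | 0x0100 | 5
    return (struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
            + encode_name(".") + struct.pack("!HH", QTYPE_ANY, QCLASS_IN))


if __name__ == "__main__":
    for qtype in (QTYPE_ANY, QTYPE_RESERVED0):
        q = build_query(".", qtype, qid=43458)
        print(qtype, assess(q, refused_sample()))
```

Run `probe("<your-ns-ip>")` against each external view; a verdict of `safe` for both `QTYPE_ANY` and `QTYPE_RESERVED0` is the behaviour Matthew describes. The ratio matters more than the RCODE: a server that answers with a large referral for "." is still usable as an amplifier even with recursion disabled.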