Currently our ISP's bind9 server is experiencing a lot of traffic. It looks like we are being used to attack ip addresses. We do have our own domains that host as well as resolving for our customers.
I have an acl for our subnets and we allow-recursion and allow-query-cache for those subnets. The IP's of the abusing servers are outside of our networks. My assumption was that if the query came from outside our networks and it wasn't for one of our domains then there wouldn't be a response, but this isn't the case. If I go outside our network and do a "dig google.com @ourDNSserver" I get: ; <<>> DiG 9.6.-ESV-R3 <<>> google.com @ns1.xxxxxxxxxxxx ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23403 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;google.com. IN A ;; AUTHORITY SECTION: com. 172800 IN NS a.gtld-servers.net. com. 172800 IN NS h.gtld-servers.net. com. 172800 IN NS l.gtld-servers.net. com. 172800 IN NS d.gtld-servers.net. com. 172800 IN NS c.gtld-servers.net. com. 172800 IN NS i.gtld-servers.net. com. 172800 IN NS m.gtld-servers.net. com. 172800 IN NS b.gtld-servers.net. com. 172800 IN NS j.gtld-servers.net. com. 172800 IN NS f.gtld-servers.net. com. 172800 IN NS e.gtld-servers.net. com. 172800 IN NS g.gtld-servers.net. com. 172800 IN NS k.gtld-servers.net. ;; ADDITIONAL SECTION: a.gtld-servers.net. 172800 IN A 192.5.6.30 a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30 b.gtld-servers.net. 172800 IN A 192.33.14.30 b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30 c.gtld-servers.net. 172800 IN A 192.26.92.30 d.gtld-servers.net. 172800 IN A 192.31.80.30 e.gtld-servers.net. 172800 IN A 192.12.94.30 f.gtld-servers.net. 172800 IN A 192.35.51.30 g.gtld-servers.net. 172800 IN A 192.42.93.30 h.gtld-servers.net. 172800 IN A 192.54.112.30 i.gtld-servers.net. 172800 IN A 192.43.172.30 j.gtld-servers.net. 172800 IN A 192.48.79.30 k.gtld-servers.net. 172800 IN A 192.52.178.30 l.gtld-servers.net. 172800 IN A 192.41.162.30 ;; Query time: 2 msec ;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx) ;; WHEN: Wed Jan 30 14:50:32 2013 ;; MSG SIZE rcvd: 500 Is it supposed to work like this? We are getting 100-600 of these a second. Most are looking up isc.org. They are more then likely spoofed IP's and someone is using our servers to attack people. I spent some time doing google searches and mostly found that you need to make sure you are only doing recursive lookups for your network, but that hasn't solved our issue if we are still sending out responses. -- Richard Carroll richcarr...@gmail.com
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users