Rich, I suggest the following
minimal-responses yes;

- set this global
blackhole { address_match_list };

- use the address_match_list file on your pf.conf (freebsd)

with this combo, your bind should refuse queries when it's out-of-zone.

additional-from-auth yes;
additional-from-cache no;

good luck,
-Beavis

On Wed, Jan 30, 2013 at 3:02 PM, rich carroll <richcarr...@gmail.com> wrote:
> Currently our ISP's bind9 server is experiencing a lot of traffic. It looks
> like we are being used to attack IP addresses. We do have our own domains
> that we host as well as resolving for our customers.
>
> I have an acl for our subnets and we allow-recursion and allow-query-cache
> for those subnets. The IPs of the abusing servers are outside of our
> networks.
>
> My assumption was that if the query came from outside our networks and it
> wasn't for one of our domains then there wouldn't be a response, but this
> isn't the case.
>
> If I go outside our network and do a "dig google.com @ourDNSserver" I get:
>
> ; <<>> DiG 9.6.-ESV-R3 <<>> google.com @ns1.xxxxxxxxxxxx
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23403
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;google.com.                    IN      A
>
> ;; AUTHORITY SECTION:
> com.                    172800  IN      NS      a.gtld-servers.net.
> com.                    172800  IN      NS      h.gtld-servers.net.
> com.                    172800  IN      NS      l.gtld-servers.net.
> com.                    172800  IN      NS      d.gtld-servers.net.
> com.                    172800  IN      NS      c.gtld-servers.net.
> com.                    172800  IN      NS      i.gtld-servers.net.
> com.                    172800  IN      NS      m.gtld-servers.net.
> com.                    172800  IN      NS      b.gtld-servers.net.
> com.                    172800  IN      NS      j.gtld-servers.net.
> com.                    172800  IN      NS      f.gtld-servers.net.
> com.                    172800  IN      NS      e.gtld-servers.net.
> com.                    172800  IN      NS      g.gtld-servers.net.
> com.                    172800  IN      NS      k.gtld-servers.net.
>
> ;; ADDITIONAL SECTION:
> a.gtld-servers.net.     172800  IN      A       192.5.6.30
> a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30
> b.gtld-servers.net.     172800  IN      A       192.33.14.30
> b.gtld-servers.net.     172800  IN      AAAA    2001:503:231d::2:30
> c.gtld-servers.net.     172800  IN      A       192.26.92.30
> d.gtld-servers.net.     172800  IN      A       192.31.80.30
> e.gtld-servers.net.     172800  IN      A       192.12.94.30
> f.gtld-servers.net.     172800  IN      A       192.35.51.30
> g.gtld-servers.net.     172800  IN      A       192.42.93.30
> h.gtld-servers.net.     172800  IN      A       192.54.112.30
> i.gtld-servers.net.     172800  IN      A       192.43.172.30
> j.gtld-servers.net.     172800  IN      A       192.48.79.30
> k.gtld-servers.net.     172800  IN      A       192.52.178.30
> l.gtld-servers.net.     172800  IN      A       192.41.162.30
>
> ;; Query time: 2 msec
> ;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
> ;; WHEN: Wed Jan 30 14:50:32 2013
> ;; MSG SIZE  rcvd: 500
>
> Is it supposed to work like this? We are getting 100-600 of these a second.
> Most are looking up isc.org. They are more than likely spoofed IPs and
> someone is using our servers to attack people.
>
> I spent some time doing google searches and mostly found that you need to
> make sure you are only doing recursive lookups for your network, but that
> hasn't solved our issue if we are still sending out responses.
>
> --
> Richard Carroll
> richcarr...@gmail.com
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
Disclaimer: http://goldmark.org/jeff/stupid-disclaimers/
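A defender-side check for the situation Rich describes, added here as an example and not part of the thread: it parses BIND 9 query-log lines (the log format, the customer subnets, the authoritative zones and the log lines themselves are all assumed or constructed) and reports external sources that send out-of-zone queries, i.e. the queries the server answers only with a referral and which a spoofed-source attack can reflect.

```python
import ipaddress
import re
from collections import Counter

# Assumed BIND 9 query-log shape: "... client IP#PORT: query: NAME CLASS TYPE FLAGS (LOCAL_IP)"
QUERY_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")

# Placeholders standing in for the ISP's customer ACL and its authoritative zones.
OUR_SUBNETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8::/32")]
OUR_ZONES = ("example.net.", "example.org.")

# Constructed sample log: one external source hammering isc.org ANY (the pattern
# in the thread), a customer doing a normal recursive lookup, and an external
# source asking once for a zone we really do serve and once for an outside name.
SAMPLE_LOG = """\
30-Jan-2013 14:50:30.101 client 203.0.113.7#53: query: isc.org IN ANY +E (198.51.100.53)
30-Jan-2013 14:50:30.102 client 203.0.113.7#53: query: isc.org IN ANY +E (198.51.100.53)
30-Jan-2013 14:50:30.103 client 203.0.113.7#53: query: isc.org IN ANY +E (198.51.100.53)
30-Jan-2013 14:50:30.104 client 203.0.113.7#53: query: isc.org IN ANY +E (198.51.100.53)
30-Jan-2013 14:50:31.220 client 198.51.100.20#41532: query: google.com IN A +E (198.51.100.53)
30-Jan-2013 14:50:31.800 client 192.0.2.9#53: query: www.example.net IN A -E (198.51.100.53)
30-Jan-2013 14:50:32.010 client 192.0.2.9#53: query: google.com IN A +E (198.51.100.53)
""".splitlines()


def in_our_zones(name):
    """True if NAME is at or below a zone we are authoritative for."""
    name = name.rstrip(".").lower() + "."
    return any(name == z or name.endswith("." + z) for z in OUR_ZONES)


def is_internal(ip):
    """True if the client address falls inside the customer ACL."""
    return any(ipaddress.ip_address(ip) in net for net in OUR_SUBNETS)


def find_reflection_candidates(log_lines, threshold=3):
    """Map source IP -> (query count, most-requested name) for external sources
    that sent at least THRESHOLD out-of-zone queries: the server cannot answer
    these (no recursion for outsiders) and replies with a referral instead."""
    per_source = {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m or is_internal(m["ip"]) or in_our_zones(m["name"]):
            continue  # unparseable, a customer, or a name we legitimately serve
        per_source.setdefault(m["ip"], Counter())[m["name"].lower()] += 1
    return {ip: (sum(c.values()), c.most_common(1)[0][0])
            for ip, c in per_source.items() if sum(c.values()) >= threshold}


if __name__ == "__main__":
    for ip, (n, top) in find_reflection_candidates(SAMPLE_LOG).items():
        print(f"{ip}: {n} out-of-zone queries from outside the ACL, mostly for {top}")
```

Because the sources are very likely spoofed, as Rich suspects, the flagged addresses are the victims rather than the attacker; the useful output is the volume and the names involved, which tells you whether the referral responses are still going out after the configuration change.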