Re: Bind stats - denied queries?

Lyle Giese Mon, 30 Nov 2020 06:54:25 -0800

Be careful 'rejecting' these outright. These queries are UDPtraffic(not TCP) and the source address is easily forged. RRL is thecorrect way to limit these.


Lyle Giese


LCR Computer Services, Inc.

On 11/30/20 4:12 AM, Marc Roos wrote:

Are newer version of bind still logging like this


Nov 30 10:10:02 ns0 named[1303]: rate-limit: info: limit  responses to
3.9.41.0/24
Nov 30 10:10:02 ns0 named[1303]: rate-limit: info: limit  responses to
35.177.154.0/24
Nov 30 10:10:02 ns2 named[1241]: rate-limit: info: limit  responses to
35.177.154.0/24
Nov 30 10:10:02 ns2 named[1241]: rate-limit: info: limit  responses to
3.9.41.0/24

I already reported, that it is not to smart to log 3.9.41.0/24, better
could be logged 3.9.41.100/24 so you know the offending ip.




-----Original Message-----
From: Karl Pielorz [mailto:kpielorz_...@tdx.co.uk]
Sent: Monday, November 30, 2020 11:08 AM
To: bind-users@lists.isc.org
Subject: Bind stats - denied queries?


Hi,

We've been seeing a huge increase in 'denied queries' against a couple
of Bind servers we look after (Bind 9.16.9) - these are currently logged
as:

"
Nov 30 00:00:00 client @0xXXXXX X.X.X.X#48536 (.): query (cache)
'./ANY/IN'
denied
"

This appears like it might be someone trying (unsuccessfully) to use us
as an amplifier / reflector.

We've got Bind's statistics file setup - but I can't see there's any
entry for these "denied" queries? - As we'd really like to monitor this.

If anyone knows what stat these turn up in the statistics file (if at
all?)

Thanks,

-Karl
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list

ISC funds the development of this software with paid support
subscriptions. Contact us at https://www.isc.org/contact/ for more
information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Bind stats - denied queries?

Reply via email to