On Wed 13/Jan/2021 11:03:01 +0100 Matus UHLAR - fantomas wrote:
On 13.01.21 10:21, Alessandro Vesely wrote:
Are the queries refused because of the dot (.)?  In the query log, I also
found some 28 IN ANY queries from 7 IPs for xxx.at.fragolina.it, which
probably got away with a NXDOMAIN.

no. the dot is just the root domain.


I see.


This morning, queries for IN ANY are filling up a 63% of total queries. Named seems to be pretty quick at discarding them.  I'm wondering whether
it takes more resources to track and firewall those IPs or just ignore
them.

fail2ban should help not to see those messages


Ditto for grep -v :-)

I use a sort of fail2ban-lite, but hadn't bothered to firewall UDP.  Indeed, if 
the intent is an amplification attack, the IPs I'd find are those of the 
victims, not the attackers.


I'd be also curious of what they are after.  Is there a protest against RFC
8482?  It looks pretty nonsensical.  Any insight?

often, nameservers respond with list of delegations for this query:

% dig +noall +stats -t any . @localhost
;; Query time: 17 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 13 11:01:08 CET 2021
;; MSG SIZE  rcvd: 2272

this way, server will respond with >2KB packet which may flood the
destination IP.


Aha, thanks for the tip!  That may make sense, except that the server won't 
amplify:

; <<>> DiG 9.16.1-Ubuntu <<>> @north.tana.it . any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 29022
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ee8e36f499f24056c063244b5ffece98904d8e19b39c94a8 (good)
;; QUESTION SECTION:
;.                              IN      ANY

;; Query time: 287 msec
;; SERVER: 62.94.243.227#53(62.94.243.227)
;; WHEN: mer gen 13 11:42:32 CET 2021
;; MSG SIZE  rcvd: 56


Best
Ale
--






















_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to