On 15.12.21 at 14:33, Andrew P. wrote:
So why isn't there a way to tell BIND not to respond to queries for which it 
clearly is not authoritative (such as these attack vectors)? Since no 
legitimate resolver would be asking a non-authoritative server for information, 
why should his (or my) public BIND server respond to these even with an error 
message?

because in the case of UDP it would make things much worse

how does the client smell that you didn't respond on purpose and distinguish it from packet loss leading to retries?

------------------

"Since no legitimate resolver would be asking a non-authoritative server for information" isn't true at all

years ago we moved a server to a different location and all sorts of ISP resolvers still responded with the old IPs months later; the dumbest one even played the lottery, responding 50% old and 50% new IP

I found that out through random complaints because one domain had 60 subdomains, and I started to query all open resolvers I was able to find with scripts - a tragedy

that machine was sadly the primary NS for 800 domains, and over the months the old IP could have been re-used for a new customer running a nameserver for completely different domains

------------------

long story short: no sane service should suppress replies completely unless an explicit blacklist saying so is involved

________________________________________
From: bind-users <bind-users-boun...@lists.isc.org> on behalf of Ondřej Surý 
<ond...@isc.org>
Sent: Wednesday, December 15, 2021 7:18 AM
To: Danilo Godec
Cc: bind-users@lists.isc.org
Subject: Re: Millions of './ANY/IN' queries denied

Would I be doing a bad thing by using fail2ban to block these IPs?

That’s the question that only you can answer.  The IP addresses are
not the attacker’s but the victims’, and you would be punishing those networks
by blocking access from them to your network.

Do you absolutely know that these IP addresses don’t need access
to your DNS?  If yes, then go ahead.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

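Before deciding what (if anything) to do about a flood like the './ANY/IN' denied lines in the subject, it helps to see how the refused queries are actually distributed by source. The script below is an added example, not code from this thread or from ISC: it parses BIND 9 query-log "denied" lines, counts them per client address and per question, and lists the busiest sources. The log lines are constructed for the example; the regex assumes the BIND 9 query-log layout (with the client pointer "@0x..." that newer releases print made optional). As the thread points out, the source addresses of reflected UDP queries are normally the spoofed victims, so the output sizes the problem; it is not a block list.

```python
"""Summarize BIND 'query ... denied' log lines by source address.

Added example for the bind-users thread above; not ISC code.
Assumes BIND 9 query-log format; sample lines are constructed.
"""
import re
from collections import Counter, defaultdict
from typing import Iterable, Iterator

# One BIND 9 query-log line for a refused query, e.g.
#   15-Dec-2021 07:01:23.101 client @0x7f3c2c0a8e60 203.0.113.7#41234 (.): query (cache) './ANY/IN' denied
# The "@0x..." client pointer appears in newer releases only, so it is optional.
DENIED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-fA-F]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<qname>[^)]*)\): "
    r"query \([a-z]+\) '(?P<q>[^']+)' denied$"
)

# Constructed sample log (addresses from the documentation ranges).
SAMPLE_LOG = """\
15-Dec-2021 07:01:23.101 client @0x7f3c2c0a8e60 203.0.113.7#41234 (.): query (cache) './ANY/IN' denied
15-Dec-2021 07:01:23.102 client @0x7f3c2c0a8e60 203.0.113.7#41235 (.): query (cache) './ANY/IN' denied
15-Dec-2021 07:01:23.110 client 198.51.100.9#5300 (.): query (cache) './ANY/IN' denied
15-Dec-2021 07:01:23.250 client @0x7f3c2c0a8e60 203.0.113.7#41236 (.): query (cache) './ANY/IN' denied
15-Dec-2021 07:01:24.010 client 192.0.2.44#53811 (example.net): query (cache) 'example.net/A/IN' denied
15-Dec-2021 07:01:24.011 client @0x7f3c2c0a8e60 2001:db8::1#9001 (.): query (cache) './ANY/IN' denied
15-Dec-2021 07:01:24.500 client 203.0.113.7#41237 (.): query (cache) './ANY/IN' denied
"""


def parse_denied(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per line that is a refused-query log entry; skip the rest."""
    for line in lines:
        m = DENIED_RE.match(line.rstrip("\n"))
        if m:
            yield m.groupdict()


def summarize(lines: Iterable[str]) -> dict:
    """Count refused queries per source address and per question (name/type/class)."""
    by_ip: Counter = Counter()
    by_q: Counter = Counter()
    ports: dict = defaultdict(set)   # distinct source ports seen per address
    total = 0
    for rec in parse_denied(lines):
        total += 1
        by_ip[rec["ip"]] += 1
        by_q[rec["q"]] += 1
        ports[rec["ip"]].add(rec["port"])
    return {
        "total": total,
        "by_ip": by_ip,
        "by_q": by_q,
        "ports_per_ip": {ip: len(p) for ip, p in ports.items()},
    }


def top_sources(summary: dict, n: int = 5) -> list:
    """Return the n busiest source addresses as (ip, count) pairs, busiest first."""
    return summary["by_ip"].most_common(n)


def report(summary: dict, n: int = 5) -> str:
    """Human-readable summary for the operator."""
    out = [f"{summary['total']} refused queries"]
    for q, c in summary["by_q"].most_common():
        out.append(f"  question {q}: {c}")
    out.append(f"top {n} sources (likely spoofed victims, not attackers):")
    for ip, c in top_sources(summary, n):
        share = 100.0 * c / summary["total"] if summary["total"] else 0.0
        out.append(f"  {ip}: {c} ({share:.0f}%), {summary['ports_per_ip'][ip]} distinct src ports")
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print(report(summarize(src)))
```

Run it as `python3 denied_summary.py /var/log/named/query.log` (or with no argument to use the constructed sample). The distinct-source-port count is only a hint: a busy NAT produces the same pattern, so it does not prove spoofing, and nothing in the output tells you that blocking an address would hit the sender rather than the victim.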