On 2015-11-10, sven falempin <sven.falem...@gmail.com> wrote:
> Ok , I agree, and thank you for the accurate answer.
>
><long story>
> OTOH the server was rejecting all the other requests (I do not think it
> was badly configured)
> and it ended up rejecting the good one also (after a loooong time of use).
> I first looked in the nsd manpages to see if I could figure out why and found nothing
> (a log like "I reject packet because ...").
> I tried verbosity: 2, ratelimit: 1024 (but nsd wasn't up to date - NSD
> version 3.2.5).
> I wanted to have a workaround; of course there is another authoritative to
> answer,
> therefore I ended up filtering content.
></long story>

Sounds like you should first update, then if the problem persists work on
tracking down the problem you see with NSD. Or outsource it (maybe run your
server as a "hidden master" and use a DNS provider that will secondary from
you, http://efball.com/dns/ lists free-of-charge ones).

> If I run an authoritative server, can I filter to answer only certain IP
> addresses?
> Like a list of public/root DNS?

You are missing some knowledge of how DNS works. The root servers don't
send queries, they answer them. There is no such list of addresses (and it
wouldn't help anyway - lots of queries from different places for various
"random".whatever.com will still give you problems).

> My next step was to look at dnssec, which would be nice to have anyway.

That is not going to make this any better.

> On Mon, Nov 9, 2015 at 10:34 PM, Nick Holland <n...@holland-consulting.net>
> wrote:
>
>> > with iptables i was able to add
>> > <-m string --hex-string whatever|03|com>
>> > in the <in> rules.
>> >
>> > So i only accept DNS request that matters to me.

L7 filtering to remove DNS attack traffic can be useful, but mostly
where it's done it is to carefully remove specific packets (e.g. if you
have a bunch of spoofed queries trying to use you as a bouncer/amplifier
and you can identify them from certain bits in the query).

>> > Is there a way ? (something simpler than diverting to a
>> > sort of grep -v ).
>>
>> I'd call that a wrong way to do it, definitely.
>>
>> If your name server is configured properly, it should be ignoring domain
>> requests it isn't authoritative for.  Not a problem.

It should be returning REFUSED rather than just ignoring so it is still
sending out packets (possibly to an unwitting victim). It can be a problem
on the dns server or firewall too, e.g. if it fills PF state table.
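As an added illustration of the REFUSED behaviour discussed in this thread (example code, not from any poster or from NSD): a minimal parser for the question section of a DNS query that decides whether the name falls under a zone the server is authoritative for and, if not, builds a REFUSED (rcode 5) reply. The zone list and the constructed query packets are assumptions for the example; note that the REFUSED reply echoes only the question, so it is no larger than the query and gives no amplification.

```python
import struct

# Assumed for the example: the zones this server is authoritative for.
AUTHORITATIVE_ZONES = ("example.org.",)

RCODE_NOERROR = 0
RCODE_REFUSED = 5


def parse_qname(msg, offset=12):
    """Read the QNAME starting at `offset` (12 = just after the header).

    Returns (dotted name, offset of the byte after the terminating zero)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0:  # compression pointers are not valid in a query name
            raise ValueError("compression pointer in question section")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", offset


def build_query(qname, qtype=1, txid=0x1234):
    """Construct a standard recursion-desired query (sample input for the example)."""
    labels = qname.rstrip(".").split(".")
    wire = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + wire + b"\x00" + struct.pack("!HH", qtype, 1)


def is_authoritative(qname):
    q = qname.lower()
    return any(q == z or q.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def rcode_for_query(msg):
    qname, _ = parse_qname(msg)
    return RCODE_NOERROR if is_authoritative(qname) else RCODE_REFUSED


def refused_response(msg):
    """Build a REFUSED reply: same ID, QR set, RD copied, rcode 5, question echoed."""
    txid, flags = struct.unpack("!HH", msg[:4])
    _, qend = parse_qname(msg)
    question = msg[12:qend + 4]  # QNAME + QTYPE + QCLASS
    rflags = 0x8000 | (flags & 0x0100) | RCODE_REFUSED
    return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + question
```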
