In message <20090121140825.xwdzd4p64kgwo...@web1.nswh.com.au>, j...@miscreant.or g writes: > > On Tue, Jan 20, 2009 at 9:16 PM, Kameron Gasso <kgasso-li...@visp.net> wro= > te: > > > We're also seeing a great number of these, but the idiots spoofing the > > queries are hitting several non-recursive nameservers we host - and only > > generating 59-byte "REFUSED" replies. > > > > Looks like they probably just grabbed a bunch of DNS hosts out of WHOIS > > and hoped that they were recursive resolvers. > > First post to this list, play nice :) > > Are you sure about this? I'm seeing these requests on /every/ =20 > (unrelated) NS I have access to, which numbers several dozen, in =20 > various countries across the world, and from various registries (.net, =20 > .org, .com.au). The spread of servers I've checked is so random that =20 > I'm wondering just how many NS records they've laid their hands on. > > I've also noticed that on a server running BIND 9.3.4-P1 with =20 > recursion disabled, they're still appear to be getting the list of =20 > root NS's from cache, which is a 272-byte response to a 61-byte =20 > request, which by my definition is an amplification.
BIND 9.3.4-P1 is past end-of-life. You need to properly set allow-query at both the option/view level and at the zone level to prevent retrieving answers from the cache in 9.3.x. option/view level "allow-query { trusted; };" zone level "allow-query { any; };" BIND 9.4.x and later have allow-query-cache make the configuration job easier. It also defaults to directly connected networks. Mark > Cheers, > > Jay > > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org