Thanks for all.
But the strange thing is that if the request comes in on port 53, then it should
go out only from port 53, shouldn't it? Why does it go out from port 0? Any clue would be highly
appreciated.
Regards
Ejaz
-Original Message-
From: Tony Finch [mailto:d...@dotat.at]
Sent: Tuesday, July 26, 2016 4:12 P
On 27 July 2016 at 08:41, Ejaz wrote:
> Thanks for all.
>
> But the strange thing is that if the request comes in on port 53, then it should
> go out only from port 53, shouldn't it? Why does it go out from port 0? Any clue would be highly
> appreciated.
>
> Regards
> Ejaz
Where's the packet capture to review?
Thank you.
The traffic will go to a router which is handled by the Network dept. The fear
is that the router may crash if we start enabling the packet capture since it
is layer 7.
Is it advisable to deny outbound UDP port 0 from the DNS servers after
enabling the firewall?
Ejaz
-Or
You can use tcpdump on your DNS server to take the trace.
Command would be like below.
tcpdump -i any port 53 -w trace.pcap
You can share trace.pcap with us.
Regards
Abdul Khader
Ejaz wrote:
>
>Thank you.
>
>The traffic will go to a router which is handled by the Network dept. The fear
>th
Did not find any attachment.
Ejaz wrote:
>Thank you so much Abdul for your instant support.
>
>As requested, find the attached.
>
>
>Ejaz
>-Original Message-
>From: akha...@ies.etisalat.ae [mailto:akha...@ies.etisalat.ae]
>Sent: Wednesday, July 27, 2016 3:04 PM
>To: Ejaz ; 'S Carr'
On 27 July 2016 at 13:33, Ejaz wrote:
> Thank you so much Abdul for your instant support.
>
> As requested, find the attached.
So the 3 IPs (212.118.122.99-101) are continuously sending ANY
requests for cpsc.gov.
No responses I can see are going from port 0; they are coming in on 53
and BIND is re
I really appreciate you sparing such a long time to trace out the problem and sending
such a detailed email.
Is there any other security measure at the DNS level to control such
attacks, instead of blocking the IP either on my Linux machine or on
my network side?
Such as, if someone is sen
Ejaz wrote:
>
> Such as, if someone is sending an ANY request, by default it should be
> denied when users request it.
BIND 9.11 will have a minimal-any option.
https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any
https://lists.isc.org/pipermail/bind-users/2016-July/097226.html
Tony.
--
Hello,
You mean I need to downgrade my BIND to 9.11, as my current version is "BIND
9.9.2-P1"?
Ejaz
-Original Message-
From: Tony Finch [mailto:d...@dotat.at]
Sent: Wednesday, July 27, 2016 4:49 PM
To: Ejaz
Cc: 'S Carr' ; 'bind-users'
Subject: RE: outgoing-traffic
Ejaz
On 27 July 2016 at 14:44, Ejaz wrote:
> Such as, if someone is sending an ANY request, by default it should be denied
> when users request it.
Denying the request isn't going to solve anything in this case, they
are still going to repeatedly ask for it and the traffic has already
hit your
Oh, I am sorry for my misunderstanding.
I was thinking 9.1.1, not 9.11. OK, that is fine; I will upgrade it to 9.11 and
see if it controls it.
Thank you so much for all.
Ejaz
-Original Message-
From: Reindl Harald [mailto:h.rei...@thelounge.net]
Sent: Wednesday, July 27, 2016 4:58 PM
On 27 July 2016 at 14:44, Ejaz wrote:
Such as, if someone is sending an ANY request, by default it should be denied
when users request it.
On 27.07.16 14:57, S Carr wrote:
Denying the request isn't going to solve anything in this case, they
are still going to repeatedly ask for it and
> Denying the request isn't going to solve anything in this case, they are
> still going to repeatedly ask for it and the traffic has already hit your
> system before ANY queries would be denied.
Agreed, but at least it minimizes the problem, as if the request is 50 bytes
then the response is also 50
On 27 July 2016 at 15:10, Matus UHLAR - fantomas wrote:
> however, if no responses will come from his server, it's more likely that
> the queries will stop.
If you look at the capture there doesn't appear to be any responses
being sent for the ANY queries to start with, yet the queries keep
comin
On 27 July 2016 at 15:10, Matus UHLAR - fantomas wrote:
however, if no responses will come from his server, it's more likely that
the queries will stop.
On 27.07.16 15:19, S Carr wrote:
If you look at the capture there doesn't appear to be any responses
being sent for the ANY queries to start
I thought port 0 was never valid as either source or destination.
On Wed, 27 Jul 2016 11:22:06 +0300
"Ejaz" wrote:
>
> Thank you.
>
> The traffic will go to a router which is handled by the Network dept.
> The fear is that the router may crash if we start enabling the
> packet capture since
Ejaz
As per the trace file, QPS is around 1,158. Not sure what the specs
of your server are, but it is very low compared to other ISPs.
You need to rate-limit the following IPs to around 20 QPS. All of these
IPs are sending ANY queries for cpsc.gov. This is an amplification attack.
212.118.
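As an added illustration of the rate-limit advice above (example code, not from the thread or from BIND itself), the Python below parses the question section of raw DNS queries and reports every source whose ANY queries within a single second exceed the 20 QPS threshold mentioned. The sample traffic, addresses and timestamps are constructed; this is an offline analysis aid for a capture, not BIND's own response-rate-limiting.

```python
"""Flag sources sending DNS ANY queries above a per-second limit (added example)."""
import struct
from collections import defaultdict
QTYPE_ANY = 255  # RRTYPE used by the amplification queries discussed in the thread

def encode_qname(name):
    """Wire-format a domain name as length-prefixed labels plus the zero root label."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(txid, name, qtype):
    """Build a minimal UDP DNS query payload; used here only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; QDCOUNT=1
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN

def parse_question(payload):
    """Return (qname, qtype) of the first question, or None if the payload is malformed."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(payload):
            return None  # compression pointer (invalid in a question name) or truncated label
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):  # also catches running off the end before the root label
        return None
    return ".".join(labels).lower(), struct.unpack("!H", payload[pos:pos + 2])[0]

def flag_any_floods(records, qps_limit=20):
    """records: (epoch_seconds, src_ip, dns_payload) tuples -> {src_ip: peak ANY queries/s} over qps_limit."""
    buckets = defaultdict(lambda: defaultdict(int))  # src -> second -> ANY query count
    for ts, src, payload in records:
        question = parse_question(payload)
        if question and question[1] == QTYPE_ANY:
            buckets[src][int(ts)] += 1
    return {src: max(secs.values()) for src, secs in buckets.items() if max(secs.values()) > qps_limit}

def sample_records():
    """Constructed sample (RFC 5737 addresses, made-up times): 3 sources x 400 ANY/s for cpsc.gov, plus 5 benign A queries."""
    recs = []
    for src in ("203.0.113.1", "203.0.113.2", "203.0.113.3"):
        recs += [(1469600000 + n / 400, src, build_query(n, "cpsc.gov", QTYPE_ANY)) for n in range(400)]
    recs += [(1469600000 + n / 5, "198.51.100.7", build_query(n, "example.com", 1)) for n in range(5)]
    return recs

print(flag_any_floods(sample_records()))  # {'203.0.113.1': 400, '203.0.113.2': 400, '203.0.113.3': 400}
```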
I have an issue I can't seem to figure out. When I make a zone change on the
master server, it sends out notifies to the slave; the slave updates the zone
once it sees the notify, but I get this in the logs.
named[7062]: client xx.xx.64.2#51056: received notify for zone 'xxx: not
authoritative
On the samba mailing list they described setting up the DC as the NS and
forwarding to another machine for more rules.
This will work fine for one domain. Now let's say I have 2 domains.
If I set up forwarders like so on 192.168.1.1
zone "domainA" IN { type forward; forward only; forwarders { 192.168.
Should I set up 192.168.1.1 as a slave to these two domains? Would that fix it?
On Wed, Jul 27, 2016 at 12:56 PM, Jeff Sadowski
wrote:
> On the samba mailing list they described setting up the DC as the NS and
> forward to another machine for more rules.
> This will work fine for one domain. Now le
I'm going to try slaves like so.
If I set up slave zones like so on 192.168.1.1:
zone "domainA" IN { type slave; masters { 192.168.2.1; }; file "db.domainA"; };
zone "domainB" IN { type slave; masters { 192.168.3.1; }; file "db.domainB"; };
and in 192.168.2.1 and 192.168.3.1, in options:
notify yes;
My preference? Have all your clients use BIND to resolve DNS (this gives access
to more advanced features like sortlisting, good query logging,
blacklisting/redirection through the RPZ mechanism, Anycast, etc.). Set up the
BIND instances as slaves for the AD zones, and have the AD folks add the