nanog mailing list archives
Re: Tightened DNS security question re: DNS amplification attacks.
From: Nate Itkin <nanog () konadogs net>
Date: Tue, 27 Jan 2009 11:16:44 -1000
On Tue, Jan 27, 2009 at 03:04:19PM -0500, Matthew Huff wrote:
> < ... snip ... >
> dns queries to the . hint file are still occurring and are not being denied by our servers. For example:
>
> 27-Jan-2009 15:00:22.963 queries: client 64.57.246.146#64176: view external-in: query: . IN NS +
>
> < ... snip ... >
> since you can't put an "allow-query { none; };" in a hint zone, what can I do to deny the query to the . zone file?
AFAIK, that's about the best you can do with the DNS configuration. You've mitigated the amplification value, so hopefully the perpetrator(s) will drop you. If you're willing to keep up with the moving targets, the next level is an inbound packet filter. Add to your inbound ACL:

deny udp host 64.57.246.146 neq 53 any eq 53

Also on this topic: Coincident with this DNS DOS, I started seeing inbound PTR queries from various hosts on 10.0.0.0/8 (which are blackholed by my DNS servers). They receive no response, yet they persist. Anyone have thoughts on their part in the scheme?

Best wishes,
Nate Itkin
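The two observations in this thread (repeated ". IN NS" queries from one client, and PTR queries arriving from 10.0.0.0/8 sources) can both be pulled out of the BIND query log mechanically. The script below is an added example, not code from either poster: it parses log lines in the format quoted above, counts root-NS queries per client, renders the same inbound ACL form Nate gives, and separately lists queries whose source is an RFC 1918 address. The log sample is constructed, the threshold of 2 is an assumption, and the ACL string is the Cisco-style syntax quoted in the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the BIND query-log format quoted in the thread.
SAMPLE_LOG = """\
27-Jan-2009 15:00:22.963 queries: client 64.57.246.146#64176: view external-in: query: . IN NS +
27-Jan-2009 15:00:23.101 queries: client 64.57.246.146#64177: view external-in: query: . IN NS +
27-Jan-2009 15:00:23.455 queries: client 198.51.100.7#5353: view external-in: query: www.example.com IN A +
27-Jan-2009 15:00:24.002 queries: client 64.57.246.146#64178: view external-in: query: . IN NS +
27-Jan-2009 15:00:25.310 queries: client 10.1.2.3#1025: view external-in: query: 1.2.0.192.in-addr.arpa IN PTR -
"""

# Matches the "client IP#port: view NAME: query: QNAME IN QTYPE FLAGS" part of a line.
LOG_RE = re.compile(
    r"client (?P<ip>[0-9.]+)#(?P<port>\d+): view (?P<view>\S+): "
    r"query: (?P<name>\S+) IN (?P<type>\S+) (?P<flags>\S+)"
)

# RFC 1918 space; queries from here should never arrive on an external view.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_query_log(text):
    """Yield one dict (ip, port, view, name, type, flags) per parsable line."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()


def root_ns_sources(text, threshold=2):
    """Count '. IN NS' queries per client; return {ip: count} at or above threshold."""
    counts = Counter(q["ip"] for q in parse_query_log(text)
                     if q["name"] == "." and q["type"] == "NS")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def acl_lines(sources):
    """Render one inbound ACL entry per flagged client, in the form quoted in the thread."""
    return [f"deny udp host {ip} neq 53 any eq 53" for ip in sorted(sources)]


def private_sources(text):
    """Return the distinct RFC 1918 source addresses seen in the log, in first-seen order."""
    seen = []
    for q in parse_query_log(text):
        if any(ipaddress.ip_address(q["ip"]) in net for net in RFC1918) and q["ip"] not in seen:
            seen.append(q["ip"])
    return seen
```

Addresses returned by private_sources are candidates for an ingress bogon filter at the border rather than a per-host ACL, since they are spoofed or leaked and cannot be answered.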