nanog mailing list archives
Re: Comcast residential DNS contact
From: Jared Mauch <jared () puck nether net>
Date: Wed, 3 Dec 2014 12:58:20 -0500
On Dec 3, 2014, at 10:45 AM, Stephen Satchell <list () satchell net> wrote:

> No. When I've been victim of DNS amplification attacks, the packet capture showed that the attacker used ANY queries. Legit ANY queries on my recursive servers? Damn few. So I block. Not so on my authoritative servers, where ANY queries on the domains I host zone files for have not caused any problems, for anyone.
>
> Another thing I did was slow down the port for my recursive DNS servers to 10 megabits/s. That means that my upstream link can't be saturated by DNS amplification.
>
> Oh, and I rate-limit incoming queries to my DNS servers by IP address range -- an attack from one subnet won't affect queries from other parts of the net. Queries from my IP address range have a high cap; J random IP addresses have a lower cap.
You should not filter the ANY queries; perhaps you want to TC=1 them. I created a patch for BIND for this purpose:

http://puck.nether.net/~jared/bind-9.9.3rc2-tcp-any.patch

I’ve seen many of these attacks; they will use MX/TXT/A and other records.

You may want to look at some of the public resources for this, e.g.:

http://dnsamplificationattacks.blogspot.nl/ is a good one, and for the git lovers:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt or
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

- Jared
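The two mitigations discussed in this exchange, answering ANY-over-UDP with the TC bit set so legitimate clients retry over TCP (where the source address cannot be spoofed) rather than dropping the query outright, and capping queries per source subnet with a higher cap for one's own address range, can be shown together in a small self-contained simulation. The code below is an added example written for this archive page; it is not Jared's BIND patch and not BIND code. All function and class names (`build_query`, `parse_query`, `truncated_response`, `SubnetRateLimiter`, `handle_udp_query`) are hypothetical, the DNS wire format handling covers only a single plain question section, the limiter keys IPv4 sources on their /24, and the sample queries and address ranges are constructed from documentation prefixes.

```python
import struct
import ipaddress
import time

QTYPE_ANY = 255
QTYPE_NAMES = {1: "A", 15: "MX", 16: "TXT", 255: "ANY"}

# DNS header flag bits (RFC 1035): QR=0x8000, TC=0x0200, RD=0x0100
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Constructed sample: a standard recursive query with one question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(data):
    """Parse header and the first question of a DNS query (uncompressed name)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    pos, labels = 12, []
    while True:
        ln = data[pos]
        pos += 1
        if ln == 0:
            break
        labels.append(data[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    return {"id": txid, "flags": flags, "name": ".".join(labels),
            "qtype": qtype, "qclass": qclass, "question_end": pos + 4}


def truncated_response(query):
    """Answer with QR+TC+RD set and no records: the client must retry over TCP.
    The reply is the same size as the query, so the amplification factor is 1."""
    q = parse_query(query)
    header = struct.pack("!HHHHHH", q["id"], FLAG_QR | FLAG_TC | FLAG_RD, 1, 0, 0, 0)
    return header + query[12:q["question_end"]]


def is_truncated(response):
    return bool(struct.unpack("!H", response[2:4])[0] & FLAG_TC)


class SubnetRateLimiter:
    """Fixed-window query cap per source /24; own ranges get a higher cap."""

    def __init__(self, own_ranges, own_cap, other_cap, window=1.0):
        self.own = [ipaddress.ip_network(r) for r in own_ranges]
        self.own_cap, self.other_cap, self.window = own_cap, other_cap, window
        self.buckets = {}  # "/24 network" -> (window_start, count)

    def cap_for(self, ip):
        addr = ipaddress.ip_address(ip)
        return self.own_cap if any(addr in n for n in self.own) else self.other_cap

    def allow(self, ip, now=None):
        now = time.monotonic() if now is None else now
        key = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        start, count = self.buckets.get(key, (now, 0))
        if now - start >= self.window:  # window expired: start a fresh count
            start, count = now, 0
        count += 1
        self.buckets[key] = (start, count)
        return count <= self.cap_for(ip)


def handle_udp_query(data, src_ip, limiter, now=None):
    """Policy for one UDP query. Returns ("drop", None), ("truncate", response)
    or ("resolve", parsed_question) for the normal resolution path."""
    if not limiter.allow(src_ip, now):
        return ("drop", None)
    q = parse_query(data)
    if q["qtype"] == QTYPE_ANY:
        return ("truncate", truncated_response(data))
    return ("resolve", q)


if __name__ == "__main__":
    # Constructed traffic: 192.0.2.0/24 plays the operator's own range.
    limiter = SubnetRateLimiter(["192.0.2.0/24"], own_cap=100, other_cap=3)
    any_q = build_query("example.com", QTYPE_ANY)
    for i, src in enumerate(["203.0.113.5"] * 4 + ["192.0.2.9"]):
        action, _ = handle_udp_query(any_q, src, limiter, now=0.0)
        print(f"query {i} from {src}: {action}")
```

Only the ANY-over-UDP case is truncated; A/MX/TXT queries still go to normal resolution, which is why Jared's point about attackers using those types too means the per-subnet cap still matters.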