[nycbug-talk] dns abuse

Max Gribov max at neuropunks.org
Mon Jan 19 15:08:03 EST 2009


Max Gribov wrote:
> Hi all,
> saw a huge spike in root zone NS queries on my servers starting this 
> Friday the 16th
OK, thankfully the ISP of those IPs has a working abuse contact.

It looks like their IPs are getting DDoSed with DNS queries for the root 
zone, and the query source is spoofed to their IPs.

Besides the throttling at the pf level to protect the NS server, I decided 
to make the . zone a master and allow queries only from localhost and my 
public IP, like so:
zone "." {
    type master;
    file "db.root";
    allow-query { 127.0.0.0/8; <pub ip>; };
};

This seems to fix the issue of me participating in the DDoS, but would 
it break anything on my end?
So far, everything seems to be working OK.
This is also an authoritative-only server, so there is no recursion.

Are there any other DNS DoS mitigation techniques out there?



> Here's a sample log:
> 19-Jan-2009 14:19:14.565 client 69.50.x.x#63328: query: . IN NS +
> 19-Jan-2009 14:19:15.689 client 76.9.x.x#35549: query: . IN NS +
> 19-Jan-2009 14:19:21.257 client 76.9.x.x#9389: query: . IN NS +
>
> Some machines query as often as 20-30 times a minute. No idea why this 
> would be happening, doesn't look like legitimate traffic to me.
> Is anyone else experiencing this?
>
> If you're having the same issue, you can do this in pf to throttle it a bit:
> pass in quick on $ext inet proto udp from any to <server> port 53 keep state (max-src-states 1)
>
>
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>   
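As an added example (not code from either post), here is a small Python script that parses BIND query-log lines in the format quoted above and counts `. IN NS` queries per source address per minute, flagging sources at or above a rate threshold; the log lines and addresses are constructed. Because the query source is spoofed, a flagged address is the reflection victim rather than the sender, which is exactly the list you would hand to that ISP's abuse contact.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the BIND query-log format quoted in the thread (documentation addresses, not real hosts).
SAMPLE_LOG = """\
19-Jan-2009 14:19:14.565 client 192.0.2.10#63328: query: . IN NS +
19-Jan-2009 14:19:15.689 client 198.51.100.7#35549: query: . IN NS +
19-Jan-2009 14:19:21.257 client 198.51.100.7#9389: query: . IN NS +
19-Jan-2009 14:19:22.001 client 198.51.100.7#41002: query: . IN NS +
19-Jan-2009 14:19:30.113 client 203.0.113.5#5353: query: www.example.com IN A +
19-Jan-2009 14:20:02.900 client 198.51.100.7#2201: query: . IN NS +
"""

# timestamp, client address, query name and query type of one query-log line
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[^#\s]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)

def parse_line(line):
    """Return (minute bucket, client ip, qname, qtype), or None for non-query lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts.replace(second=0), m.group("ip"), m.group("name"), m.group("type")

def root_ns_counts(log_text):
    """Count '. IN NS' queries per (client ip, minute bucket)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        minute, ip, name, qtype = parsed
        if name == "." and qtype == "NS":
            counts[(ip, minute)] += 1
    return counts

def flag_sources(log_text, per_minute_threshold=20):
    """(ip, 'HH:MM', count) for each source/minute at or above the threshold; the
    default matches the 20-30/min rate the original post called suspicious."""
    return sorted(
        (ip, minute.strftime("%H:%M"), n)
        for (ip, minute), n in root_ns_counts(log_text).items()
        if n >= per_minute_threshold
    )
```

On a real log, `flag_sources(open("query.log").read())` with the default threshold gives the victim addresses to report, while the `allow-query` change and the pf rule above stop the server from amplifying toward them in the meantime.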
