[nycbug-talk] dns abuse

Max Gribov max at neuropunks.org
Mon Jan 19 15:08:03 EST 2009

Max Gribov wrote:
> Hi all,
> saw a huge spike in root zone ns queries on my servers starting this 
> friday 16th
ok, thankfully the isp of those ip's has a working abuse contact.

it looks like their ip's are getting ddos'ed with dns queries for root 
zone and the query source is spoofed to their ip's.

besides the throttling on pf level to protect the ns server, i decided 
to make . zone a master and allow query only from localhost and my pub 
ip, like so:
zone "." {
    type master;
    file "db.root";
    allow-query {; <pub ip>; };

this seems to fix the issue with me participating in the ddos, but would 
it break anything on my end?..
so far, everything seems to be working ok.
this is also authoritative-only server, so there is no recursion

are there any other dns dos mitigation techniques out there?..

> Heres a sample log:
> 19-Jan-2009 14:19:14.565 client 69.50.x.x#63328: query: . IN NS +
> 19-Jan-2009 14:19:15.689 client 76.9.x.x#35549: query: . IN NS +
> 19-Jan-2009 14:19:21.257 client 76.9.x.x#9389: query: . IN NS +
> some machines query as often as 20-30 times a minute. No idea why this 
> would be happening, doesnt look like legitimate traffic to me..
> Is anyone else experiencing this?
> If you're having same issue, you can do this in pf to throttle it a bit:
> pass in quick on $ext inet proto udp from any to <server> port 53 keep 
> state (max-src-states 1)
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk

More information about the talk mailing list