How does query denial actually work?

How does query denial actually work?

Andrew P.
Greetings, all.

I was curious about one of the features in BIND. Per the Best Practices, my on-site primary nameserver for my public domains (the secondaries being with a large public DNS provider) is configured to only allow queries from within my LAN and transfers in the LAN and to the designated servers at the DNS provider, and the zones don't actually list the primary in NS records (only in the SOA record). So I'm seeing large numbers of bursts of denied errors like this:

client @0x6e702710 73.61.186.10#21509 (.): query (cache) './ANY/IN' denied

I'll get maybe 20 in a row in under 2 seconds from one IP address, then a time gap, then a similar burst supposedly from a different IP address.

So, my questions are:

1. Are these attacks?

2. Does BIND actually send a reject message back, or is it silent in such denial cases (as in, not still attacking with smaller packets the victim of a DNS amplification attack)?

I can't figure it out from reading the source code; I haven't so far been able to trace back from where the messages are logged to where (if any) a response packet would be transmitted.

Andrew
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: How does query denial actually work?

Matus UHLAR - fantomas
On 17.12.20 14:35, Andrew P. wrote:

>I was curious about one of the features in BIND.  Per the Best Practices,
> my on-site primary nameserver for my public domains (the secondaries being
> with a large public DNS provider) is configured to only allow queries from
> within my LAN and transfers in the LAN and to the designated servers at
> the DNS provider, and the zones don't actually list the primary in NS
> records (only in the SOA record).  So I'm seeing large numbers of bursts
> of denied errors like this:
>
>client @0x6e702710 73.61.186.10#21509 (.): query (cache) './ANY/IN' denied
>
>I'll get maybe 20 in a row in under 2 seconds from one IP address, then a time gap, then a similar burst supposedly from a different IP address.
>
>So, my questions are:
>
>1. Are these attacks?

yes, and they are very common on the internet.

>2.  Does BIND actually send a reject message back, or is it silent in such
> denial cases (as in, not still attacking with smaller packets the victim
> of a DNS amplification attack)?

usually, yes.  Those responses are small (I measured 74B now) and you can
limit them using responses-per-second or errors-per-second.

if you don't provide any service (domain) to the public, you can filter DNS
requests from the internet.

>I can't figure it out from reading the source code; I haven't so far been
> able to trace back from where the messages are logged to where (if any) a
> response packet would be transmitted.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
M$ Win's are shit, do not use it !
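One defender-side way to pick out the bursts Andrew describes, added here as an example and not code from the thread or from BIND itself: it parses denied-query lines in the format a named log channel writes with print-time yes and counts denials per client address inside a sliding time window. The timestamp prefix, the sample addresses and times, and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches a named "query denied" line from a channel with print-time yes; the "@0x..." client handle is optional.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query \(\w+\) "
    r"'(?P<name>[^/]+)/(?P<qtype>[^/]+)/[^']+' denied$"
)

# Constructed sample (made-up addresses and times): a 20-query './ANY/IN' burst
# from one address inside one second, plus three slow denials from another.
SAMPLE_LOG = [
    f"17-Dec-2020 14:35:00.{i * 50:03d} client @0x6e702710 73.61.186.10#{21509 + i} (.): "
    "query (cache) './ANY/IN' denied"
    for i in range(20)
] + [
    f"17-Dec-2020 14:35:{10 + 5 * i:02d}.000 client @0x6e702810 198.51.100.7#40000 "
    "(example.test): query (cache) 'example.test/A/IN' denied"
    for i in range(3)
]

def parse_denied(lines):
    """Yield (timestamp, client_ip, qname, qtype) for every denied-query line."""
    for line in lines:
        m = DENIED_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m["ip"], m["name"], m["qtype"]

def find_bursts(lines, threshold=20, window=2.0):
    """Return {ip: (peak_count, qtype)} for addresses with at least `threshold`
    denials inside some `window`-second span. In a reflection attack the source
    address is usually spoofed, so a flagged address is the likely victim."""
    per_ip = defaultdict(list)
    for ts, ip, _name, qtype in parse_denied(lines):
        per_ip[ip].append((ts, qtype))
    bursts = {}
    for ip, events in per_ip.items():
        events.sort()
        best, best_type, start = 0, None, 0
        for end, (t_end, qtype) in enumerate(events):
            while (t_end - events[start][0]).total_seconds() > window:
                start += 1          # slide the window's left edge forward
            if end - start + 1 > best:
                best, best_type = end - start + 1, qtype
        if best >= threshold:
            bursts[ip] = (best, best_type)
    return bursts
```

The per-address peak counts are mainly useful for sizing responses-per-second / errors-per-second limits and for confirming they take effect, not for attributing the traffic.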