An intelligently designed firewall rule that drops the incoming requests
isn't doing exactly what the attacker wants.  It's the opposite.  The
main effect of forged lookups is a response flood. And so it is also
intended to flood the victim with overwhelming amounts of DNS
responses.  It, like any solution, is a two-edged blade.  Allowing all
the responses to flow back to the victim floods them.  Dropping the
incoming request prevents that but it also prevents them from doing
lookups on your nameserver for domains that you are authoritative for.

So if you drop all these forged queries to your authoritative
nameservers save one or two, the victim will get less traffic, and still
be able to do lookups - they'll just take a wee bit longer on average. 
If your nameserver is only getting one or two of these every several
minutes, then your impact on the victim is insignificant and you need
not take any action - assuming your BIND configuration is proper. 
However if you happen to be a fat target and you're getting dozens or
hundreds of these per second, then you're having a significant impact on
the victim and that particular server should do some filtering.

Firewalls are smart these days.  It's entirely possible to do some deep
packet inspection and drop only the "." requests, and/or do rate
limiting.  The only firewalls left that can't do this are ancient beasts
that have too many layers of dust on them.

So in addition to ensuring your BIND configuration is set up properly to
refuse upward referrals, recursion, answers from cache to strangers, and
so forth, it is also important to judiciously apply firewall rules.

There can be more than one proper thing to do.

-d

Stephane Bortzmeyer wrote:
> On Wed, Feb 11, 2009 at 01:35:31AM +0100,
>  Thomas Manson <dev.mansontho...@gmail.com> wrote 
>  a message of 80 lines which said:
>
>> I'll temporarily block the IP on my firewall
>
> Very bad idea, since it is forged. You do exactly what the attacker
> wanted you to do.
>
> The proper thing to do is:
>
> https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful

-- 
Linux: freedom to build is good
Please top-post and trim when replying to my messages. I most often read mail 
on a small device.
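A concrete form of the filtering discussed above, added here as an example and not code from the thread or from BIND: a small parser that recognises "." queries in a DNS payload, and a per-source token bucket that lets one or two of them through per minute and drops the rest, so a spoofed victim gets a trickle of responses instead of a flood while ordinary lookups for your zones pass untouched. The packet layout is standard DNS; the sample queries, source address and thresholds are constructed assumptions.

```python
import struct

def parse_question(payload):
    """Return (qname, qtype, qclass) for a single-question DNS query payload, else None."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    if flags & 0x8000 or qdcount != 1:          # responses and odd packets are not our concern
        return None
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        n = payload[pos]
        if n & 0xC0 or pos + 1 + n > len(payload):   # no compression pointers in a question name
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    if pos + 5 > len(payload):                   # need the terminating 0 plus QTYPE/QCLASS
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
    return (".".join(labels) + "." if labels else "."), qtype, qclass

def is_root_query(payload):
    """True for the '.' lookups this thread is about, whatever the QTYPE."""
    q = parse_question(payload)
    return q is not None and q[0] == "."

class RootQueryLimiter:
    """Per-source token bucket: `burst` '.' queries pass, then one per `interval` seconds; all else passes."""
    def __init__(self, burst=2, interval=60.0):
        self.burst, self.interval, self.buckets = burst, interval, {}
    def decide(self, src, payload, now):
        if not is_root_query(payload):
            return "ACCEPT"
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) / self.interval)
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, now)
            return "ACCEPT"
        self.buckets[src] = (tokens, now)
        return "DROP"

def build_query(qname, qtype=2):
    """Constructed sample query (QTYPE 2 = NS, 255 = ANY) for testing; not captured traffic."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".") if l) + b"\x00"
    return struct.pack("!6H", 0x1234, 0, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)

def simulate_flood(limiter, src, payload, count, step):
    """Feed `count` copies of `payload` from `src`, `step` seconds apart; return (accepted, dropped)."""
    verdicts = [limiter.decide(src, payload, i * step) for i in range(count)]
    return verdicts.count("ACCEPT"), verdicts.count("DROP")
```

The same decision logic maps onto a stateful firewall's rate-limit match keyed on source address; the point is that only the "." queries are throttled, never the zone lookups.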

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users