RE: loads of Query denied... is it an attack or a misconfiguration ?

[Matthew Huff]

I've been aware of this problem since it first came up on this and nanog's
list, but I'm having some configuration issues trying to make the upward
referrel be refused. I'm running bind-9.6.0P1, but I'm still seeing the NS
queries being answered in the log:

11-Feb-2009 09:34:25.489 queries: client 195.68.176.4#53715: view
external-in: query: . IN NS +
11-Feb-2009 09:35:04.525 queries: client 195.40.1.15#58313: view
external-in: query: ox.com IN NS -EDC
11-Feb-2009 09:35:28.121 queries: client 195.68.176.4#48472: view
external-in: query: . IN NS +
11-Feb-2009 09:35:44.138 queries: client 195.40.1.11#59164: view
external-in: query: ox.com IN NS -EDC
11-Feb-2009 09:36:30.755 queries: client 195.68.176.4#39942: view
external-in: query: . IN NS +
11-Feb-2009 09:37:33.388 queries: client 195.68.176.4#11158: view
external-in: query: . IN NS +
11-Feb-2009 09:38:36.022 queries: client 195.68.176.4#16095: view
external-in: query: . IN NS +

My config follows, any suggestion?

options {
    directory "/var/named";
    pid-file "/var/named/named.pid";
    statistics-file "/var/named/named.stats";
    memstatistics-file "/var/named/named.memstats";
    dump-file "/var/adm/named.dump";
    zone-statistics yes;

    notify no;

    transfer-format many-answers;
    max-transfer-time-in 60;
    interface-interval 0;

    recursion no;

    allow-transfer { xfer; };
    allow-query { none; };
    allow-recursion { none; };

    additional-from-auth no;
    additional-from-cache no;
};

view "internal-in" in {
  match-clients { trusted; };
  recursion yes;
  additional-from-auth yes;
  additional-from-cache yes;
  allow-query { trusted; };
  allow-recursion { trusted; };
  allow-query-cache { trusted; };

  zone "." in {
    type hint;
    file "db.cache";
  };

  zone "0.0.127.in-addr.arpa" in {
    type master;
    file "master/db.127.0.0";
    allow-query {
      any;
    };
    allow-transfer { none; };
  };

  zone "foo.com" in {
    type master;
    file "master/db.foo";
   };

...
...
...

};

view "external-in" in {
  match-clients { any; };
  recursion no;

  allow-transfer { xfer; };
  allow-query { none; };
  allow-recursion { none; };

  additional-from-auth no;
  additional-from-cache no;

  zone "." in {
    type hint;
    file "db.cache";
  };
 
  zone "foo.com" in {
    type master;
    file "master/db.foo";
    allow-query { any; };
  };

...
...
...
};

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

Matthew Huff.vcf
Description: Binary data

smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users