On 13/04/2021 at 00:55, Richard T.A. Neal wrote:
That's exactly what I do - I have some code that's watching for a frequent occurrence of these sorts of queries and then adds a firewall rule for a predetermined amount of time to simply drop the incoming packets at the firewall - this prevents them from reaching BIND in the first place and thus consuming system resource on the BIND server. And I say "predetermined amount of time" because that rule is then removed after a period of time in case the abuse was "unintentional" (ahem), or in case it came from a system using a non-static IP (i.e. a different user may be using that IP now, so I don't want to block them).
Do you block specifically the DNS queries in the firewall, or block the IP outright?
Reading this thread, I considered simply enabling the fail2ban named-refused jail, but they advise against it because it would end up blocking the victim rather than the attacker.
I understand that always ignoring these requests may be bad if it causes some timeout somewhere (though I still do not quite fully understand what legitimate requests those may be for a server which only gives authoritative answers). Couldn't BIND then have a built-in option to ignore repeated attempts from a given host, and cap the number of error codes sent to a given host per day?
Julien

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
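The mechanism Richard describes (watch for a burst of refused queries from one source, then drop that source's packets at the firewall for a limited time) and Julien's follow-up question (drop only DNS, or the whole IP?), as an added example that is not code from either poster. It is a small Python watcher: it parses BIND security-category "denied" lines, flags any client address that produced at least `threshold` denials inside a sliding window, and emits nftables commands that add the address to a set with an element timeout, so the block expires on its own without a cron job to remove it. The drop rules match only port 53, not the whole address, because the logged client address of a spoofed reflection probe is the victim, not the attacker, which is the reason the fail2ban named-refused jail is discouraged. The log line layout, the `filter` table, chain and set names, the 5-per-60-second threshold, the 10-minute timeout and the sample log lines are all assumptions constructed for this example.

```python
import re
import shlex
import subprocess
from collections import defaultdict
from datetime import datetime

# Assumed shape of BIND's security-category "denied" lines (constructed for
# this example; the "@0x..." client pointer is optional so older 9.x logs match):
#   13-Apr-2021 00:55:01.101 security: info: client @0x7f3a1c0 203.0.113.5#40001 (name): query (cache) 'name/A/IN' denied
DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"(?:[\w-]+: )*"                  # optional "security: info: " prefix
    r"client (?:@0x[0-9a-fA-F]+ )?"   # optional client pointer
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r".*\bdenied\b"
)
TS_FMT = "%d-%b-%Y %H:%M:%S"
TABLE = "filter"                      # assumed nftables table name

# Constructed sample log: 203.0.113.5 sends six denied queries in 12 seconds,
# 198.51.100.7 sends two, and one ordinary query-category line is mixed in.
SAMPLE_LOG = """\
13-Apr-2021 00:55:01.101 security: info: client @0x7f3a1c0 203.0.113.5#40001 (google.com): query (cache) 'google.com/A/IN' denied
13-Apr-2021 00:55:02.220 security: info: client @0x7f3a1c0 203.0.113.5#40002 (google.com): query (cache) 'google.com/A/IN' denied
13-Apr-2021 00:55:03.305 security: info: client @0x7f3a1c0 203.0.113.5#40003 (google.com): query (cache) 'google.com/A/IN' denied
13-Apr-2021 00:55:03.900 security: info: client @0x7f3a1c0 198.51.100.7#5353 (example.net): query (cache) 'example.net/MX/IN' denied
13-Apr-2021 00:55:04.410 security: info: client @0x7f3a1c0 203.0.113.5#40004 (google.com): query (cache) 'google.com/A/IN' denied
13-Apr-2021 00:55:05.515 security: info: client @0x7f3a1c0 203.0.113.5#40005 (google.com): query (cache) 'google.com/A/IN' denied
13-Apr-2021 00:55:06.000 queries: info: client @0x7f3a1c0 192.0.2.10#5353 (www.example.org): query: www.example.org IN A +E(0)K (192.0.2.53)
13-Apr-2021 00:55:12.777 security: info: client @0x7f3a1c0 203.0.113.5#40006 (google.com): query (cache) 'google.com/A/IN' denied
13-Apr-2021 00:55:13.001 security: info: client @0x7f3a1c0 198.51.100.7#5354 (example.net): query (cache) 'example.net/MX/IN' denied
"""


def parse_denied(line):
    """Return (timestamp, client_ip) for a 'denied' line, else None."""
    m = DENIED_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip")


def offenders(lines, threshold=5, window_seconds=60):
    """Map client IP -> peak number of denials seen inside any sliding window
    of window_seconds, keeping only IPs that reached the threshold."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_denied(line)
        if parsed:
            ts, ip = parsed
            stamps_by_ip[ip].append(ts)
    found = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it is within range of ts.
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            found[ip] = peak
    return found


def nft_setup_commands(table=TABLE):
    """One-time ruleset: sets with element timeouts, and drop rules that match
    only DNS (udp/tcp 53) from set members, so other traffic from a possibly
    spoofed or shared address is untouched."""
    return [
        f"nft add table inet {table}",
        f"nft add chain inet {table} input {{ type filter hook input priority 0 ; policy accept ; }}",
        f"nft add set inet {table} dns_abusers_v4 {{ type ipv4_addr ; flags timeout ; }}",
        f"nft add set inet {table} dns_abusers_v6 {{ type ipv6_addr ; flags timeout ; }}",
        f"nft add rule inet {table} input ip saddr @dns_abusers_v4 udp dport 53 drop",
        f"nft add rule inet {table} input ip saddr @dns_abusers_v4 tcp dport 53 drop",
        f"nft add rule inet {table} input ip6 saddr @dns_abusers_v6 udp dport 53 drop",
        f"nft add rule inet {table} input ip6 saddr @dns_abusers_v6 tcp dport 53 drop",
    ]


def nft_block_commands(ip, ttl="10m", table=TABLE):
    """Add ip to the right set; the kernel removes it when ttl expires."""
    set_name = "dns_abusers_v6" if ":" in ip else "dns_abusers_v4"
    return [f"nft add element inet {table} {set_name} {{ {ip} timeout {ttl} }}"]


def plan(lines, threshold=5, window_seconds=60, ttl="10m"):
    """Commands to temporarily drop DNS from every offender in the given lines."""
    cmds = []
    for ip in sorted(offenders(lines, threshold, window_seconds)):
        cmds.extend(nft_block_commands(ip, ttl))
    return cmds


def run_commands(commands, dry_run=True):
    """Print the commands, or execute them (needs root and nft installed)."""
    for cmd in commands:
        if dry_run:
            print(cmd)
        else:
            subprocess.run(shlex.split(cmd), check=True)


if __name__ == "__main__":
    run_commands(nft_setup_commands() + plan(SAMPLE_LOG.splitlines()))
```

In production the watcher would tail the live security log instead of a string, and the setup commands run once at boot. On the question of a built-in option: BIND's response rate limiting (`rate-limit { errors-per-second N; };` under `options`) already caps error responses per client address per second, with `slip` turning some of the suppressed answers into truncated responses so a real client behind a spoofed address can retry over TCP; that addresses the amplification concern inside named, while the firewall approach above is what keeps the packets from reaching named at all.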