On 13/04/2021 at 00:55, Richard T.A. Neal wrote:

That's exactly what I do - I have some code that's watching for a frequent occurrence of these 
sorts of queries and then adds a firewall rule for a predetermined amount of time to simply drop 
the incoming packets at the firewall - this prevents them from reaching BIND in the first place and 
thus consuming system resource on the BIND server. And I say "predetermined amount of 
time" because that rule is then removed after a period of time in case the abuse was 
"unintentional" (ahem), or in case it came from a system using a non-static IP (i.e. a 
different user may be using that IP now, so I don't want to block them).

Do you block specifically the dns queries in the firewall, or straight out block the IP?

Reading this thread, I considered simply enabling the fail2ban named-refused jail, but they advise against it because it would end up blocking the victim rather than the attacker.

I understand that always ignoring these requests may be bad if it causes some timeout somewhere (though I still do not quite fully understand what legitimate requests those may be for a server which only does authoritative answers). Couldn't BIND then have a built-in option to ignore repeated attempts from a given host, and cap the number of error codes sent to a given host per day?

Julien
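As an added illustration of the approach Richard describes (count repeated denied queries per source, then drop that source's DNS traffic at the firewall for a bounded time), here is a small Python sketch. It is not code from either poster or from ISC; the log lines are constructed to resemble BIND's security-channel "query ... denied" messages (the ones fail2ban's named-refused jail keys on), and the nftables set name `dns_abusers`, the threshold, window and block duration are assumptions. The generated rule matches only port 53, so the source keeps any other access, and the set entry expires on its own, which is the "predetermined amount of time" from the quoted message.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of BIND security-log output (format assumed from
# "print-time yes; print-category yes; print-severity yes;" channels).
SAMPLE_LOG = """\
13-Apr-2021 00:55:01.000 security: info: client @0x7f3c5c0 192.0.2.10#4321 (example.com): query (cache) 'example.com/ANY/IN' denied
13-Apr-2021 00:55:02.000 security: info: client @0x7f3c5c0 198.51.100.7#5555 (example.com): query (cache) 'example.com/ANY/IN' denied
13-Apr-2021 00:55:03.000 general: info: zone example.com/IN: loaded serial 1
13-Apr-2021 00:55:05.000 security: info: client @0x7f3c5c0 192.0.2.10#4322 (example.com): query (cache) 'example.com/ANY/IN' denied
13-Apr-2021 00:55:10.000 security: info: client @0x7f3c5c0 192.0.2.10#4323 (example.com): query (cache) 'example.com/ANY/IN' denied
13-Apr-2021 00:55:20.000 security: info: client @0x7f3c5c0 192.0.2.10#4324 (example.com): query (cache) 'example.com/ANY/IN' denied
13-Apr-2021 00:55:30.000 security: info: client @0x7f3c5c0 192.0.2.10#4325 (example.com): query (cache) 'example.com/ANY/IN' denied
13-Apr-2021 00:55:40.000 security: info: client @0x7f3c5c0 192.0.2.10#4326 (example.com): query (cache) 'example.com/ANY/IN' denied
13-Apr-2021 00:57:30.000 security: info: client @0x7f3c5c0 198.51.100.7#5556 (example.com): query (cache) 'example.com/ANY/IN' denied
"""

# Timestamp, optional "@0x..." client handle, source IP#port, then "denied".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) .*?client "
    r"(?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query .* denied$"
)


def parse_line(line):
    """Return (timestamp, source_ip) for a 'denied' line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip")


def find_offenders(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count per source IP; an IP is reported the first time
    it reaches `threshold` denied queries inside `window`. Returns
    {ip: timestamp of the query that crossed the threshold}."""
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop hits older than the window
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders


def nft_setup_commands():
    """One-time setup: a set with per-element timeouts, and a rule that drops
    only DNS (port 53) from members of that set, not all their traffic."""
    return [
        "nft add table inet filter",
        "nft add set inet filter dns_abusers '{ type ipv4_addr; flags timeout; }'",
        "nft add rule inet filter input ip saddr @dns_abusers udp dport 53 drop",
        "nft add rule inet filter input ip saddr @dns_abusers tcp dport 53 drop",
    ]


def nft_block_commands(offenders, block_minutes=10):
    """Per-offender commands; nftables removes the element after the timeout,
    so no separate unblock job is needed."""
    return [
        f"nft add element inet filter dns_abusers {{ {ip} timeout {block_minutes}m }}"
        for ip in sorted(offenders)
    ]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG.splitlines())
    for cmd in nft_setup_commands() + nft_block_commands(hits):
        print(cmd)
```

The caveat raised in the thread still applies: the source address of a UDP query can be forged, so an IP that crosses the threshold may be the reflection victim rather than the attacker, which is why the rule is scoped to port 53 and expires rather than being permanent. For the built-in option Julien asks about, BIND's `rate-limit` statement (Response Rate Limiting, with `responses-per-second` and `errors-per-second`) throttles how many responses, including error responses, named sends to a given client network per second; it limits the outgoing replies rather than dropping the incoming packets before they reach named.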

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
