On Wed, 15 Dec 2021 12:51:19 +0100 Danilo Godec via bind-users <bind-users@lists.isc.org> wrote:
[...]

> 15-Dec-2021 00:01:42.127 security: info: client @0x7f96180b3fe0
> 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied

This can be common noise you'll see if any external source can get queries to your server. It looks like you are denying the queries, which are probably rd=1 queries. That is good. If your server is auth-only, then it is probably easiest and least harmful. These are most likely clients looking for open resolvers. For example, the address below has shown up in the signals data doing just that since at least early November with a project associated with the domain of my email.

> I'm guessing this is some sort of a reflection attack attempt, but I
> don't quite understand if these are the perpetrators or victims?

If you're refusing the queries, most likely they are Internet surveyors and scanners. Some of that may be for reasonable cataloging and alerting services; other times it is by miscreants looking for servers to use for reflection attacks.

> Would I be doing a bad thing by using fail2ban to block these IPs?

This might be dangerous. If someone spoofs a well-formed UDP query that does what the above does and you block it, what if the spoofed source is something you don't want blocked? This doesn't happen often, but I've seen it happen and people have gotten badly burned by it.

John
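The following is an added example, not code from the thread, from John, or from ISC. It parses BIND "security" category lines of the form quoted above, counts denied queries per source address (separately noting root `./ANY/IN` probes, the classic open-resolver scan), and then applies the caveat from the reply: a source that crosses a threshold is only reported as a candidate, never blocked automatically, and any address inside a "never block" list is exempted regardless of count, because the source address of a UDP query can be spoofed. The log lines are constructed for the example (only the first address comes from the post; `192.0.2.0/24` and `198.51.100.0/24` are documentation ranges), and the threshold and the `never_block` list are assumptions you would replace with your own monitoring hosts, secondaries and upstream resolvers.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines modelled on the BIND "security" message quoted
# in the thread. Only 45.145.227.33 appears in the original post; the other
# addresses are from documentation ranges and the last line is non-security noise.
SAMPLE_LOG = """\
15-Dec-2021 00:01:42.127 security: info: client @0x7f96180b3fe0 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.301 security: info: client @0x7f96180b3fe0 45.145.227.33#11093 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:43.002 security: info: client @0x7f96180c1a10 45.145.227.33#11094 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:02:10.550 security: info: client @0x7f96180d2b20 192.0.2.10#53 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:02:11.001 security: info: client @0x7f96180d2b20 192.0.2.10#53 (example.com): view outside: query (cache) 'example.com/ANY/IN' denied
15-Dec-2021 00:02:11.002 security: info: client @0x7f96180d2b20 192.0.2.10#53 (example.com): view outside: query (cache) 'example.com/ANY/IN' denied
15-Dec-2021 00:02:12.000 security: info: client @0x7f96180e3c30 198.51.100.7#40001 (isc.org): view outside: query (cache) 'isc.org/A/IN' denied
15-Dec-2021 00:02:12.500 general: info: zone example.net/IN: sending notifies (serial 2021121501)
"""

# Matches "client @0x... <ip>#<port> (<qname>): [view <name>: ]query [(cache)] '<name/type/class>' denied".
# The "view" prefix and "(cache)" marker are optional so the pattern also fits
# servers that run without views.
DENIED_RE = re.compile(
    r"client @0x[0-9a-f]+ (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): (?:view (?P<view>\S+): )?"
    r"query(?: \(cache\))? '(?P<query>[^']+)' denied"
)


def parse_denied(lines):
    """Yield one dict per 'query ... denied' line; other lines are skipped."""
    for line in lines:
        m = DENIED_RE.search(line)
        if not m:
            continue
        # The query field is "<name>/<type>/<class>"; the name may itself contain '/'.
        name, qtype, qclass = m.group("query").rsplit("/", 2)
        yield {
            "ip": m.group("ip"),
            "port": int(m.group("port")),
            "name": name,
            "qtype": qtype,
            "qclass": qclass,
            "view": m.group("view"),
        }


def summarize(events, threshold=3, never_block=()):
    """Count denied queries per source and classify each source.

    Verdicts:
      exempt    - inside never_block; report only, whatever the count
      candidate - at or above threshold; hand to a human, do not auto-block,
                  because the UDP source address may be spoofed
      noise     - below threshold
    """
    protected = [ipaddress.ip_network(n) for n in never_block]
    per_ip = Counter()
    root_any = Counter()  # './ANY/IN' probes: the usual open-resolver scan
    for e in events:
        per_ip[e["ip"]] += 1
        if e["qtype"] == "ANY" and e["name"] == ".":
            root_any[e["ip"]] += 1

    report = {}
    for ip, count in per_ip.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in protected):
            verdict = "exempt"
        elif count >= threshold:
            verdict = "candidate"
        else:
            verdict = "noise"
        report[ip] = {"denied": count, "root_any": root_any[ip], "verdict": verdict}
    return report


if __name__ == "__main__":
    # Assumed: 192.0.2.0/24 stands in for a secondary/monitoring network you never want cut off.
    events = list(parse_denied(SAMPLE_LOG.splitlines()))
    for ip, row in sorted(summarize(events, never_block=["192.0.2.0/24"]).items()):
        print(f"{ip:16} denied={row['denied']} root_any={row['root_any']} {row['verdict']}")
```

The point of the `never_block` list and the "candidate" verdict is the one the reply makes: the script tells you which sources look like scanners, but the decision to block stays with a person who can check whether the address is really the sender or a spoofed one you would regret cutting off.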