Re: Bind dns amplification attack

2023-03-29 Thread Nyamkhand Buluukhuu
-PER-SECOND: sets the limit of error (REFUSED,FORMERR or SERVFAIL)? BR, Nyamka From: bind-users on behalf of Matus UHLAR - fantomas Sent: Wednesday, March 29, 2023 3:24 PM To: bind-users@lists.isc.org Subject: Re: Bind dns amplification attack >On 3/28/23

Re: Bind dns amplification attack

2023-03-29 Thread Matus UHLAR - fantomas
On 3/28/23 11:28 AM, Matus UHLAR - fantomas wrote: Yes, this is one of the problems with "authoritative zones for local use". On 28.03.23 12:18, Grant Taylor via bind-users wrote: Authorizing the /zone/ for local use wasn't the problem. The problem was that the world could get some of that zone's

Re: Bind dns amplification attack

2023-03-28 Thread Grant Taylor via bind-users
On 3/28/23 11:28 AM, Matus UHLAR - fantomas wrote: Yes, this is one of the problems with "authoritative zones for local use". Authorizing the /zone/ for local use wasn't the problem. The problem was that the world could get some of that zone's data from the query cache even if they couldn't query

Re: Bind dns amplification attack

2023-03-28 Thread Matus UHLAR - fantomas
On 3/28/23 10:48 AM, Matus UHLAR - fantomas wrote: If your server has authoritative zones for internal use, yes, in such case allow-query is a good idea. On 28.03.23 11:02, Grant Taylor via bind-users wrote: The server that I first set this on had a secondary copy of the root zone for my

Re: Bind dns amplification attack

2023-03-28 Thread Grant Taylor via bind-users
On 3/28/23 10:48 AM, Matus UHLAR - fantomas wrote: If your server has authoritative zones for internal use, yes, in such case allow-query is a good idea. The server that I first set this on had a secondary copy of the root zone for my systems use. I ended up adding additional restrictions to

Re: Bind dns amplification attack

2023-03-28 Thread Matus UHLAR - fantomas
On 3/28/23 6:30 AM, Matus UHLAR - fantomas wrote: Great, this means that only clients with those IP addresses can query your server for non-local information. On 28.03.23 10:16, Grant Taylor via bind-users wrote: I used to think the same thing. Then I learned that I needed to also add

Re: Bind dns amplification attack

2023-03-28 Thread Grant Taylor via bind-users
On 3/28/23 6:30 AM, Matus UHLAR - fantomas wrote: Great, this means that only clients with those IP addresses can query your server for non-local information. I used to think the same thing. Then I learned that I needed to also add similar configuration for `allow-query {...};` and

Re: Bind dns amplification attack

2023-03-28 Thread Petr Špaček
On 28. 03. 23 14:30, Matus UHLAR - fantomas wrote: On 28.03.23 18:48, Nyamkhand Buluukhuu wrote: Like below in named.conf: acl recclients { 43.228.128.2/32; 202.70.32.17/32; 103.29.147.0/29; 103.99.103.0/24; }; allow-recursion { recclients; }; Great, this means

Re: Bind dns amplification attack

2023-03-28 Thread Matus UHLAR - fantomas
On 28.03.23 18:48, Nyamkhand Buluukhuu wrote: Like below in named.conf: acl recclients { 43.228.128.2/32; 202.70.32.17/32; 103.29.147.0/29; 103.99.103.0/24; }; allow-recursion { recclients; }; Great, this means that only clients with those IP addresses can query

Re: Bind dns amplification attack

2023-03-28 Thread Ondřej Surý
More likely, it’s a malware used to do a targeted attack rather than insecure routers. Also why not both? ;) Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. > On 28. 3.

Re: Bind dns amplification attack

2023-03-28 Thread Borja Marcos
> On 28 Mar 2023, at 09:33, Nyamkhand Buluukhuu wrote: > > Hello, > > We are having slowly increasing dns requests from our customer zones all > asking mXX.krebson.ru. I think this is a DNS amplification attack. > And source zones/IP addresses are different but sending same requests like >

Re: Bind dns amplification attack

2023-03-28 Thread Matus UHLAR - fantomas
On 28.03.23 16:04, Nyamkhand Buluukhuu wrote: No, I have an access list that allows only our ISP zones. Zones? Access lists are meant to limit clients. What do your access limits look like? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive

Re: Bind dns amplification attack

2023-03-28 Thread Nyamkhand Buluukhuu
Hi, No, I have an access list that allows only our ISP zones. BR, Nyamka From: m...@at.encryp.ch Sent: Tuesday, March 28, 2023 3:40 PM To: Nyamkhand Buluukhuu ; bind-users@lists.isc.org Subject: Re: Bind dns amplification attack Are you an open recursor

Re: Bind dns amplification attack

2023-03-28 Thread Serg via bind-users
Are you an open recursor? If the answer is no, you should not face any amplification attacks. If you are an open recursor, the best solution is to restrict which IP addresses are allowed to access your recursor. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from

Bind dns amplification attack

2023-03-28 Thread Nyamkhand Buluukhuu
Hello, We are having slowly increasing dns requests from our customer zones all asking mXX.krebson.ru. I think this is a DNS amplification attack. And source zones/IP addresses are different but sending same requests like below. Most of them are rate