
BIND 9 denial of service being seen in the wild

BIND 9 denial of service being seen in the wild

Posted Nov 17, 2011 18:17 UTC (Thu) by brad@vaxxine.com (guest, #6399)
Parent article: BIND 9 denial of service being seen in the wild

I am glad I took my lumps and disabled public recursive resolving many years ago on my BIND installations. Only do that for local IP ranges! This eliminates all the resolver issues. Also I found that when the DNS server was open I was getting a constant stream of repeated unusual TXT lookups from remote IPs, which were for oddball domains. These TXT records contained many K of data. I suspect these requests were fake-source-IP requests being used as some sort of bandwidth DoS attack, working like a Smurf ping attack.


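As an added example (not from the thread above and not ISC's own configuration), here is the BIND 9 options fragment that the comment recommends, with recursion limited to local ranges, beside the open-resolver setting it replaces, plus a small grep that flags the open setting. The "trusted" ACL name and its address ranges are assumed; substitute your own.

```shell
#!/bin/sh
# Added example, not from the LWN thread or from ISC. The "trusted" ACL and
# the ranges inside it are assumptions; put your own local ranges there.

# Open resolver: any address on the Internet may use this cache. This is the
# kind of setting the comment above says it disabled.
weak_options() {
cat <<'EOF'
options {
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };
};
EOF
}

# Restricted resolver: authoritative data is still served to everyone, but
# only the listed ranges may recurse or read cached answers. (Do not name the
# ACL "localnets" or "localhost": those names are built into BIND.)
hardened_options() {
cat <<'EOF'
acl "trusted" { 127.0.0.0/8; ::1/128; 192.0.2.0/24; 2001:db8::/32; };

options {
    recursion yes;
    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
EOF
}

# True (exit 0) when the fragment on stdin grants recursion to "any".
has_open_recursion() {
    grep -Eq 'allow-recursion[[:space:]]*[{][^}]*[[:space:]]any;'
}

if weak_options | has_open_recursion; then
    echo "weak fragment: recursion open to any address"
fi
if hardened_options | has_open_recursion; then
    echo "hardened fragment: still open"
else
    echo "hardened fragment: recursion limited to the trusted ACL"
fi
```

Write the hardened fragment to a file and run `named-checkconf` on it before loading it; the grep only catches the literal `any;` case, so a server that has no `allow-recursion` line at all still needs a look at the defaults for its BIND version.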

I think it was much simpler...

Posted Nov 17, 2011 19:47 UTC (Thu) by khim (subscriber, #9252)

Are you sure it was something nefarious? Perhaps it was just a simple IP-over-DNS?

BIND 9 denial of service being seen in the wild

Posted Nov 18, 2011 11:48 UTC (Fri) by terryburton (subscriber, #26261)

"Only do that for local IP ranges! This eliminates all the resolver issues."

There may be many ways of coercing your local hosts to make lookups that you did not intend, such as including links in web content that the browser pre-caches as well as basic SMTP reception and mail content scanning. Enable query logging on your resolver to see the scope of this.
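As an added example (not part of the thread), this takes the "enable query logging" advice above one step further and reports which client asked for which TXT records, the pattern described in the first comment. The log lines are constructed, in the one-line `client <addr>#<port>: query: <name> <class> <type> ...` form that BIND 9 writes (with an optional `view <name>:` before `query:`); other versions add fields, so compare the format with your own log before relying on the field positions.

```shell
#!/bin/sh
# Added example, not from the LWN thread. The sample log below is constructed
# and the field layout it assumes is described in the lead-in.

# Constructed sample of a BIND 9 query log (assumed format).
sample_querylog() {
cat <<'EOF'
17-Nov-2011 18:17:01.001 client 198.51.100.7#53412: query: big.example IN TXT + (192.0.2.1)
17-Nov-2011 18:17:01.002 client 198.51.100.7#53412: query: big.example IN TXT + (192.0.2.1)
17-Nov-2011 18:17:01.003 client 192.0.2.25#40000: query: www.example IN A + (192.0.2.1)
17-Nov-2011 18:17:01.004 client 198.51.100.7#53412: query: big.example IN TXT + (192.0.2.1)
17-Nov-2011 18:17:01.005 client 203.0.113.9#1024: view internal: query: other.example IN TXT + (192.0.2.1)
EOF
}

# Reads query-log lines on stdin and prints "count client name" for every
# TXT query, most frequent pair first.
txt_query_report() {
    awk '
    {
        # find the "query:" token; with views BIND inserts "view <name>:" first
        q = 0
        for (i = 5; i <= NF; i++) if ($i == "query:") { q = i; break }
        if (q == 0) next
        name = $(q + 1); type = $(q + 3)     # $(q + 2) is the class
        if (type != "TXT") next
        split($4, c, "#")                    # "198.51.100.7#53412:" -> address
        n[c[1] " " name]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -rn
}

sample_querylog | txt_query_report
```

Query logging can be toggled at runtime with `rndc querylog`, so this does not need a restart. One caveat when reading the report: if the requests carry forged source addresses, as the first comment suspects, the "client" column is the address the amplified answers are being sent to, not the sender, so a burst of identical large TXT lookups "from" one address is worth investigating either way.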

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds