[dns-operations] New subscribers

Mark Andrews marka at isc.org
Sun Jan 9 23:48:47 UTC 2011

In message <20110107160649.3f320761 at t61p>, John Kristoff writes:
> On Thu, 06 Jan 2011 12:32:39 -0700
> Jeff Taylor <shdwdrgn at sourpuss.net> wrote:
> > Another member of the project recommended I join this mailing list
> > due quite a number of DNS attacks via my servers since this Summer - 
> > initially spoofing IP's within my local subnet, but most recently 
> > they're just hammering my server directly with "isc.org ANY"
> > queries. If this topic is suitable for this group, let me know and
> > I'll open up a new thread with details.
> Awhile back I had seen this:
>   2010-03-28T10:19:27+00:00
>   sport: 51095
>   query: IN ANY isc.org
>   flags: rd, edns, dnssec ok
> I had asked the isc.org folks at the time and Paul stated it wasn't
> them.  Never followed up to find out what it was.  Compare to what you
> saw.

It's almost cerrtainly a attempted DNS amplification attack.  The
source address and port will be forged.  Very few stub clients
(RD=1) turn on EDNS or turn on DO yet (we do want them to do this
in the future however as it is the signature of a DNSSEC validating
application).  You *will* see a packet like this if the targeted
nameserver is listed in the forwarders clause of another nameserver.
If you arn't being used as a forwarder you could almost certainly
filter out this query in a firewall by looking for all of the
following properties: CLASS=IN, TYPE=ANY, QNAME=isc.org, RD=1, QR=0,
EDNS=0 and DO=1.

If isn't in the target population that you offer
recursive/query-cache service to then named will return REFUSED
unless you serve a parent zone in which case a referral will be
returned.  This defeats the amplificication attack but doesn't stop
the response traffic.

> In November and December of last year I saw some widespread isc.org TXT
> queries coming from if that is of interest to anyone.
> John
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list