[ale] Fwd: Under Attack, my dns servers

Chuck Payne terrorpup at gmail.com
Mon Oct 6 16:13:59 EDT 2014


Here is my file, the ip have been change to protect the wicked

root at inferno:/etc/bind# cat named.conf.options

options {

directory "/var/cache/bind";


// If there is a firewall between you and nameservers you want

// to talk to, you may need to fix the firewall to allow multiple

// ports to talk.  See http://www.kb.cert.org/vuls/id/800113


// If your ISP provided one or more IP addresses for stable

// nameservers, you probably want to use them as forwarders.

// Uncomment the following block, and insert the addresses replacing

// the all-0's placeholder.


// forwarders {

// 0.0.0.0;

// };


rate-limit {

    responses-per-second 15;

    window 5;

};


forwarders {

208.67.222.222;

208.67.220.220;

};


        auth-nxdomain no;    # conform to RFC1035

l       isten-on-v6 { none; };




allow-query {

       208.67.222.222;
       208.67.220.220;
       75.75.75.75;
       75.76.75.76;
       8.8.8.8;
       71.1.2.11;
       127.0.0.1/8;
       50.1.59.24/28;
       192.168.0.0/24;
        209.120.10.128/25;

        };

recursive-clients 15;


additional-from-cache no;


allow-recursion {

       208.67.222.222;
       208.67.220.220;
       75.75.75.75;
       75.76.75.76;
       8.8.8.8;
       71.1.2.11;
       127.0.0.1/8;
       50.1.59.24/28;
       192.168.0.0/24;
        209.120.10.128/25;

};

allow-recursion-on {

       208.67.222.222;
       208.67.220.220;
       75.75.75.75;
       75.76.75.76;
       8.8.8.8;
       71.1.2.11;
       127.0.0.1/8;
       50.1.59.24/28;
       192.168.0.0/24;
        209.120.10.128/25;

};

blackhole {

      botnet_pukes;

};



        //multiple-cname yes;


};


On Mon, Oct 6, 2014 at 3:59 PM, Horkan Smith <ale at horkan.net> wrote:
>
> I've also seen a setup where both internal and external DNS servers are
running on the same machine, but I'd have to dig out the config options
they used.
>
> later!
>    horkan
>
> On Mon, Oct 06, 2014 at 03:57:19PM -0400, Horkan Smith wrote:
> > Yup, that's a fair critique - it hasn't been an issue yet, but I really
should switch my setup around.
> >
> > I have a virtual machine running bind9 and postfix for a brain-damaged
internal printer - I should swap DHCP to point there and see what happens.
> >
> > later!
> >    horkan
> >
> > On Mon, Oct 06, 2014 at 03:47:05PM -0400, Michael H. Warfield wrote:
> > > On Mon, 2014-10-06 at 15:13 -0400, Horkan Smith wrote:
> > > > Can you share the lines where you control access (including
recursion)?  In my case, they look like:
> > > >
> > > > named.conf.options:
> > > >         allow-transfer { home-nets; domain-backups; };
> > > >         allow-recursion { home-nets; domain-backups; };
> > > >         allow-query { home-nets; domain-backups; };
> > >
> > > It's worth noting that these do not prevent attackers from exploiting
> > > your own name servers to attack you internally.  They just spoof the
> > > requests from your internal (even private) addresses to request huge
> > > blocks of response data which will then be cached in your servers and
> > > reflected back to hammer you.  It's much better if you can block
access
> > > from the external net (either external interface or at your router) to
> > > your recursive cacher, which then blocks incoming spoofed packets from
> > > your internal addresses.  Most firewalls can discriminate between
> > > recursive requests and terminal requests, so you'll still end up
needing
> > > a non-recursive DNS server for your authoritative zones.
> > >
> > > Regards,
> > > Mike
> > >
> > > > Where home-nets and domain-backups are defined as acls.
> > > >
> > > > later!
> > > >    horkan
> > > >
> > > >
> > > > On Mon, Oct 06, 2014 at 12:03:39PM -0400, Chuck Payne wrote:
> > > > > Guys,
> > > > >
> > > > > I am under attack where my dns server is being used to do a ddos
attack. I
> > > > > believe it's a bot net, because the ip are too random. I don't
think the
> > > > > domain I am seeing in my bind log is real
> > > > >
> > > > > fkfkfkfz.guru
> > > > >
> > > > > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query:
fkfkfkfz.guru IN
> > > > > ANY +E (50.192.59.225)
> > > > > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache)
> > > > > 'fkfkfkfz.guru/ANY/IN' denied
> > > > > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: drop REFUSED
response
> > > > > to 92.222.9.0/24
> > > > >
> > > > > I have turn on recursion, but now people can't find my domains
any more.
> > > > > I have also try to limit the rate as well
> > > > >
> > > > >   rate-limit {
> > > > >                 responses-per-second 25;
> > > > >                 window 5;
> > > > >         };
> > > > >
> > > > >
> > > > > I am running Debian and openSUSE.
> > > > >
> > > > > Anything I can do to stop them and make where people can find my
domains? I
> > > > > don't want to have to pay for something I can do and have control
over.
> > > > >
> > > > > --
> > > > > Terror PUP a.k.a
> > > > > Chuck "PUP" Payne
> > > > >
> > > > > 678 636 9678
> > > > > -----------------------------------------
> > > > > Discover it! Enjoy it! Share it! openSUSE Linux.
> > > > > -----------------------------------------
> > > > > openSUSE -- Terrorpup
> > > > > openSUSE Ambassador/openSUSE Member
> > > > > skype,twiiter,identica,friendfeed -- terrorpup
> > > > > freenode(irc) --terrorpup/lupinstein
> > > > > Register Linux Userid: 155363
> > > > >
> > > > > Have you tried SUSE Studio? Need to create a Live CD,  an app you
want to
> > > > > package and distribute , or create your own linux distro. Give
SUSE Studio
> > > > > a try.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Terror PUP a.k.a
> > > > > Chuck "PUP" Payne
> > > > >
> > > > > 678 636 9678
> > > > > -----------------------------------------
> > > > > Discover it! Enjoy it! Share it! openSUSE Linux.
> > > > > -----------------------------------------
> > > > > openSUSE -- Terrorpup
> > > > > openSUSE Ambassador/openSUSE Member
> > > > > skype,twiiter,identica,friendfeed -- terrorpup
> > > > > freenode(irc) --terrorpup/lupinstein
> > > > > Register Linux Userid: 155363
> > > > >
> > > > > Have you tried SUSE Studio? Need to create a Live CD,  an app you
want to
> > > > > package and distribute , or create your own linux distro. Give
SUSE Studio
> > > > > a try.
> > > >
> > > > > _______________________________________________
> > > > > Ale mailing list
> > > > > Ale at ale.org
> > > > > http://mail.ale.org/mailman/listinfo/ale
> > > > > See JOBS, ANNOUNCE and SCHOOLS lists at
> > > > > http://mail.ale.org/mailman/listinfo
> > > >
> > > >
> > >
> > > --
> > > Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
> > >    /\/\|=mhw=|\/\/          | (678) 463-0932 |
http://www.wittsend.com/mhw/
> > >    NIC whois: MHW9          | An optimist believes we live in the
best of all
> > >  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure
of it!
> > >
> >
> >
> >
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > http://mail.ale.org/mailman/listinfo/ale
> > > See JOBS, ANNOUNCE and SCHOOLS lists at
> > > http://mail.ale.org/mailman/listinfo
> >
> >
> > --
> > Horkan Smith
> > 678-777-3263 cell, ale at horkan.net
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
>
> --
> Horkan Smith
> 678-777-3263 cell, ale at horkan.net
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo




--
Terror PUP a.k.a
Chuck "PUP" Payne

678 636 9678
-----------------------------------------
Discover it! Enjoy it! Share it! openSUSE Linux.
-----------------------------------------
openSUSE -- Terrorpup
openSUSE Ambassador/openSUSE Member
skype,twiiter,identica,friendfeed -- terrorpup
freenode(irc) --terrorpup/lupinstein
Register Linux Userid: 155363

Have you tried SUSE Studio? Need to create a Live CD,  an app you want to
package and distribute , or create your own linux distro. Give SUSE Studio
a try.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20141006/9cfcf57b/attachment.html>


More information about the Ale mailing list