Tightened DNS security question re: DNS amplification attacks.

Nate Itkin nanog at konadogs.net
Tue Jan 27 21:16:44 UTC 2009

On Tue, Jan 27, 2009 at 03:04:19PM -0500, Matthew Huff wrote:
> < ... snip ... >
> dns queries to the . hint file
> are still occuring and are not being denied by our servers. For example:
> 27-Jan-2009 15:00:22.963 queries: client view
> external-in: query: . IN NS +
> < ... snip ... >
> since you can't put a "allow-query { none; };" in a hint zone, what can I do
> to deny the query to the . zone file?

AFAIK, that's about the best you can do with the DNS configuration. You've 
mitigated the amplification value, so hopefully the perpetrator(s) will drop 
you. If you're willing to keep up with the moving targets, the next level 
is an inbound packet filter. Add to your inbound ACL:

deny udp host neq 53 any eq 53

Also on this topic:
Coincident with this DNS DOS, I started seeing inbound PTR queries from 
various hosts on (which are blackholed by my DNS servers). 
They receive no response, yet they persist.  Anyone have thoughts on their 
part in the scheme?

Best wishes,
Nate Itkin

More information about the NANOG mailing list