LinuxQuestions.org - Linux - Security
'isc.org/ANY/IN' denied: 1466 Time(s) (https://www.linuxquestions.org/questions/linux-security-4/isc-org-any-in-denied-1466-time-s-4175455790/)

unSpawn 04-04-2013 01:51 PM

Quote:

Originally Posted by cliffordw (Post 4923504)
If it is the name server for a LAN, then it is the first stop for all queries, and needs to respond to legitimate requests for the isc.org domain (either with the root servers if recursion is off, or with the final answer if recursion is on). In such a case the iptables rules should probably be refined to block only requests from the outside, while still allowing them from inside (by physical interface or IP range).

If it is the name server for a LAN then it shouldn't be listening on any public interfaces in the first place ;-p Besides that, and this is more a basic thing, common QTYPES are A, MX or quad A. Apart from a certain stubborn MTA the "wildcard" or ANY QTYPE isn't that commonly seen percentage-wise.

unSpawn 04-04-2013 01:56 PM

Quote:

Originally Posted by sundialsvcs (Post 4925086)
My understanding of this attack was that the Internet was simply being flooded with these requests, which of all rights should only originate from "upstream" DNS servers, but actually coming from everywhere ... on the assumption that any server would respond to them anyway if received, and thereby contribute to the chaos.

No, any client may ask for it. The problem is there are too many name servers that answer requests they really shouldn't and the response is asymmetric, way larger than the request.
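The two points above (a LAN resolver should only serve its own address ranges, and ANY queries arriving from outside are the signature of an amplification attempt) can be checked against the server's own query log. The following is an added example, not code from the thread or from ISC: it parses constructed lines modelled on BIND 9's "query (cache) '...' denied" log format, counts denied queries per client and per QTYPE, and flags outside clients that repeatedly ask for ANY. The LAN ranges, the threshold of three, and the sample addresses (RFC 5737 documentation networks) are assumptions chosen for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on BIND 9 denied-query entries (not from the thread).
# 203.0.113.0/24 stands in for "outside"; 192.0.2.0/24 stands in for the LAN.
SAMPLE_LOG = """\
client 203.0.113.7#53241: query (cache) 'isc.org/ANY/IN' denied
client 203.0.113.7#53242: query (cache) 'isc.org/ANY/IN' denied
client 203.0.113.7#53243: query (cache) 'isc.org/ANY/IN' denied
client 203.0.113.9#1025: query (cache) 'isc.org/ANY/IN' denied
client 192.0.2.25#40112: query (cache) 'example.com/A/IN' denied
client 192.0.2.25#40113: query (cache) 'example.com/MX/IN' denied
client 203.0.113.7#53244: query (cache) 'ripe.net/ANY/IN' denied
"""

# client <ip>#<port>: query (cache) '<name>/<qtype>/<class>' denied
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query \(cache\) "
    r"'(?P<name>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
)


def parse_denied(log_text):
    """Yield (client_ip, qname, qtype) for each denied-query line; ignore anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name"), m.group("qtype")


def summarize(log_text, lan_nets, any_threshold=3):
    """Aggregate denied queries per client and flag outside sources of repeated ANY queries.

    lan_nets: iterable of CIDR strings describing the networks the server is meant to serve.
    Returns a list of per-client dicts sorted by number of denied ANY queries, descending.
    """
    nets = [ipaddress.ip_network(n) for n in lan_nets]
    per_client = defaultdict(Counter)
    for ip, _name, qtype in parse_denied(log_text):
        per_client[ip][qtype] += 1

    report = []
    for ip, counts in per_client.items():
        addr = ipaddress.ip_address(ip)
        inside = any(addr in net for net in nets)
        any_count = counts.get("ANY", 0)
        report.append({
            "client": ip,
            # A denied query from *inside* the LAN points at an allow-query/allow-recursion
            # setting that is too tight, not at an attacker.
            "inside_lan": inside,
            "total_denied": sum(counts.values()),
            "any_denied": any_count,
            # Outside client, repeatedly asking for ANY: the amplification pattern.
            "flag": (not inside) and any_count >= any_threshold,
        })
    report.sort(key=lambda r: (-r["any_denied"], r["client"]))
    return report


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG, ["192.0.2.0/24"]):
        print(row)
```

Run against a real query log, the interesting rows are the two kinds the thread distinguishes: flagged outside clients (candidates for the interface or address-range restriction cliffordw describes) and any `inside_lan` rows at all, which mean legitimate internal lookups are being refused and the server's allow lists need widening rather than the firewall tightening.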


All times are GMT -5. The time now is 07:55 PM.