Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
If it is the name server for a LAN, then it is the first stop for all queries, and needs to respond to legitimate requests for the isc.org domain (either with the root servers if recursion is off, or with the final answer if recursion is on). In such a case the iptables rules should probably be refined to block only requests from the outside, while still allowing them from inside (by physical interface or IP range).
If it is the name server for a LAN then it shouldn't be listening on any public interfaces in the first place ;-p Besides that, and this is more a basic thing, common QTYPES are A, MX or quad A. Apart from a certain stubborn MTA the "wildcard" or ANY QTYPE isn't that commonly seen percentage-wise.
My understanding of this attack was that the Internet was simply being flooded with these requests, which of all rights should only originate from "upstream" DNS servers, but actually coming from everywhere ... on the assumption that any server would respond to them anyway if received, and thereby contribute to the chaos.
No, any client may ask for it. The problem is there are too many name servers that answer requests they really shouldn't and the response is asymmetric, way larger than the request.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.