n intelligently designed firewall rule that drops the incoming requests
isn't doing exactly what the attacker wants. It's the opposite. The
main effect of forged lookups is a response flood. And so it is also
intended to flood the victim with overwhelming amounts of DNS
responses. It, like any solution, is a two edged blade. Allowing all
the responses to flow back to the victim floods them. Dropping the
incoming request prevents that but it also prevents them from doing
lookups on your nameserver for domains that you are authoritative for.
So if you drop all these forged queries to your authoritative
nameservers save one or two, the victim will get less traffic, and still
be able to do lookups - they'll just take a wee bit longer on average.
If your nameserver is only getting one or two of these every several
minutes, then your impact on the victim is insignificant and you need
not take any action - assuming your BIND configuration is proper.
However if you happen to be a fat target and you're getting dozens or
hundreds of these per second, then you're having a significant impact on
the victim and that particular server should do some filtering.
Firewalls are smart these days. It's entirely possible to do some deep
packet inspection and drop only the "." requests, and/or do rate
limiting. The only firewalls left that can't do this are ancient beasts
that have too many layers of dust on them.
So in addition to ensuring your BIND configuration is setup properly to
refuse upward referrals, recursion, answers from cache to strangers so
forth and so on, it is also important to judiciously apply firewall rules.
There can be more than one proper thing to do.
Stephane Bortzmeyer wrote:
Linux: freedom to build is good
Please top-post and trim when replying to my messages. I most often read mail on a small device.
VERY NOT-IMPORTANT NOT-LEGAL NOTICES:
Recalling a message does in no way delete it from my computer. Rather, it brings attention to your original email and recalling it causes me to search for a reason to find embarrassment. Please don't send message recall messages. It's silly and obnoxious and wastes even more bandwidth and patience.
Regardless of what legal message you append to your email message, I am not obligated or constrained in any way shape or form. If I feel like printing it outand taping it up at the local gym, or mass mailing it to 15,000 people, I will. I feel especially inclined to do so the longer your "legal" advisory is. Such notices are unenforceable and do not protect you or your company from things you say, or things others do with the email.
"Millions of innocent men, women and children, since the introduction of Christianity, have been burnt, tortured, fined, imprisoned; yet we have not advancedone inch towards uniformity. What has been the effect of coercion? To make half the world fools, and the other half hypocrites." --Thomas Jefferson
This message is confidential to the Internet at large, unless otherwise indicated or apparent from its nature. It may not be reproduced on Mars unless it has previously been printed on Uranus. This message is directed to the intended recipient only (usually everyone, but sometimes nobody and once in a blue moon, just somebody), who may be readily determined by the sender of this message and its contents. This email message (including any attachments) is not for the sole use of the intended recipient(s)