
Re: DNS hits



Hi Glenn,

On Sat, Feb 11, 2017 at 04:11:13PM -0700, Glenn English wrote:
> > Does your DNS answer recursive queries?
> >
> 
> Oh, my lord. I didn't think it did -- I tried to configure BIND to do
> recursion only from my net. I just tried it from an external IP, and sure
> enough, it gave me an address for www.abc.com. But I just saw another
> config option that turns recursion off completely.

If your nameserver offered recursion then it was most likely scanned
and added to a list of such servers, and is now being used to take
part in distributed denial of service attacks.

If the really large amount of traffic is appearing to come
from relatively few sources at any given time, then you may
actually be taking part in an attack on those apparent sources. The
attackers forge a victim's source address and make a DNS query to an
open resolver for a large record, then the resolver sends that
answer back to the forged source. This inflicts a large amount of
traffic on a third party, as there will be potentially many
thousands of open resolvers doing this all at once.

If on the other hand the really large amount of traffic is coming
from hundreds or thousands of different hosts at once then it is
more likely that you are the victim and they are the open resolvers.

If you're facilitating the DDoS then closing your open resolver
should fix it, though not immediately, as they won't know that it
stopped working for a while.

Some more information about the denial of service attacks which use
open recursive nameservers:

    http://www.securiteam.com/securityreviews/5GP0L00I0W.html

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
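
Added example, not part of the original message: a small triage script that applies the few-sources versus many-sources test described above to a summary of inbound DNS packets. The tuple format, the function names, the thresholds and the sample traffic are all assumptions constructed for illustration.

```python
from collections import Counter

def triage(flows, few=10, many=100, min_packets=1000, share=0.9):
    """Classify inbound DNS packets as 'reflector', 'victim' or 'inconclusive'.

    flows: iterable of (src_ip, src_port, dst_port) for packets arriving at
    this host. Thresholds are assumptions to tune, not values from the post.
    """
    queries = Counter()    # arriving at our port 53: requests for us to answer
    responses = Counter()  # arriving from port 53: answers sent to us
    for src, sport, dport in flows:
        if dport == 53:
            queries[src] += 1
        elif sport == 53:
            responses[src] += 1
    q_total, r_total = sum(queries.values()), sum(responses.values())
    # Many distinct resolvers answering us: our address is the forged source.
    if r_total >= min_packets and len(responses) >= many:
        return "victim", responses.most_common(5)
    # A handful of "clients" make up nearly all queries: those addresses are
    # probably forged, and our answers are landing on them.
    top = queries.most_common(few)
    if q_total >= min_packets and sum(n for _, n in top) >= share * q_total:
        return "reflector", top[:5]
    return "inconclusive", []

def sample_reflector():
    # Constructed: 3 apparent sources send 3000 queries, plus 50 ordinary clients.
    flows = [(f"198.51.100.{i % 3 + 1}", 40000 + i % 500, 53) for i in range(3000)]
    flows += [(f"192.0.2.{i + 1}", 50000 + i, 53) for i in range(50)]
    return flows

def sample_victim():
    # Constructed: 200 different resolvers each send us 10 unsolicited answers.
    return [(f"203.0.113.{i % 200 + 1}", 53, 30000 + i % 1000) for i in range(2000)]

if __name__ == "__main__":
    for name, flows in (("reflector case", sample_reflector()),
                        ("victim case", sample_victim())):
        verdict, talkers = triage(flows)
        print(name, "->", verdict, talkers[:3])
```

In the reflector case the top talkers are the likely targets, so they are addresses to avoid answering rather than hosts to block as attackers.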