[AusNOG] DNS in general - was Re: Botnet??

Andrew Paternoster Andrew at screwloose.com.au
Mon Jul 30 22:37:09 EST 2012


Thanks to all that posted. One of our servers didn't have recursion turned off (the default setting) and that's what caused all the issues. We sorted out the issues, tweaked our firewalls, and I made two local zones for the domains they were asking for, and most of the traffic has died now. It was interesting to hear about people being hit by the same attack. I guess to stop it in future, make sure that only your own customers are using your recursive DNS servers; that way you can control them even if they are IP spoofing.

For anyone that was interested, the two domains that were being requested from our servers are spl.com and dgtl.ws.
I would be interested in how many other DNS servers they were doing this to.

Thank you
Andrew Paternoster

-----Original Message-----
From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Dobbins, Roland
Sent: Monday, 30 July 2012 12:46 PM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] DNS in general - was Re: Botnet??


On Jul 30, 2012, at 5:59 AM, Terry Sweetser (SkyMesh CTO) wrote:

> Overall, the most useful advice I can give anyone: deploy your DNS server farms on anycast.

Concur.  Note that in the example diagram, the interfaces which answer queries are anycasted.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
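
Added example, not part of the original thread: a check over resolver query logs for the condition described in the first message, recursive queries arriving from sources outside your own customer ranges. The log lines are constructed in the style of a BIND query log, and `CUSTOMER_NETS` and all addresses are placeholder documentation ranges.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the prefixes your own customers query from (documentation ranges).
CUSTOMER_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]

# Constructed sample lines in the style of a BIND query log.
# The flag after the query type is '+' when Recursion Desired is set, '-' otherwise.
SAMPLE_LOG = """\
30-Jul-2012 10:15:01.101 client 192.0.2.10#40112: query: www.example.net IN A + (192.0.2.53)
30-Jul-2012 10:15:01.245 client 198.51.100.7#53211: query: spl.com IN A +E (192.0.2.53)
30-Jul-2012 10:15:01.246 client 198.51.100.7#53211: query: SPL.com IN A +E (192.0.2.53)
30-Jul-2012 10:15:01.300 client 203.0.113.99#1025: query: dgtl.ws IN A +E (192.0.2.53)
30-Jul-2012 10:15:01.412 client 203.0.113.5#33000: query: example.net IN SOA - (192.0.2.53)
30-Jul-2012 10:15:01.500 client 2001:db8::25#50000: query: dgtl.ws IN A + (192.0.2.53)
"""

LINE_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: "
    r"(?P<qname>\S+) \S+ \S+ (?P<flags>[+-])"
)


def is_customer(ip):
    """True when the source address falls inside one of CUSTOMER_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CUSTOMER_NETS if addr.version == net.version)


def offnet_recursion(log_text):
    """Count recursive queries from non-customer sources, per query name."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None or m["flags"] != "+":
            continue  # unparseable line, or a non-recursive query
        if not is_customer(m["ip"]):
            hits[m["qname"].lower().rstrip(".")] += 1
    return hits


if __name__ == "__main__":
    # Any output here means the resolver is receiving recursive queries
    # from addresses outside the customer ranges.
    for qname, count in offnet_recursion(SAMPLE_LOG).most_common():
        print(f"{count:6d}  {qname}")
```

A non-empty result only shows that off-net sources are sending recursive queries; whether they get answered depends on the resolver's recursion access controls.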
