
Simple DNS Plus News

31 Jan 2009 - Option in Simple DNS Plus to ignore root requests

Because of continued reports about DNS amplification / DDoS attacks (DNS requests for NS-records for <root> from spoofed IP addresses), we have added a new option in Simple DNS Plus to make it easy to deal with these requests and keep them out of the log.

In the Simple DNS Plus Options dialog / DNS / Miscellaneous section, there is now a new "Ignore all DNS requests for <root>" option:

Image1.png

The statistics (available through the HTTP API) also have a new counter for this:

Image2.png

This new option is in Simple DNS Plus v. 5.1 build 128, now available at http://www.simpledns.com/download.aspx

Please note that this only works against a very specific type of attack, which has been rampant for the last two weeks or so. It may become useless very quickly if the attackers change their tactics, but at least it should help right now.

IMPORTANT: When registering new domain names, some registrars require that your DNS server responds with a correct list of DNS root servers as part of their tests, so you may need to temporarily switch this option off when doing this.
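As an added illustration (not Simple DNS Plus code), the following sketch shows on the DNS wire format what a "drop requests for <root>" filter matches, and why a request for any other name, such as the random-looking label reported in the comments, passes straight through it. The function names are hypothetical, the packets are constructed test input, and matching on the question name alone (any record type) is an assumption based on the option's label.

```python
import struct

QTYPE_NS = 2  # NS record type (RFC 1035)

def build_query(name, qtype, txid=0x1234):
    """Encode a single-question DNS query. Constructed test input only."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (is_query, qname, qtype) for the question, or None if malformed."""
    if len(packet) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        pos += 1
        if length == 0:          # zero-length label terminates the name
            break
        # Lengths above 63 are compression pointers or reserved values,
        # neither of which is expected in a question name.
        if length > 63 or pos + length > len(packet):
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        return None
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    is_query = (flags & 0x8000) == 0   # QR bit clear means request
    return is_query, ".".join(labels) + ".", qtype

def should_ignore(packet):
    """True when the packet is a request whose question name is the root."""
    parsed = parse_question(packet)
    if parsed is None:
        return False   # malformed packets are left to the normal code path
    is_query, qname, _qtype = parsed
    return is_query and qname == "."

ROOT_NS_QUERY = build_query(".", QTYPE_NS)
RANDOM_LABEL_QUERY = build_query("nlpblaaaaafwx0000hfaaabaaafbekdk.", QTYPE_NS)
```

The root NS request is only 17 bytes on the wire, which is what makes it attractive for amplification; the filter keys on the empty question name, so it does nothing for requests that carry any label at all.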




Comments:

31 Jan 2009 16:30 GMT - by Varick:
Thank you, as it was becoming a pain to block IPs on a daily basis. This update does indeed work.

31 Jan 2009 18:06 GMT - by Jim Hill:
Tactics are already changing:-
Brian Keefer in dnsop <20090131093218.GB31406@outpost.ds9a.nl> on Sat, 31 Jan 2009 10:32:19 +0100
I've seen this starting today:
09:53:39 Not authoritative for 'jalbmlaaaafwx0000dfaaabaaaabdcen', sending servfail to 70.86.80.98
09:55:43 Not authoritative for 'nfdincaaaafwx0000dfaaabaaaabjmbh', sending servfail to 70.86.80.98
09:57:48 Not authoritative for 'dcghlcaaaafwx0000dfaaabaaaabakdd', sending servfail to 70.86.80.98
09:57:54 Not authoritative for 'doghfbaaaafwx0000dfaaabaaaabkhpg', sending servfail to 70.86.80.98
09:59:59 Not authoritative for 'ncedhaaaaafwx0000dfaaabaaaabhbcp', sending servfail to 70.86.80.98
10:02:03 Not authoritative for 'mfbodbaaaafwx0000dfaaabaaaabjohc', sending servfail to 70.86.80.98
10:04:08 Not authoritative for 'dcmndmaaaafwx0000dfaaabaaaabobjk', sending servfail to 70.86.80.98
10:06:12 Not authoritative for 'jejlpbaaaafwx0000dfaaabaaaabopoa', sending servfail to 70.86.80.98
10:08:11 Not authoritative for '', sending servfail to 70.86.80.98 (recursion was desired)
10:08:17 Not authoritative for 'kdhjlcaaaafwx0000dfaaabaaaabnpdp', sending servfail to 70.86.80.98
10:10:21 Not authoritative for 'jnlnfbaaaafwx0000dfaaabaaaabfjip', sending servfail to 70.86.80.98
10:12:26 Not authoritative for 'albgbfaaaafwx0000dfaaabaaaabchdd', sending servfail to 70.86.80.98
10:14:30 Not authoritative for 'ohjbbnaaaafwx0000dfaaabaaaabjkph', sending servfail to 70.86.80.98
10:16:35 Not authoritative for 'moennnaaaafwx0000dfaaabaaaabkmae', sending servfail to 70.86.80.98
10:18:40 Not authoritative for 'keopjfaaaafwx0000dfaaabaaaabkpfm', sending servfail to 70.86.80.98
10:20:44 Not authoritative for 'neopgnaaaafwx0000dfaaabaaaabdhld', sending servfail to 70.86.80.98
I'm seeing similar here.

02 Feb 2009 08:17 GMT - by Stephane:
Have you, by any chance, failed to restrict recursive queries to your local/trusted networks?

02 Feb 2009 13:04 GMT - by Jim Hill:
No, I was seeing a few entries like this ...
.
09:53:48 Request from 70.86.80.98 for NS-record for nlpblaaaaafwx0000hfaaabaaafbekdk.
09:53:48 Sending reply to 70.86.80.98 about NS-record for nlpblaaaaafwx0000hfaaabaaafbekdk.:
09:53:48 -> Header: Refused - will not answer this client or this query type.
.
suggesting a change of tactics already away from bogus <root> requests.
.
However, it seems that v4.00.06 (still not had a chance to install the upgrade) doesn't handle these problems too well, viz
.
06:37:52 Request from 217.151.101.100 for A-record for 7.31.3.201.ips.backscatterer.org.
06:37:52 Sending request to 202.91.163.23 (dnsbl-mirrors.backscatterer.org.) for A-record for 7.31.3.201.ips.backscatterer.org.
06:37:52 Request from 217.151.101.100 for TXT-record for 7.31.3.201.ips.backscatterer.org.
06:37:52 Sending request to 202.91.163.23 (dnsbl-mirrors.backscatterer.org.) for TXT-record for 7.31.3.201.ips.backscatterer.org.
06:37:53 Reply from 202.91.163.23 about A-record for 7.31.3.201.ips.backscatterer.org.:
06:37:53 -> Header: Refused - will not answer this client or this query type.
06:37:53 Sending request to 66.11.123.250 (dnsbl-mirrors.backscatterer.org.) for A-record for 7.31.3.201.ips.backscatterer.org.
06:37:53 Reply from 202.91.163.23 about TXT-record for 7.31.3.201.ips.backscatterer.org.:
06:37:53 -> Header: Refused - will not answer this client or this query type.
06:37:53 Sending request to 81.223.116.50 (dnsbl-mirrors.backscatterer.org.) for TXT-record for 7.31.3.201.ips.backscatterer.org.
06:37:53 Reply from 81.223.116.50 about TXT-record for 7.31.3.201.ips.backscatterer.org.:
06:37:53 -> Header: Name does not exist.
06:37:53 -> Authority: SOA-record for ips.backscatterer.org. = ips.backscatterer.org. [2009020108]
06:37:53 Sending reply to 217.151.101.100 about TXT-record for 7.31.3.201.ips.backscatterer.org.:
06:37:53 -> Header: Name does not exist.
06:37:53 -> Authority: SOA-record for ips.backscatterer.org. = ips.backscatterer.org. [2009020108]
.
Whether that's due to backscatterer.org running sdnsplus, an internal logic fault in v4 or just a logging artifact is impossible to tell from here without some detailed packet analysis.

02 Feb 2009 13:07 GMT - by Jesper - JH Software:
Jim - we have seen a few similar requests here, but they are few and far between.
At this point, I would recommend using the settings described at
http://www.simpledns.com/newsitem.aspx?id=2362
If you (or anyone else) notice similar requests at an increased rate, please let us know immediately, and we'll take a closer look.

02 Feb 2009 13:13 GMT - by Jesper - JH Software:
Not sure how the "backscatterer.org" requests are related to this?
Is 217.151.101.100 one of yours?
Otherwise you need to restrict recursion (see Options dialog / DNS / Recursion).

02 Feb 2009 20:15 GMT - by Jim Hill:
I confirm that recursion is limited to my lan, 217.151.101.96/29, and that lame requests are being refused.
.
In the above log, 217.151.101.100 is my mail server and backscatterer is a dnsbl (see http://www.backscatterer.org). From what I can see, sdnsplus v4 is treating some backscatterer responses as lame but not others. No idea why, nor why this appears to be limited to backscatterer responses on my system.
.
I've seen quite a few responses like this but they're not easy to find in the logs. I'll try to determine the extent of this problem later.
.
Perhaps, for the future, you might consider adding an identifier to the error messages, eg...
.
06:37:53 -> Header: Refused - will not answer this client or this query type [202.91.163.23].
.
... so that they can be traced more easily.




Copyright © 1999-2010 JH Software ApS. All Rights Reserved.