[nsd-users] in-addr lame delegation DOS

Robert Blayzor rblayzor.bulk at inoc.net
Thu Apr 21 18:37:47 UTC 2022


Our name servers have recently fallen victim to a group who literally 
delegated hundreds of IPv4 in-addr.arpa zones to our name servers blindly.

None of these in-addr.arpa zones were set up, so our servers are just 
refusing the queries. Unfortunately NAKs are not cached very long, so 
the noise is fierce from tens of thousands of queries per second looking 
for PTRs for these name servers.

Right now the only way I've been able to mitigate this is by adding the 
zone with a wildcard PTR that answers something with a long TTL. This 
cut down on the queries by like 95% or more.

The problem is, we keep finding more and more in-addr.arpa zones being 
blindly delegated to us.

Other than finding and adding these zones one by one, would it be 
possible to add a zone for the very root of in-addr.arpa and wildcard 
everything in the zone?

i.e.:

Create a zone for 31.in-addr.arpa

In the zone add RRs

*  86400 IN   PTR  null.invalid.


Or would I have to do:

*.*.* PTR null.invalid ?


Etc. ?


Just looking for a way to tell them to "back off" until we can find the 
offenders and have them fix their delegations.

-- 
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP:  https://pgp.inoc.net/rblayzor/
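The wildcard question in the post (one `*` at the zone apex versus `*.*.*`), worked through as an added example that is not part of the post or of NSD: a toy RFC 4592 lookup over a constructed 31.in-addr.arpa zone. It shows that a single apex wildcard synthesizes PTRs for names any number of labels deep, and that any existing name below the apex (a real delegation, or an empty non-terminal created by a real PTR) shadows the wildcard beneath it. All owner names under example. and the customer delegation are constructed.

```python
from typing import Dict, List, Optional, Tuple

ZONE_APEX = "31.in-addr.arpa."

# Constructed zone: owner name -> list of (type, rdata). The apex wildcard is the
# catch-all from the post; the other names stand in for real data an operator may serve.
ZONE: Dict[str, List[Tuple[str, str]]] = {
    ZONE_APEX: [("SOA", "ns1.example. hostmaster.example. 1 3600 900 604800 86400"),
                ("NS", "ns1.example.")],
    "*.31.in-addr.arpa.": [("PTR", "null.invalid.")],       # catch-all wildcard
    "2.31.in-addr.arpa.": [("NS", "ns.customer.example.")],  # a real delegation
    "1.7.31.in-addr.arpa.": [("PTR", "host.example.")],     # a real PTR record
}

def _in_zone(name: str) -> bool:
    return name == ZONE_APEX or name.endswith("." + ZONE_APEX)

def _ancestors(name: str):
    # Proper ancestors of name inside the zone, nearest first, apex last.
    labs = name.rstrip(".").split(".")
    for i in range(1, len(labs)):
        anc = ".".join(labs[i:]) + "."
        if not _in_zone(anc):
            return
        yield anc
        if anc == ZONE_APEX:
            return

# A name exists if it owns records or is an empty non-terminal above one
# (RFC 4592 section 2.2.2); existing names block wildcard synthesis below them.
EXISTING = set(ZONE) | {a for n in ZONE for a in _ancestors(n)}

def _ptr(owner: str) -> Tuple[str, Optional[str]]:
    ptrs = [rd for t, rd in ZONE.get(owner, []) if t == "PTR"]
    return ("PTR", ptrs[0]) if ptrs else ("NODATA", None)

def _is_delegation(owner: str) -> bool:
    return owner != ZONE_APEX and any(t == "NS" for t, _ in ZONE.get(owner, []))

def lookup(qname: str) -> Tuple[str, Optional[str]]:
    """Answer a PTR query for qname the way an authoritative server would."""
    q = qname.lower().rstrip(".") + "."
    if not _in_zone(q):
        return ("REFUSED", None)
    ancs = list(_ancestors(q))
    for anc in reversed(ancs):            # apex first: a delegation cuts the search
        if _is_delegation(anc):
            return ("REFERRAL", anc)
    if q in EXISTING:                     # exact match: nothing to synthesize
        return ("REFERRAL", q) if _is_delegation(q) else _ptr(q)
    closest = next(a for a in ancs if a in EXISTING)   # closest encloser
    if "*." + closest in ZONE:            # one "*" covers any depth below it
        return _ptr("*." + closest)
    return ("NXDOMAIN", None)
```

`lookup("4.3.9.31.in-addr.arpa")` is synthesized from the single apex wildcard, while `lookup("9.7.31.in-addr.arpa")` is NXDOMAIN because the real PTR at 1.7.31 makes 7.31 an existing empty non-terminal with no wildcard of its own.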

