Tightened DNS security question re: DNS amplification attacks.

> < ... snip ... >
> dns queries to the . hint file
> are still occuring and are not being denied by our servers. For example:
> 27-Jan-2009 15:00:22.963 queries: client view
> external-in: query: . IN NS +
> < ... snip ... >
> since you can't put a "allow-query { none; };" in a hint zone, what can I d
> to deny the query to the . zone file?

AFAIK, that's about the best you can do with the DNS configuration. You've
mitigated the amplification value, so hopefully the perpetrator(s) will drop
you. If you're willing to keep up with the moving targets, the next level
is an inbound packet filter. Add to your inbound ACL:

deny udp host neq 53 any eq 53

  Which pre-supposes that os not emitting queries of
  its own.

  BCP 140 looked at this problem and concluded that sending
  REFUSED was the best general guidance that can be given.
  While BCP 140 applies to recursive servers, returning REFUSED
  to queries which are not within the namespace served by
  authoritative servers is entirely consistant with BCP 140.

Also on this topic:
Coincident with this DNS DOS, I started seeing inbound PTR queries from
various hosts on (which are blackholed by my DNS servers).
They receive no response, yet they persist. Anyone have thoughts on their
part in the scheme?

  If you don't implement BCP 38 you don't block bogus traffic.

  Unless you are using then you aren't implementing
  BCP 38 either. If you were you wouldn't be seeing queries from


Agree. Thank you for catching that. I should have elaborated that one
must be very judicious about adding ACLs for the reasons you mentioned.
One of the DOS victims had explicitly said not to expect queries from two
of the recent targets, but yeah, not necessarily a good plan in the general

Best wishes,
Nate Itkin