first, make sure that your DNS server does not allow direct recursion for anyone. Just allow recursion for trusted networks that you know. This will send a servfail to the target of the attack (some kind of Russian SEO business). If you are at this state, you’re ok. Check the link in the post above for a tool that checks your DNS server for this and infomation on how to configure Bind to disable recursion for anyone.

You can go a step further, though. And that is what I’m describing above. The failserv is still data, that you send out and traffic, you have to pay for. fail2ban (http://www.fail2ban.org/) is a software, that monitors log files and uses regular expressions to check for certain patterns. It then blocks IPs that match these patterns using iptables or another firewall. Check it out, it’s quite straight forward. You can also use it for Bind, you just need to use another regular expression that fits the log messages you’re getting. If you’re lucky, Bind is supported out of the box, but I’m not sure at the moment.

If you’ve got more control over your network, you can even block routing of this traffic at router or switch level directly, which is much more effective. Or ask your colo/upstream provider to do it for you.

Searching the IP 62.109.4.89 in google found your page here…

Reading the story here i’m not that disturbed. But it just someone is requesting these dns queries to an target.

So what can we do with fail2ban ? Does it work for bind as well ?

- Martijn