Stopping BIND replying to ‘.’ (the root)

Seems there is a new DDoS in town. Seeing requests for ‘.’ against my DNS servers from an IP, every minute or so. A query for ‘.’ (the root NS set) is answered from the root hints file on the DNS server: a query of a few dozen bytes gets back a list of all the root name servers plus their glue, several hundred bytes. Not a massive amount of traffic on its own… unless you are the spoofed source address of those queries, and consider how many DNS servers are now reflecting copies of their root hints file at you :/

Ideally I would like to be able to tell BIND to ignore any requests for ‘.’, but alas I cannot find a way to do that (anyone who knows how to do this on BIND 9.3.x, please let me know). My damage-limiting hack at the moment is to zero out the hints file itself, so querying ‘.’ gets you an empty answer. It doesn’t stop the problem, but the amount of data sent back is that bit less. My servers are not recursive and should only be responding for zones they host, so it shouldn’t cause me any issues not having a valid set of DNS roots.

Hopefully some bright spark will pop up with a nicer solution to this before it starts happening en masse.

update: An alternative to this is to put ‘additional-from-cache no’ in your BIND options. You will need recursion disabled as well (‘recursion no’), so this is really only for an authoritative-only server. It stops the server answering from its cache, and a query for ‘.’ then gets a ‘refused’ back, which, whilst still data, is nowhere near the size of the root hints reply.
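For reference, here is what that update looks like as a named.conf fragment for an authoritative-only BIND 9.3.x server. This is an added example, not the post's own configuration; the zone name ‘example.com’ and the file paths are placeholders, and only the two options the post names are doing the work.

```conf
// Added example (not the post's own config): authoritative-only named.conf
// for BIND 9.3.x. "example.com" and the paths are placeholders.
options {
    directory "/var/named";

    // Authoritative-only: never recurse on anyone's behalf.
    recursion no;

    // Only ever answer from authoritative zone data, never from the cache.
    // With recursion also off, a query for ". NS" (or anything else this
    // server does not host) is answered REFUSED instead of with the root
    // hints, so the reply is roughly the size of the query rather than
    // several hundred bytes.
    additional-from-cache no;
};

// Zones this server is authoritative for are unaffected and answer normally.
zone "example.com" {
    type master;
    file "example.com.zone";
};
```

To check it from outside, run `dig +norecurse NS . @your.server` before and after reloading: the status should change from NOERROR to REFUSED, and the `MSG SIZE rcvd` line at the bottom of the dig output should drop from a few hundred bytes to not much more than the query itself. Queries for the zones you host should still come back NOERROR with the `aa` flag set.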
