
Group:  English: Windows Server » microsoft.public.windows.server.dns
Thread: Block subnet from accessing DNS server


Block subnet from accessing DNS server
VinceV <vpv[ at ]ak7.com> 5/24/2007 4:10:51 PM
I'm experiencing a potential DoS attack from a group of servers on a
local subnet controlled by the UNIX group. These servers are
requesting a lookup of the same addresses every 10 seconds and putting
a considerable load on the Windows DNS servers.

My request to have those servers pointed to the appropriate DNS server
has fallen on deaf ears so I'd like to determine how to block them.

If I were running BIND I'd create a zone and simply ignore their
requests. Unfortunately the Windows Server 2003 DNS service lacks
that capability.

Any suggestions?

VinceV

Re: Block subnet from accessing DNS server
"Michael Dragone" <no.e-mail=less_spam> 5/24/2007 4:39:41 PM
Perhaps block their IP addresses on a router in your control between you and
them. Or use IPSec filtering on your Windows box.

"VinceV" <vpv[ at ]ak7.com> wrote in message
news:1180023051.182246.158060[ at ]u30g2000hsc.googlegroups.com...
> I'm experiencing a potential DoS attack from a group of servers on a
> local subnet controlled by the UNIX group. These servers are
> requesting a lookup of the same addresses every 10 seconds and putting
> a considerable load on the Windows DNS servers.
>
> My request to have those servers pointed to the appropriate DNS server
> has fallen on deaf ears so I'd like to determine how to block them.
>
> If I were running BIND I'd create a zone and simply ignore their
> requests. Unfortunately the Windows Server 2003 DNS service lacks
> that capability.
>
> Any suggestions?
>
> VinceV

Re: Block subnet from accessing DNS server
"sk" <nobody[ at ]nowhere.foobar> 5/25/2007 10:41:54 AM
> Perhaps block their IP addresses on a router in your control between
> you and them. Or use IPSec filtering on your Windows box.

Seconded; the IPSec filtering may be a quick and effective solution to
this issue. It will just be a matter of dropping UDP and TCP traffic to
your DNS port 53 if the traffic comes from the undesired subnets, and
this kind of filtering will not overload your machine, nor will you need to
install additional software to perform it, so... go for it. If you aren't sure
how to add IPSec filtering, this may be a good starting point:

http://www.microsoft.com/technet/network/ipsec/default.mspx

or you may ask for further info/details here (although somewhat OT).

Re: Block subnet from accessing DNS server
"Herb Martin" <news[ at ]learnquick.com> 5/25/2007 11:14:13 AM

"VinceV" <vpv[ at ]ak7.com> wrote in message
news:1180023051.182246.158060[ at ]u30g2000hsc.googlegroups.com...
> I'm experiencing a potential DoS attack from a group of servers on a
> local subnet controlled by the UNIX group. These servers are
> requesting a lookup of the same addresses every 10 seconds and putting
> a considerable load on the Windows DNS servers.
>
> My request to have those servers pointed to the appropriate DNS server
> has fallen on deaf ears so I'd like to determine how to block them.
>
> If I were running BIND I'd create a zone and simply ignore their
> requests. Unfortunately the Windows Server 2003 DNS service lacks
> that capability.
>
> Any suggestions?

Consider carefully the other recommendations for using IPSec filters,
which were offered by other responders.

Many people incorrectly believe that IPSec filters must lead to USING
IPSec itself -- this is not true -- those filters work to BLOCK or PASS
traffic, even if you have no desire to negotiate actual IPSec.


--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
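The block-only IPSec filter that sk and Herb describe (drop UDP and TCP to port 53 from the offending subnet, no IPSec negotiation involved), written out as an added example with the Windows Server 2003 `netsh ipsec static` commands; this is not code from the thread, and the subnet 192.0.2.0/24 and the policy, filter list and action names are constructed placeholders:

```powershell
# Added example: block DNS queries from one subnet with a static IPSec
# policy on Windows Server 2003. Run from an elevated cmd or PowerShell
# prompt on the DNS server itself. Subnet and names are placeholders.
$subnet = "192.0.2.0"          # assumed: the UNIX group's subnet
$mask   = "255.255.255.0"      # assumed: /24

# 1. A policy container; nothing is enforced until it is assigned (step 6).
netsh ipsec static add policy name="Block subnet DNS" description="Drop UDP/TCP 53 from $subnet"

# 2. A filter list holding the traffic selectors.
netsh ipsec static add filterlist name="Subnet to DNS port 53"

# 3. Two filters: UDP 53 and TCP 53 from the subnet to this host ("Me").
#    mirrored=yes also matches the reverse direction, so no replies leak out.
netsh ipsec static add filter filterlist="Subnet to DNS port 53" srcaddr=$subnet srcmask=$mask dstaddr=Me protocol=UDP srcport=0 dstport=53 mirrored=yes
netsh ipsec static add filter filterlist="Subnet to DNS port 53" srcaddr=$subnet srcmask=$mask dstaddr=Me protocol=TCP srcport=0 dstport=53 mirrored=yes

# 4. A filter action that simply blocks; no security methods are negotiated,
#    which is Herb's point: filtering does not require "using" IPSec.
netsh ipsec static add filteraction name="Block DNS" action=block

# 5. Tie policy, filter list and action together in a rule.
netsh ipsec static add rule name="Block subnet DNS rule" policy="Block subnet DNS" filterlist="Subnet to DNS port 53" filteraction="Block DNS"

# 6. Review the policy first (Kevin's caveat: blocking can have side effects),
#    then assign it. Only one IPSec policy can be assigned per machine.
netsh ipsec static show policy name="Block subnet DNS" level=verbose
netsh ipsec static set policy name="Block subnet DNS" assign=y

# To back out: unassign and delete the policy.
# netsh ipsec static set policy name="Block subnet DNS" assign=n
# netsh ipsec static delete policy name="Block subnet DNS"
```

Before assigning, confirm the server is not already relying on a different assigned IPSec policy (domain-delivered policies take precedence over local ones), since assigning this one replaces the local assignment.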


Re: Block subnet from accessing DNS server
"Kevin D. Goodknecht Sr. [MVP]" <admin[ at ]nospam.WFTX.US> 5/25/2007 12:28:41 PM
Read inline please.

In news:1180023051.182246.158060[ at ]u30g2000hsc.googlegroups.com,
VinceV <vpv[ at ]ak7.com> typed:
> I'm experiencing a potential DoS attack from a group of servers on a
> local subnet controlled by the UNIX group. These servers are
> requesting a lookup of the same addresses every 10 seconds and putting
> a considerable load on the Windows DNS servers.
>
> My request to have those servers pointed to the appropriate DNS server
> has fallen on deaf ears so I'd like to determine how to block them.
>
> If I were running BIND I'd create a zone and simply ignore their
> requests. Unfortunately the Windows Server 2003 DNS service lacks
> that capability.

Blocking these servers may cause unintended consequences; I would be more
inclined to first find out what the lookup is, why it keeps asking the
Windows DNS, and what answer it is looking for.
Interesting to me is that it repeats the lookup every 10 seconds; this
sounds like a forwarding loop. If it were anything else, the Windows DNS
would send an NXDOMAIN, and the lookup would stop, at least for the period of
the TTL of the negative answer.



--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/

