I run a DNS server in EC2. Yesterday it was pushing about 20 Mbps, and when I checked my billing dashboard I found that 1.86 TB of data had been used this month. That is not a small expense for my little project lab. I never noticed any performance drop, and I hadn't bothered to set up traffic thresholds before, but I am noticing now because it cost me over $200 in bandwidth charges.
It looks like someone has used my DNS server for an amplification attack, but I don't know exactly how.
The configuration is as follows.
// BBB.BBB.BBB.BBB = ns2.mydomain.com ip address
options {
    listen-on port 53 { any; };
    // listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-transfer { BBB.BBB.BBB.BBB; };
    allow-query-cache { BBB.BBB.BBB.BBB; };
    allow-query { any; };
    allow-recursion { none; };
    empty-zones-enable no;
    forwarders { 8.8.8.8; 8.8.4.4; };
    fetch-glue no;
    recursion no;
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "mydomain.com" IN {
    type master;
    file "zones/mydomain.com";
    allow-transfer { BBB.BBB.BBB.BBB; localhost; };
};
Given this configuration, I shouldn't be answering queries for any zone I don't host locally, right? This server is the SOA for a few domains, but it isn't used to look up anything for my other servers (everyone resolves against OpenDNS or Google). Which directive did I get wrong here, or what did I forget? My log (63MB+) is full of the following:
client 58.215.173.155#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 58.215.173.155#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 58.215.173.155#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 58.215.173.155#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 58.215.173.155#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 58.215.173.155#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 218.93.206.228#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 218.93.206.228#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 218.93.206.228#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 218.93.206.228#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 218.93.206.228#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 218.93.206.228#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 50.19.220.154#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 50.19.220.154#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 50.19.220.154#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 50.19.220.154#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 50.19.220.154#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 50.19.220.154#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 123.207.161.124#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 123.207.161.124#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 123.207.161.124#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 123.207.161.124#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 123.207.161.124#4444: query (cache) 'cpsc.gov/ANY/IN' denied
Answer 1
Even though your server is set up to answer only authoritative queries, it can still be used in an amplification attack: an ANY query against the zone apex can trigger a fairly heavy UDP response, because the zone apex tends to have many records, especially SPF/DKIM/DNSSEC.
That is most likely what is happening on your system; use tcpdump to confirm. If they are using your authoritative records in an amplification attack, your best options are to simply move to a new IP and hope they don't follow, change your zone apex records to make them a less efficient amplification vector, or implement Response Rate Limiting (if your BIND supports it).
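As an added example (not part of the original question or answer), the script below triages log lines in the exact format the poster pasted: it aggregates the "query (cache) ... denied" entries per source address and flags sources that show the reflection signature visible in the post, namely many queries for one name, all of type ANY, all from a single source port. The sample log is constructed for the example: it reuses the four addresses and port 4444 from the question, with made-up counts, plus a made-up benign client (203.0.113.7) for contrast. In a reflection attack the "client" address is the spoofed victim, not the attacker, so the flagged list is a list of likely targets.

```python
"""Triage BIND 'query (cache) ... denied' log lines for reflection traffic.

Added example, not the poster's code.  Parses the log format shown in the
question and flags sources that look like spoofed reflection requests.
"""
import re
from collections import defaultdict

# Matches e.g.  client 58.215.173.155#4444: query (cache) 'cpsc.gov/ANY/IN' denied
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
)

# Constructed sample log: the four addresses from the post (counts made up),
# plus one made-up stray client whose queries do not fit the pattern.
SAMPLE_LOG = "\n".join(
    [f"client {ip}#4444: query (cache) 'cpsc.gov/ANY/IN' denied"
     for ip in ("58.215.173.155", "218.93.206.228", "50.19.220.154", "123.207.161.124")
     for _ in range(6)]
    + ["client 203.0.113.7#53871: query (cache) 'example.org/A/IN' denied",
       "client 203.0.113.7#40112: query (cache) 'example.org/AAAA/IN' denied"]
)


def parse(log_text):
    """Yield (ip, port, qname, qtype) for every line in the denied-query format."""
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            yield m["ip"], int(m["port"]), m["qname"].lower(), m["qtype"]


def analyze(log_text):
    """Per source address: total queries, ANY queries, distinct source ports and names."""
    stats = defaultdict(lambda: {"total": 0, "any": 0, "ports": set(), "qnames": set()})
    for ip, port, qname, qtype in parse(log_text):
        s = stats[ip]
        s["total"] += 1
        s["any"] += qtype == "ANY"
        s["ports"].add(port)
        s["qnames"].add(qname)
    return dict(stats)


def suspects(stats, min_queries=5, any_ratio=0.9):
    """Addresses whose traffic matches the reflection pattern, most active first."""
    flagged = [
        ip for ip, s in stats.items()
        if s["total"] >= min_queries
        and s["any"] / s["total"] >= any_ratio
        and len(s["ports"]) == 1        # one fixed source port: typical of spoofing tools
        and len(s["qnames"]) == 1       # the same name hammered over and over
    ]
    return sorted(flagged, key=lambda ip: -stats[ip]["total"])


def shared_port(stats, ips):
    """If every flagged address uses the same single source port, return it, else None."""
    ports = {next(iter(stats[ip]["ports"])) for ip in ips}
    return ports.pop() if len(ports) == 1 else None


if __name__ == "__main__":
    st = analyze(SAMPLE_LOG)
    hits = suspects(st)
    for ip in hits:
        print(f"{ip:>16}  {st[ip]['total']:>4} queries  ANY only  ports {sorted(st[ip]['ports'])}")
    print("shared spoofed source port:", shared_port(st, hits))
```

Two caveats when reading the output. First, the denied lines themselves are answered with a small REFUSED reply, so they are not where the 1.86 TB went; the amplifying responses are the ANY queries for mydomain.com, which this configuration permits and which do not appear as "denied" at all. That is why the answer recommends tcpdump rather than the log, for example `tcpdump -ni eth0 udp port 53 and greater 512` to catch the large UDP answers leaving the host. Second, the Response Rate Limiting the answer mentions is the `rate-limit { responses-per-second N; };` block inside `options` in BIND 9.9.4 and later; it limits identical responses per client network rather than refusing queries, which is what makes it suitable for an authoritative server that must still answer the world.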