我的 DNS 服务器速度达到 20mbps,为什么?

我的 DNS 服务器速度达到 20mbps,为什么?

我在 EC2 中运行 DNS 服务器,昨天它的速度约为 20mbps,当我检查我的计费仪表板时,发现本月使用了 1.86 TB 的数据。这对我的小型项目实验室来说是一笔不小的开支。我从未注意到性能下降,之前也没有费心设置流量阈值,但现在我注意到了,因为这花费了我 200 多美元的带宽费用。

似乎有人利用我的 DNS 服务器实施了放大攻击,但我不知道具体是怎么回事。

配置如下。

// BBB.BBB.BBB.BBB = ns2.mydomain.com ip address

options {
        listen-on port 53 { any; };
//      listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-transfer { BBB.BBB.BBB.BBB; };
        allow-query-cache { BBB.BBB.BBB.BBB; };
        allow-query { any; };
        allow-recursion { none; };

        empty-zones-enable no;
        forwarders { 8.8.8.8; 8.8.4.4; };

        fetch-glue no;
        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "mydomain.com" IN {
        type master;
        file "zones/mydomain.com";
        allow-transfer { BBB.BBB.BBB.BBB; localhost; };
};

鉴于此配置,我不应该回答任何我不在本地托管的区域的查询,对吗?此服务器是一些域的 SOA,但不用于查找我的其他服务器的任何内容(每个人都针对 OpenDNS 或 Google 进行解析)。我在这里犯了什么指令错误,还是我忘记了?我的日志(63MB+)充满了以下内容:

client 58.215.173.155#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 58.215.173.155#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 58.215.173.155#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 58.215.173.155#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 58.215.173.155#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 58.215.173.155#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 218.93.206.228#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 218.93.206.228#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 218.93.206.228#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 218.93.206.228#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 218.93.206.228#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 218.93.206.228#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 50.19.220.154#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 50.19.220.154#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 50.19.220.154#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 50.19.220.154#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 50.19.220.154#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 50.19.220.154#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 123.207.161.124#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 123.207.161.124#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 123.207.161.124#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 123.207.161.124#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 123.207.161.124#4444: query (cache) 'cpsc.gov/ANY/IN' denied

答案1

即使您的服务器设置为仅回答权威查询,它仍有可能被用于放大攻击 -ANY针对区域根的查询可能会触发相当繁重的 UDP 响应,因为区域根往往具有许多记录,尤其是 SPF/DKIM/DNSSEC。

这很可能就是您的系统上正在发生的事情 - 请使用tcpdump进行确认。如果他们在放大攻击中使用您的权威记录,那么您最好的选择就是简单地移动到新 IP 并希望他们不会跟踪,更改您的区域根记录以使其成为效率较低的放大向量,或者实施响应速率限制(如果您的 BIND 支持它)。

相关内容