Problem: spamassassin does not seem to use DNS blacklists and therefore has a poor detection rate

The fact that spamassassin uses no DNS blacklists, or only some of them, can be recognized, for example, by the test URIBL_BLOCKED being listed in the mail header X-Spam-Status.

Various DNS blacklist operators have defined query limits that restrict requests from a single IP address. If the number of queries exceeds the limit, the requesting IP address is blocked. If you really operate a high-volume mail server, it may be unavoidable to have your IP address reactivated by paying a fee to the DNS blacklist operator.

With a low-volume mail server another problem usually occurs: the DNS server of the provider is used as a forwarding server. All DNS queries that the UCS DNS server cannot answer directly from its LDAP or cache are forwarded directly to the internet provider, who then queries the DNS blacklist, for example. As a rule, the DNS servers of the provider quickly exceed the request limit and are blocked, so that the UCS DNS server no longer receives meaningful DNS responses.

The solution can be to configure the local UCS DNS server on the mail system as a “recursive resolver”. The migration requires removing the DNS forwarders in the UCR configuration and disabling the DNS fake root zone:

```
# ucr unset dns/forwarder1 dns/forwarder2 dns/forwarder3
```

DNS requests are then no longer forwarded to the internet provider; instead, the UCS DNS server traverses the DNS hierarchy, starting at the DNS root servers, until it receives a response to its request.

However, you should be careful before or during the conversion: a recursive resolver can be used for amplifying attacks, since DNS queries can be made via a small UDP packet and the senders of UDP packets can easily be faked. The attacker then sends many small DNS UDP packets with a faked sender IP address and asks for DNS entries that are very extensive and therefore require many response packets. The large number of response packets is not sent to the attacker, but to the victim, who has the same IP address as the fake sender IP address of the DNS request. Therefore, you should always restrict the DNS server query and check this regularly.
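The X-Spam-Status check for URIBL_BLOCKED described above can be run over stored mail with a short script. This is an added example, not code from the original article or from Univention; the sample messages are constructed, and counting every test name that ends in `_BLOCKED` (not only URIBL_BLOCKED) is an assumption that goes beyond the page.

```python
import email
import re
from collections import Counter

# Constructed sample messages (not real mail). The first header is folded
# inside the tests= list, as happens when the list is long.
SAMPLE_MESSAGES = [
    "From: a@example.com\nX-Spam-Status: No, score=-0.1 required=5.0 "
    "tests=DKIM_SIGNED,DKIM_VALID,\n\tURIBL_BLOCKED autolearn=ham\n\nbody\n",
    "From: b@example.com\nX-Spam-Status: Yes, score=7.2 required=5.0 "
    "tests=BAYES_99,URIBL_BLACK\n\tautolearn=no\n\nbody\n",
    "From: c@example.com\nSubject: never scanned\n\nbody\n",
    "From: d@example.com\nX-Spam-Status: No, score=0.0 required=5.0 "
    "tests=RCVD_IN_DNSWL_BLOCKED,URIBL_BLOCKED\n\nbody\n",
]

def spam_tests(raw_message):
    """Return the rule names from X-Spam-Status, or None if the header is absent."""
    header = email.message_from_string(raw_message)["X-Spam-Status"]
    if header is None:
        return None
    # Undo header folding inside the comma-separated tests= list.
    unfolded = re.sub(r",\s+", ",", header)
    match = re.search(r"\btests=(\S+)", unfolded)
    if not match or match.group(1) == "none":
        return []
    return [name for name in match.group(1).split(",") if name]

def blocked_report(raw_messages):
    """Count scanned messages and how often each *_BLOCKED test fired."""
    scanned = 0
    blocked = Counter()
    for raw in raw_messages:
        tests = spam_tests(raw)
        if tests is None:
            continue  # message was not scanned by spamassassin
        scanned += 1
        # Assumption: any test ending in _BLOCKED signals a refused DNS lookup.
        blocked.update(t for t in tests if t.endswith("_BLOCKED"))
    return scanned, dict(blocked)

if __name__ == "__main__":
    scanned, blocked = blocked_report(SAMPLE_MESSAGES)
    for rule, hits in sorted(blocked.items()):
        print(f"{rule}: {hits} of {scanned} scanned messages")
```

A high share of scanned messages carrying URIBL_BLOCKED indicates that blacklist lookups are being refused for the resolver in use, so it is worth re-running the count after the resolver change.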