1 Jan 2003, 11:49 p.m.
On Wed, 1 Jan 2003, Avleen Vig wrote:
> Tracing back an IP from bind logs to see which name servers looked up an attacked address immediately before the attack started. This at least leads to the offender's ISP, which is a good start.
Relatively few people restrict the use of their name servers to only local users. More folks have been getting DNS servers from DHCP/Radius, but there are still a lot of users with hard-coded resolvers. There may be a few DNS resolvers which keep track of query sources, but more than likely you'll end up at another dead-end because the true source will be somewhere else. Let's add port 53 to the ever-growing list of ports to block.
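Added example, not part of the original messages: a sketch of the log correlation discussed in this thread, listing which resolvers queried an attacked name in the minutes before the attack began. It assumes BIND 9 style query-log lines with timestamps enabled; the log lines, addresses, host name and attack time are constructed, and `resolvers_before_attack` is a hypothetical helper.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in BIND 9 query-log style (timestamps enabled).
# Addresses are documentation ranges; the host name is a placeholder.
SAMPLE_LOG = """\
01-Jan-2003 23:10:02.114 queries: info: client 198.51.100.7#32770: query: www.example.com IN A +
01-Jan-2003 23:38:41.902 queries: info: client 203.0.113.53#1044: query: www.example.com IN A +
01-Jan-2003 23:39:05.377 queries: info: client 192.0.2.25#32801: query: mail.example.com IN MX +
01-Jan-2003 23:39:58.010 queries: info: client 203.0.113.53#1045: query: www.example.com IN A +
01-Jan-2003 23:39:59.640 queries: info: client 198.51.100.99#53: query: WWW.EXAMPLE.COM IN A -
01-Jan-2003 23:41:12.000 queries: info: client 192.0.2.25#32802: query: www.example.com IN A +
"""

# Tolerates the optional "@0x..." handle and "(name)" fields of newer BIND 9 releases.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) .*?"
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) IN (?P<type>\S+)"
)

def resolvers_before_attack(log_text, target, attack_start, window_minutes=5):
    """Return [(resolver_ip, query_count, last_seen)] for queries on `target`
    inside the window just before `attack_start`, most recent first."""
    target = target.rstrip(".").lower()
    earliest = attack_start - timedelta(minutes=window_minutes)
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query line, or a format this regex does not cover
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        if not (earliest <= ts < attack_start):
            continue
        if m["name"].rstrip(".").lower() != target:  # DNS names are case-insensitive
            continue
        count, _ = seen.get(m["ip"], (0, None))
        seen[m["ip"]] = (count + 1, ts)
    return sorted(((ip, c, t) for ip, (c, t) in seen.items()),
                  key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    start = datetime(2003, 1, 1, 23, 40, 0)  # constructed attack start time
    for ip, count, last in resolvers_before_attack(SAMPLE_LOG, "www.example.com", start):
        # Each hit is a recursive resolver, which may serve many unrelated users.
        print(f"{last}  {ip}  queries={count}")
```

Each address returned is the resolver that asked, so an open or widely shared resolver in the output narrows the search no further than its operator.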