I keep getting attacks on my DNS servers from China. I am trying to formulate a rule on my Cisco 5510 with ASDM 6.3 to drop this malicious traffic. It is all UDP traffic. I have been blocking IP ranges, but I know there is a better fix.
Here is an example packet I am seeing in Wireshark. I will get 1,000s of connections from this one host (in this case the 115 addr, but it will just change if I block it). The request always seems to be for ANY and will roll through all of the domains I host.
102 0.064022 10.137.2.2 188.8.131.52 DNS 345 Standard query response 0x2132 SOA ns1.xxxt.net NS ns1.xxxt.net NS ns2.xxxt.net MX 10 ALT1.ASPMX.L.GOOGLE.com MX 20 ALT2.ASPMX.L.GOOGLE.com MX 0 ASPMX.L.GOOGLE.com TXT A xxx.xxx.48.215
My DNS server is running CentOS 5.5 and BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.1.
I am not as familiar with the Cisco platform, so any guidance is welcome; if you need more info, let me know.
Or will this ACL rule on BIND work for the named.conf?
Don't know if this helps, but almost all the traffic comes from:
CHINANET Zhejiang province network
No.31 ,jingrong street,beijing
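One defender-side way to pick out the behaviour described above (a single source sending ANY queries across every hosted zone) is to count ANY queries per client in BIND's query log and turn the offenders into ASA access-list entries. This is an added example, not code from the post or any reply; it assumes BIND query logging is enabled (its standard "client <ip>#<port>: query: <name> IN <type>" line format) and the sample log lines below are constructed, using documentation IP ranges rather than real traffic.

```python
import re
from collections import Counter, defaultdict

# BIND 9.x query-log line: "client <ip>#<port>: query: <name> IN <type> <flags>"
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log lines (not real traffic): one source asking ANY for
# every hosted zone, plus ordinary A/MX lookups from other clients.
SAMPLE_LOG = """\
13-Aug-2012 10:01:02.123 client 203.0.113.7#53: query: example-a.net IN ANY +
13-Aug-2012 10:01:02.124 client 203.0.113.7#53: query: example-b.net IN ANY +
13-Aug-2012 10:01:02.125 client 203.0.113.7#53: query: example-c.net IN ANY +
13-Aug-2012 10:01:02.126 client 203.0.113.7#53: query: example-a.net IN ANY +
13-Aug-2012 10:01:03.001 client 198.51.100.9#4123: query: www.example-a.net IN A +
13-Aug-2012 10:01:03.002 client 198.51.100.9#4124: query: example-a.net IN MX +
13-Aug-2012 10:01:03.500 client 192.0.2.55#3333: query: example-b.net IN ANY +
"""

def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) for each query-log line that parses."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name").lower(), m.group("qtype").upper()

def find_any_floods(log_text, threshold=3):
    """Return {ip: (any_count, distinct_zones)} for clients whose ANY-query
    count reaches the threshold; a lone ANY lookup from a normal client is ignored."""
    counts = Counter()
    zones = defaultdict(set)
    for ip, name, qtype in parse_queries(log_text):
        if qtype == "ANY":
            counts[ip] += 1
            zones[ip].add(name)
    return {ip: (n, len(zones[ip])) for ip, n in counts.items() if n >= threshold}

def asa_deny_lines(offenders, acl_name="OUTSIDE_IN"):
    """Render one ASA access-list entry per flagged source, dropping UDP/53 from it.
    The ACL name is a placeholder; use the name bound to your outside interface."""
    return [f"access-list {acl_name} deny udp host {ip} any eq domain"
            for ip in sorted(offenders)]

if __name__ == "__main__":
    flagged = find_any_floods(SAMPLE_LOG)
    for ip, (n, z) in flagged.items():
        print(f"{ip}: {n} ANY queries across {z} zones")
    print("\n".join(asa_deny_lines(flagged)))
```

Run it against `tail -f` of the real query log with a per-minute window to catch the source as it changes; since the sources rotate, treat the output as input to an object-group you refresh rather than a permanent block list.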