We have authoritative DNS servers for our public domain in our DMZ that are being hit with some DNS requests for a domain that we do not own. UDP traffic, src port 80, dst port 53. My DNS servers are responding with "Refused RRSIG" for the domain being requested.
I've confirmed via https://openresolver.com/ that my DNS servers are not recursive resolvers.
I do see some other traffic similar to this(UDP, src port 80 and dst port 53) that Snort drops as DNS Amplification attacks, but not this one for example.
I'm considering blocking anything source port 80 and destination port 53 to these DNS servers.
Should I be considering something else?
No comments:
Post a Comment