
I have a Linux BIND DNS server which is being targeted in a DNS amplification attack.
I have applied DNS Response Rate Limiting and blocking of source IP addresses, which has solved the immediate problem of excessive IP traffic from the server. Packet capture of the remaining DNS traffic on the server shows the two most requested domains: isc.org and peacecorps.gov.

In many hours of Google searching and reading I have come across the following iptables snippet:

-A INPUT -i eno1 -p udp -m udp --dport 53 -m string --hex-string "|0A|peacecorps|03|gov|" --algo bm -j DROP

The issue that I have is that my server uses firewalld, which uses nftables in the background. firewalld has a direct mode that I am attempting to utilize; however, I cannot get the syntax correct.

With the Rate Limiting (and Fail2Ban) in place the DNS Server is ignoring the repeated requests. I would like to have one more hurdle in their way.

Thanks.

Michael Hampton
Dale

2 Answers

The answer to my question is:

firewall-cmd --direct --add-rule ipv4 filter INPUT 10 -i ens192 -p udp -m udp --dport 53 -m string --hex-string "|0A|peacecorps|03|gov|" --algo bm -j DROP

The answer was found at https://github.com/firewalld/firewalld/issues/527

Thanks.

Dale
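The "|0A|peacecorps|03|gov|" pattern in the rule above is simply the query name as it appears on the wire: DNS encodes a name as length-prefixed labels with no dots, so "peacecorps" (10 characters) becomes 0x0A followed by the label, and "gov" becomes 0x03 followed by the label. The following POSIX shell script is an added example, not code from the answer or from firewalld; it builds that pattern for any name and prints the corresponding firewall-cmd direct rule. The interface name, the priority of 10 and the use of --permanent are assumptions to adapt locally.

```shell
#!/bin/sh
# Added example (not from the answer or firewalld's documentation): turn a
# query name into the xt_string --hex-string pattern used by the rule, then
# print the matching firewalld direct rule for review before it is applied.

# Encode a domain name as a string-match hex pattern, e.g.
# peacecorps.gov -> |0A|peacecorps|03|gov|
dns_hex_string() {
  name=$1
  out='|'
  oldifs=$IFS
  IFS='.'
  for label in $name; do
    len=${#label}
    # A wire-format label is 1..63 octets; refuse anything else.
    if [ "$len" -gt 63 ] || [ "$len" -eq 0 ]; then
      IFS=$oldifs
      return 1
    fi
    out="${out}$(printf '%02X' "$len")|${label}|"
  done
  IFS=$oldifs
  printf '%s' "$out"
}

# Print the firewalld direct rule that drops UDP/53 packets carrying the name.
# Interface (argument 1) and priority 10 are placeholders; --permanent keeps
# the rule across a firewalld reload.
firewalld_drop_rule() {
  iface=$1
  pattern=$(dns_hex_string "$2") || return 1
  printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 10 -i %s -p udp -m udp --dport 53 -m string --hex-string "%s" --algo bm -j DROP\n' "$iface" "$pattern"
}

# Usage: generate the commands, read them, then run them.
# firewalld_drop_rule ens192 peacecorps.gov
# firewalld_drop_rule ens192 isc.org
```

Two caveats when using this kind of rule: the string match is case-sensitive unless the string module's --icase option is added, and it matches the byte sequence anywhere in the packet, so any query whose name contains those labels (including legitimate ones) is dropped. Response Rate Limiting and the recursion ACL remain the primary controls; this is only the extra hurdle the question asks for.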

Do you really need to enable recursion in your DNS server to public IPs?

  • If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
  • If you are building a RECURSIVE (caching) DNS server, you need to enable recursion.
  • If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks.

If you use BIND as your DNS server, you can set up an ACL to restrict recursive queries to your internal network. The recommended method is to create ACLs that match hosts that should be allowed access to cache and recursion on the servers. For example, if you wanted to provide recursion and access to the cache to clients you trusted, you could list them in an ACL such as the following:

acl "lan" {
    192.168.1.0/24;
    10.1.0.0/16;
    localhost;
    localnets;
};

options {
    ...
    allow-query { any; };
    allow-recursion { lan; };
    allow-query-cache { lan; };
    ...
};

This example ACL includes 192.168.1.0/24 and 10.1.0.0/16 as sample networks that would require access. You must replace these sample networks with networks that correctly reflect your environment. This will allow anyone to query your server for authoritative data, but only those hosts within the "trusted" ACL access to your cache and recursion.

Jesús Ángel
  • Unfortunately the script bunnies cannot see the "recursion no;" line in the config! – Dale Nov 15 '20 at 22:12
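The comment above makes a fair point: what matters is how the server answers from outside, not what the config file says. A quick way to confirm the ACL is in effect is to send a recursive query from a non-trusted address for a name the server is not authoritative for and look at the header: an open resolver answers NOERROR with the "ra" (recursion available) flag set, while a correctly restricted BIND answers REFUSED and omits "ra". The following POSIX shell script is an added example, not part of the answer or of BIND; it classifies dig output on that basis. The two sample outputs are constructed for the example, not captured from any real server, and the live-check helper assumes dig is installed.

```shell
#!/bin/sh
# Added example (not from the answer or BIND): judge from dig's header lines
# whether a server served a recursive query. Run the live check from an
# address outside the "lan" ACL, for a name the server does not host.

# Extract the status field from the ";; ->>HEADER<<-" line.
dig_status() {
  printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# True (exit 0) if the flags line advertises recursion available ("ra").
dig_has_ra() {
  printf '%s\n' "$1" | grep -q '^;; flags:.* ra[ ;]'
}

# Print "open" if recursion was served to us, "restricted" otherwise.
classify_resolver() {
  status=$(dig_status "$1")
  if [ "$status" = "NOERROR" ] && dig_has_ra "$1"; then
    echo open
  else
    echo restricted
  fi
}

# Constructed samples of the header part of dig output (not real captures).
OPEN_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
RESTRICTED_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 54321
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Live check against your own server (needs dig and network access):
#   check_live 203.0.113.10 example.com
check_live() {
  classify_resolver "$(dig @"$1" "$2" A)"
}
```

Run check_live from an address that is not in the ACL; "restricted" is the expected result after the allow-recursion change, and "open" means the ACL is not matching the way you intended (for instance because localnets covers a wider range than assumed).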