
I am using PowerDNS Recursor in a local ISP environment. Recursion is allowed only from our IP range, but I've come across a strange issue. Our own customers' PCs keep attacking our DNS server with queries like:

15:43:38.473842 IP [CLIENT_IP].51097 > [DNSSERVER_IP].domain: 42318+ A? qhmrazabkvghwtgv.www.dl26.com. (47)
15:43:38.474161 IP [CLIENT_IP].40825 > [DNSSERVER_IP].domain: 14848+ A? yzqxqtklodgzuv.www.dl26.com. (45)
15:43:38.474443 IP [CLIENT_IP].34094 > [DNSSERVER_IP].domain: 35692+ A? inahybijsvqt.www.sf97.net. (43)
15:43:38.474953 IP [CLIENT_IP].39432 > [DNSSERVER_IP].domain: 7105+ A? kpkfgrsxihst.www.tpa.net.cn. (45)

The remote domain is almost always a .cn one, but the rest of the domain name keeps changing. The easiest solution is to add a hashlimit-based rule in iptables, but clients are behind NAT, so traffic arriving at the DNS server carries the concentrator IP. I've also tried using the spywaredomains zone, but the remote domain keeps changing so I can't really block it. The number of requests for SPAM domains causes the PowerDNS cache to overgrow and also greatly increases the remote_timeout count. Is there any way to defend against such traffic and make DNS work like a charm again?

peterh
sihill
  • You're trying to treat a symptom of the problem instead of the cause of the problem. What you ought to be doing is figuring out why the client is doing this. – joeqwerty Mar 17 '14 at 15:28
  • Most of the clients are not related to IT and PC cleaning can take much time. You can't force them to do such a thing either, so securing DNS looks like the best option for me. – sihill Mar 17 '14 at 15:50
  • Unless the client's computer is infected with malware, which it sounds like in this case, in which case you're chasing your tail. If the client's computer is infected with malware then you're not fixing the problem, you're fixing a symptom of the problem. – joeqwerty Mar 17 '14 at 18:49
  • To add, if you are aware that your client is/may be infected with malware and you neither a) notify them in order that they may correct it or b) block their access, then **you** are contributing to the spread of the malware/spam/whatever else it's doing. –  Mar 17 '14 at 21:03
  • Sure thing that they were notified; however, can we stick to the topic, which is all about securing PDNS? – sihill Mar 17 '14 at 21:14

3 Answers

This is one of the distributed attacks against authoritative DNS servers that have been seen in the wild lately (not to be confused with the more popular DNS amplification attacks). The victims are the nameservers responsible for the domain nearest the TLD -- tpa.net.cn, sf97.net, etc. The attack strategy is to generate queries that will not be cached.

This is not simply a matter of blocking an individual client. If you're seeing this, it generally is a symptom of one of the following factors:

  • You are operating an "open resolver", a caching DNS server that is accessible to the general internet.
  • Your customers are operating open resolvers and forwarding queries to your nameservers. (this is more common than most people think)

In my experience you need to identify which of these is the case and take steps to reduce the abuse vectors into your network.

Andrew B
  • Thank you very much, that looks very possible to me because it is common this days that everyone has its own Access Point with DNS Resolver. My own DNS is configured to allow recursion only for our IP range. – sihill Mar 18 '14 at 13:16
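The pattern Andrew B describes (ever-changing leftmost labels under one parent, so nothing is cacheable) is visible in the tcpdump lines from the question. Here is an added detection example, not from the original post or from PowerDNS: it parses tcpdump `A?` lines and flags any (source, parent name) pair that asked for many distinct leftmost labels; the sample lines and IP addresses are constructed. Behind NAT the "source" is the concentrator, exactly as the question notes, so this identifies the concentrator rather than the infected PC.

```python
import re
from collections import defaultdict

# Matches the tcpdump format quoted in the question (A queries only).
TCPDUMP_RE = re.compile(
    r"IP (?P<client>\S+?)\.\d+ > \S+\.domain: \d+\+? A\? (?P<qname>\S+)\. \(\d+\)"
)

def parse_queries(lines):
    """Yield (client_ip, qname) for every tcpdump line that matches."""
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").lower()

def parent_zone(qname):
    """Drop the leftmost label: 'abc.www.dl26.com' -> 'www.dl26.com'."""
    return qname.split(".", 1)[1] if "." in qname else qname

def find_random_subdomain_floods(lines, min_distinct=3):
    """Return {(client, parent): n} where one client asked for at least
    min_distinct different leftmost labels under the same parent name.
    Legitimate traffic repeats the same label (cache hits); the flood
    described in the question never repeats one."""
    seen = defaultdict(set)
    for client, qname in parse_queries(lines):
        seen[(client, parent_zone(qname))].add(qname.split(".", 1)[0])
    return {k: len(v) for k, v in seen.items() if len(v) >= min_distinct}

# Constructed sample: one flooding source plus one normal client.
SAMPLE = [
    "15:43:38.473842 IP 192.0.2.10.51097 > 198.51.100.53.domain: 42318+ A? qhmrazabkvghwtgv.www.dl26.com. (47)",
    "15:43:38.474161 IP 192.0.2.10.40825 > 198.51.100.53.domain: 14848+ A? yzqxqtklodgzuv.www.dl26.com. (45)",
    "15:43:38.474443 IP 192.0.2.10.34094 > 198.51.100.53.domain: 35692+ A? pqwoeirutyal.www.dl26.com. (43)",
    "15:43:38.474953 IP 192.0.2.10.39432 > 198.51.100.53.domain: 7105+ A? inahybijsvqt.www.sf97.net. (43)",
    "15:43:39.101001 IP 192.0.2.20.53001 > 198.51.100.53.domain: 1001+ A? www.example.com. (33)",
    "15:43:39.201001 IP 192.0.2.20.53002 > 198.51.100.53.domain: 1002+ A? www.example.com. (33)",
    "15:43:39.301001 IP 192.0.2.20.53003 > 198.51.100.53.domain: 1003+ A? www.example.com. (33)",
]

if __name__ == "__main__":
    for (client, parent), n in find_random_subdomain_floods(SAMPLE).items():
        print(f"{client} asked for {n} distinct labels under {parent}")
```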

From http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/:

many PowerDNS installations on Linux are configured to consume (far) more filedescriptors than are actually available ... To fix, there are four options:

  1. Reduce max-mthreads to 512 (or threads to 1 and max-mthreads to 1024) (max-mthreads was introduced in Recursor 3.2; but if you are running a version that old, please upgrade it!)
  2. Run 'ulimit -n 32768' before starting (perhaps put this in /etc/init.d/ script). There's little reason to skip on this number.
  3. Investigate defaults in /etc/security/limits.conf
  4. Apply the patch in https://github.com/Habbie/pdns/commit/e24b124a4c7b49f38ff8bcf6926cd69077d16ad8

From http://blog.powerdns.com/2014/04/03/further-dos-guidance-packages-and-patches-available/ (paraphrasing):

Install recursor from git head (snapshots at various URLs listed in the article or find one yourself at https://autotest.powerdns.com/), or in time, released versions 3.5.4 or up. Then set server-down-max-fails to a suitable number. We recommend 32, or 16 when under heavy attack.

Habbie
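To turn the guidance quoted above into something checkable, here is an added example (not from PowerDNS or the answer author) that parses a recursor.conf, compares threads*max-mthreads against the process open-file limit, and checks server-down-max-fails. The defaults it assumes when a key is absent (threads=2, max-mthreads=2048) and the use of the product as a rough descriptor estimate are assumptions; the sample configs are constructed.

```python
import resource  # Unix only; RLIMIT_NOFILE is what 'ulimit -n' sets

def parse_recursor_conf(text):
    """Parse key=value lines of a PowerDNS Recursor config; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def current_nofile_limit():
    """Soft open-file limit of this process (the value 'ulimit -n' reports)."""
    return resource.getrlimit(resource.RLIMIT_NOFILE)[0]

def check_dos_guidance(settings, nofile_limit):
    """Return a list of findings; an empty list means the config follows the
    quoted guidance. Defaults used for missing keys are assumptions."""
    findings = []
    threads = int(settings.get("threads", 2))
    mthreads = int(settings.get("max-mthreads", 2048))
    # Assumption: every mthread may hold an outstanding socket, so the
    # product approximates how many descriptors the recursor may want.
    want = threads * mthreads
    if want > nofile_limit:
        findings.append(
            f"threads*max-mthreads={want} exceeds open-file limit {nofile_limit}: "
            "lower max-mthreads or raise 'ulimit -n' (guidance: 32768)"
        )
    fails = settings.get("server-down-max-fails")
    if fails is None:
        findings.append("server-down-max-fails unset; guidance recommends 32 (16 under heavy attack)")
    elif int(fails) > 32:
        findings.append(f"server-down-max-fails={fails} is above the recommended 32")
    return findings

# Constructed configs: a typical pre-guidance one and one following it.
WEAK_CONF = "threads=2\nmax-mthreads=2048   # default-ish\nlocal-address=127.0.0.1\n"
FIXED_CONF = "threads=1\nmax-mthreads=1024\nserver-down-max-fails=32\n"

if __name__ == "__main__":
    for name, conf, limit in (("weak", WEAK_CONF, 1024), ("fixed", FIXED_CONF, 32768)):
        print(name, check_dos_guidance(parse_recursor_conf(conf), limit) or "OK")
```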

What you can do is block that client from getting to the name server. An alternative solution would be to clean the client system(s). Personally I suggest doing the second thing; the first would only be nice if you redirect the client to an IP that serves a page warning them and helping them to solve the issue.

Mark