I have a business need to provide an open and recursive DNS. This DNS has of course been heavily abused by DNS amplification attacks, resulting in 5-10 Mbps sustained outbound load only caused by spoofed ANY requests. I thus had to find a solution to cope with this at least to a point where abuse is minimal. I'm assuming there are other people out there having the same problem, so I'd like to share my approach as it seems to be the only publicly shared approach that goes beyond the usual advice of "don't operate an open recursive DNS"... which isn't helpful at all.
I'm thus looking for approaches that allow me to maintain an operating open recursive DNS, while at the same time minimising the impact any attempted exploits might have.
Does anyone know of any other solutions?
My approach is simply to automate what I do by hand when I discover an amplification attack:
run tcpdump to determine the characteristics of the outgoing traffic. Once you've convinced yourself that it is indeed DNS ANY requests, capture them using e.g. this:
tcpdump -n udp dst port 53 | grep ANY
then use iptables to drop the outgoing traffic with said characteristics.
I discovered that the vast majority of script kiddies use what I can only surmise is some out-of-the-box DNS amp template script which probably has an "insert destination port here" line... thus limiting the output to one specific target port. When that is the case, it's as simple as identifying that port, and blocking any UDP traffic that originates from port 53 (DNS) to that target port. Failing that, you can drop all traffic to destination IP addresses that your tcpdump has revealed to be "requesting" repeated ANY DNS queries - there's not much legitimate use of that anyway.
There is a chance that you block legitimate traffic with this; there is also a chance that some abuse still gets through in between the tcpdump capture times. But that's a minor price to pay considering the alternative.
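The automation sketched above, written out as an added example (not code from the original post): it parses tcpdump's one-line query summaries, counts ANY queries per source address, and emits the two kinds of iptables DROP rules described, narrowed slightly so the port rule is scoped to the victim IP rather than to the port alone. The capture lines, the threshold and the 90% single-port heuristic are constructed assumptions.

```python
import re
from collections import Counter
# One-line tcpdump DNS query summary (IPv4), e.g.
#   12:00:01.000001 IP 203.0.113.5.80 > 198.51.100.1.53: 4660+ ANY? example.net. (29)
QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"\d+\.\d+\.\d+\.\d+\.53: \S+ (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
)

# Constructed sample capture: one spoofed victim hammered on a fixed port,
# one on varying ports, plus ordinary traffic that must not be blocked.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 203.0.113.5.80 > 198.51.100.1.53: 4660+ ANY? example.net. (29)
12:00:01.000002 IP 203.0.113.5.80 > 198.51.100.1.53: 4661+ ANY? example.net. (29)
12:00:01.000003 IP 203.0.113.5.80 > 198.51.100.1.53: 4662+ ANY? example.net. (29)
12:00:01.000004 IP 203.0.113.9.1001 > 198.51.100.1.53: 7+ ANY? example.net. (29)
12:00:01.000005 IP 203.0.113.9.1002 > 198.51.100.1.53: 8+ ANY? example.net. (29)
12:00:01.000006 IP 203.0.113.9.1003 > 198.51.100.1.53: 9+ ANY? example.net. (29)
12:00:01.000007 IP 192.0.2.10.40001 > 198.51.100.1.53: 1+ A? example.com. (29)
12:00:01.000008 IP 192.0.2.10.40002 > 198.51.100.1.53: 2+ ANY? example.com. (29)
""".splitlines()

def parse_any_queries(lines):
    """Yield (src_ip, src_port, qname) for every ANY query in tcpdump output."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m.group("qtype") == "ANY":
            yield m.group("src"), int(m.group("sport")), m.group("qname")

def find_abusers(lines, threshold=3):
    """Map each source IP sending >= threshold ANY queries to its count and
    source-port histogram; spoofed sources are the victims our replies flood."""
    counts, ports = Counter(), {}
    for src, sport, _ in parse_any_queries(lines):
        counts[src] += 1
        ports.setdefault(src, Counter())[sport] += 1
    return {ip: {"count": n, "ports": dict(ports[ip])}
            for ip, n in counts.items() if n >= threshold}

def iptables_rules(abusers, port_share=0.9):
    """Build OUTPUT-chain DROP rules for our port-53 UDP replies: one port if
    nearly all queries from the victim used a fixed source port, else the whole IP."""
    rules = []
    for ip, info in sorted(abusers.items()):
        port, n = max(info["ports"].items(), key=lambda kv: kv[1])
        if n / info["count"] >= port_share:
            rules.append(f"iptables -A OUTPUT -p udp --sport 53 -d {ip} --dport {port} -j DROP")
        else:
            rules.append(f"iptables -A OUTPUT -p udp --sport 53 -d {ip} -j DROP")
    return rules
```

Feed it `tcpdump -n -l udp dst port 53` output in a cron job or a pipe, and review the generated rules before applying them, since a victim address that later stops being abused still has to be unblocked.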