Date: Thu, 04 Jun 2015 11:33:35 -0400
From: Ernie Luzar <luzar722@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: port 53 under attack
Message-ID: <55706FCF.9050904@gmail.com>
In-Reply-To: <556FF291.7070007@FreeBSD.org>
References: <556F87A6.8090105@a1poweruser.com> <556FF291.7070007@FreeBSD.org>
On 6/4/2015 2:39 AM, Matthew Seaman wrote:
> On 04/06/2015 00:03, joeb1 wrote:
>> My firewall blocks unsolicited inbound traffic on port 53. I realize
>> this is the DNS port. But I am getting over 200K hits per day from ip
>> addresses from all over the world. My host has a dynamic ip address. Is
>> there any valid reason for this to be happening?
>
> The usual reason for this sort of traffic is using the DNS as a traffic
> amplifier. The bad guys can send a small request eg for
>
> 'IN NS .'
>
> and get a response listing all the root nameservers, which is very much
> larger. Couple that with the UDP nature of DNS lookups, meaning it is
> simple to put a fake from address on the DNS packets, and the response
> is easily directed towards the target of choice.
>
> The cure for this is not to run an open resolver. DNS servers come in
> two different flavours:
>
> authoritative: which will respond to queries from anywhere in the
> net, but only for the zones they hold the data for.
>
> recursive: will respond to a limited range of clients for queries
> about any data in the DNS.
>
> Depending on the role your nameserver is performing[*], you'll need
> different configurations for either of these. You should also control
> network traffic to port 53 using firewall rules appropriately for either
> case: for instance, for a recursive resolver handling queries from hosts
> inside your firewall (probably the most common scenario) you can use a
> stateful firewall rule that triggers on the first /outgoing/ DNS packet,
> but that denies query initiation from inside.
>
> See:
>
> https://www.dns-oarc.net/wiki/mitigating-dns-denial-of-service-attacks
>
> for a more in-depth discussion and links to documents showing how to
> configure either type of resolver securely.
>
> Cheers,
>
> Matthew
>
> [*] It's a really bad idea to try and configure a resolver to do both
> recursive and authoritative roles.
>

I am NOT running a dns server.
So all these inbound hits on port 53 are just bad guys fishing for an open DNS server, and blocking them like I am doing is the correct thing to do?
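As an added illustration (not part of the original thread), the following script shows how a host in Ernie's position can confirm from its own firewall log what kind of port-53 traffic it is dropping. It parses FreeBSD ipfw `log` lines and separates two cases that the quoted explanation makes relevant: inbound packets aimed at our port 53 (probes looking for an open resolver) and unsolicited inbound packets coming from a remote port 53 (answers we never asked for, which suggest our address is being spoofed as the target of the amplified replies). The log lines below are constructed samples with documentation IP addresses; the rule numbers and interface name are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in ipfw "log" format (not from the original message).
# Rule 100 and 200 are assumed to be "deny log" rules on interface em0.
SAMPLE_LOG = """\
Jun  4 01:02:03 host kernel: ipfw: 100 Deny UDP 203.0.113.7:41022 198.51.100.5:53 in via em0
Jun  4 01:02:04 host kernel: ipfw: 100 Deny UDP 203.0.113.7:41023 198.51.100.5:53 in via em0
Jun  4 01:05:11 host kernel: ipfw: 100 Deny UDP 192.0.2.99:53 198.51.100.5:53 in via em0
Jun  4 02:10:00 host kernel: ipfw: 100 Deny UDP 198.51.100.77:53 198.51.100.5:33014 in via em0
Jun  4 02:10:01 host kernel: ipfw: 100 Deny TCP 203.0.113.7:50000 198.51.100.5:53 in via em0
Jun  4 03:00:00 host kernel: ipfw: 200 Deny TCP 203.0.113.50:4444 198.51.100.5:22 in via em0
"""

# Syslog date prefix ("Jun  4") followed later by the ipfw summary.
DATE_RE = re.compile(r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d+)")
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_log(text):
    """Turn ipfw log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("rule", "sport", "dport"):
            rec[key] = int(rec[key])
        d = DATE_RE.match(line)
        rec["day"] = f"{d.group('month')} {d.group('day')}" if d else "unknown"
        records.append(rec)
    return records


def classify(rec):
    """Label an inbound packet by its relation to DNS.

    'probe'   : a query aimed at our port 53 (UDP or TCP): someone looking
                for an open resolver, i.e. the traffic the poster sees blocked.
    'reflect' : an unsolicited answer from a remote port 53: a sign that our
                address is being used as the spoofed target of amplified replies.
    None      : not DNS-related (or not inbound).
    """
    if rec["dir"] != "in":
        return None
    if rec["dport"] == 53:
        return "probe"
    if rec["sport"] == 53:
        return "reflect"
    return None


def summarize(records, top_n=5):
    """Count probes and reflections, per-day volume, and the noisiest sources."""
    counts = Counter()
    per_day = Counter()
    probe_sources = Counter()
    for rec in records:
        label = classify(rec)
        if label is None:
            continue
        counts[label] += 1
        per_day[rec["day"]] += 1
        if label == "probe":
            probe_sources[rec["src"]] += 1
    return {
        "probe": counts["probe"],
        "reflect": counts["reflect"],
        "per_day": dict(per_day),
        "top_probe_sources": probe_sources.most_common(top_n),
    }


if __name__ == "__main__":
    summary = summarize(parse_ipfw_log(SAMPLE_LOG))
    print(f"queries to our port 53 (probes):        {summary['probe']}")
    print(f"unsolicited answers from port 53:        {summary['reflect']}")
    print(f"DNS-related drops per day:               {summary['per_day']}")
    print("noisiest probe sources:")
    for src, n in summary["top_probe_sources"]:
        print(f"  {src:15} {n}")
```

On a real host the input would be the rotated `/var/log/security` (or wherever syslog sends `ipfw:` messages), and the interesting signal is the ratio: a large "probe" count with a near-zero "reflect" count is the scanning noise described in the thread and is correctly dropped; a rising "reflect" count, especially with large UDP packets, is worth investigating because it means someone else's reflection traffic is being pointed at you.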