Date:      Thu, 04 Jun 2015 10:32:42 -0700
From:      Dennis Glatting <freebsd@pki2.com>
To:        Ernie Luzar <luzar722@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: port 53 under attack
Message-ID:  <1433439162.48400.0.camel@pki2.com>
In-Reply-To: <55706FCF.9050904@gmail.com>
References:  <556F87A6.8090105@a1poweruser.com> <556FF291.7070007@FreeBSD.org> <55706FCF.9050904@gmail.com>

On Thu, 2015-06-04 at 11:33 -0400, Ernie Luzar wrote:
> On 6/4/2015 2:39 AM, Matthew Seaman wrote:
> > On 04/06/2015 00:03, joeb1 wrote:
> >> My firewall blocks unsolicited inbound traffic on port 53. I realize
> >> this is the DNS port. But I am getting over 200K hits per day from ip
> >> addresses from all over the world. My host has a dynamic ip address. Is
> >> there any valid reason for this to be happening?
> > The usual reason for this sort of traffic is using the DNS as a traffic
> > amplifier.  The bad guys can send a small request eg for
> >
> >     'IN NS .'
> >
> > and get a response listing all the root nameservers, which is very much
> > larger.  Couple that with the UDP nature of DNS lookups, meaning it is
> > simple to put a fake from address on the DNS packets, and the response
> > is easily directed towards the target of choice.
> >
> > The cure for this is not to run an open resolver.  DNS servers come in
> > two different flavours:
> >
> >     authoritative:  which will respond to queries from anywhere in the
> >        net, but only for the zones they hold the data for.
> >
> >     recursive:  will respond to a limited range of clients for queries
> >        about any data in the DNS.
> >
> > Depending on the role your nameserver is performing[*], you'll need
> > different configurations for either of these.  You should also control
> > network traffic to port 53 using firewall rules appropriately for either
> > case: for instance, for a recursive resolver handling queries from hosts
> > inside your firewall (probably the most common scenario) you can use a
> > stateful firewall rule that triggers on the first /outgoing/ DNS packet,
> > but that denies query initiation from inside.
> >
> > See:
> >
> >   https://www.dns-oarc.net/wiki/mitigating-dns-denial-of-service-attacks
> >
> > for a more in-depth discussion and links to documents showing how to
> > configure either type of resolver securely.
> >
> > 	Cheers,
> >
> > 	Matthew
> >
> > [*] It's a really bad idea to try and configure a resolver to do both
> > recursive and authoritative roles.
> >
> >
> 
> I am NOT running a DNS server. So all these inbound hits on port 53 are
> just bad guys fishing for an open DNS server, and blocking them like I am
> doing is the correct thing to do?
> 

Don't send ICMP failures. Just drop the packets.
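The ruleset below is an added illustration of the two points made in this thread (Matthew's stateful rule that lets DNS out but never lets a query in, and Dennis's advice to drop rather than reply). It is not from any poster, and it assumes a FreeBSD host running pf whose external interface is `em0`; the interface name and the LAN prefix are placeholders for your own values.

```pf
# /etc/pf.conf fragment -- added example, not taken from the thread.
# Assumed names: em0 is the Internet-facing interface, 192.168.1.0/24 the LAN.
ext_if  = "em0"
lan_net = "192.168.1.0/24"

# Answer blocked packets with silence, not ICMP unreachable or TCP RST.
# "return" would let scanners confirm a live host and costs you a packet per probe.
set block-policy drop
set skip on lo0

# Default deny on the external interface, logged so hit counts stay visible.
block drop in log on $ext_if all

# Stateful DNS: a lookup initiated from this host (or from a recursive
# resolver on it serving the LAN) opens a state entry; only the matching
# reply gets back in. No rule admits a query that arrives first from outside.
pass out on $ext_if proto { udp, tcp } from ($ext_if) to any port 53 keep state

# Hosts on the LAN reach the resolver on this box; nothing from $ext_if does.
pass in quick on ! $ext_if proto { udp, tcp } from $lan_net to ($ext_if) port 53 keep state

# Deliberately absent: "pass in on $ext_if proto udp to any port 53".
# Adding it would turn the resolver into an open reflector for the
# amplification traffic described above.
```

Load it with `pfctl -nf /etc/pf.conf` to check syntax first, then `pfctl -f /etc/pf.conf`. The logged blocks land in `/var/log/pflog`; `tcpdump -n -e -ttt -r /var/log/pflog port 53` shows the probes by source address, and `pfctl -vsr` shows per-rule match counters, which is enough to confirm the port 53 noise is being dropped without a reply.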
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1433439162.48400.0.camel>