From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Date: Thu, 04 Jun 2015 07:39:13 +0100
Subject: Re: port 53 under attack
Message-ID: <556FF291.7070007@FreeBSD.org>
In-Reply-To: <556F87A6.8090105@a1poweruser.com>

On 04/06/2015 00:03, joeb1 wrote:
> My firewall blocks unsolicited inbound traffic on port 53. I realize
> this is the DNS port. But I am getting over 200K hits per day from ip
> addresses from all over the world. My host has a dynamic ip address. Is
> there any valid reason for this to be happening?

The usual reason for this sort of traffic is using the DNS as a traffic
amplifier. The bad guys can send a small request, e.g. for 'IN NS .', and
get a response listing all the root nameservers, which is very much
larger. Couple that with the UDP nature of DNS lookups, meaning it is
simple to put a fake from address on the DNS packets, and the response is
easily directed towards the target of choice.

The cure for this is not to run an open resolver. DNS servers come in two
different flavours:

  authoritative: will respond to queries from anywhere in the net, but
                 only for the zones they hold the data for.

  recursive:     will respond to a limited range of clients for queries
                 about any data in the DNS.
Depending on the role your nameserver is performing[*], you'll need
different configurations for either of these. You should also control
network traffic to port 53 using firewall rules appropriately for either
case: for instance, for a recursive resolver handling queries from hosts
inside your firewall (probably the most common scenario) you can use a
stateful firewall rule that triggers on the first /outgoing/ DNS packet,
but that denies query initiation from inside.

See: https://www.dns-oarc.net/wiki/mitigating-dns-denial-of-service-attacks
for a more in-depth discussion and links to documents showing how to
configure either type of resolver securely.

	Cheers,

	Matthew

[*] It's a really bad idea to try and configure a resolver to do both
recursive and authoritative roles.
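An added, offline illustration of the amplification point Matthew makes (this is example code written for this page, not code from the thread or from any FreeBSD project): it builds the 17-byte 'IN NS .' query in DNS wire format, constructs the kind of response an open recursive resolver would return (one NS record per root server, with RFC 1035 name compression), parses the response back, and compares the two sizes. Assumptions: the root-server names are the real a.root-servers.net through m.root-servers.net, but the response is a simplified reconstruction (answer section only, no glue records in the additional section, fixed TTL), so the real ratio is larger still. Nothing is sent on the network; the parsed RA ("recursion available") flag is the property a resolver should not expose to arbitrary outside clients, which is what the recursion-scoping and firewall advice above prevents.

```python
"""Measure the amplification an open resolver offers for '. IN NS'.
Constructed example: every packet here is built in memory with the
standard library; nothing is transmitted."""
import struct

# Real root-server names; the response layout below is a simplified reconstruction.
ROOT_SERVERS = [f"{c}.root-servers.net" for c in "abcdefghijklm"]


def encode_name(name):
    """Encode a domain name as DNS labels terminated by a zero byte."""
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname=".", qtype=2, txid=0x1234, rd=True):
    """Minimal query: 12-byte header plus one question. qtype 2 = NS."""
    flags = 0x0100 if rd else 0x0000  # RD bit: ask for recursion
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_root_ns_response(query, ttl=518400):
    """Constructed answer to the query: QR=1, RA=1 (a recursive resolver
    that offers recursion) and one NS RR per root server.  Each RR names
    the owner via a pointer to the question name (offset 12); after the
    first RR the shared 'root-servers.net' suffix is also a pointer."""
    (txid,) = struct.unpack("!H", query[:2])
    flags = 0x8180  # QR | RD | RA
    body = struct.pack("!HHHHHH", txid, flags, 1, len(ROOT_SERVERS), 0, 0)
    body += query[12:]  # copy the question section verbatim
    suffix_offset = None
    for i, name in enumerate(ROOT_SERVERS):
        if i == 0:
            rdata = encode_name(name)
            # 2 (owner ptr) + 8 (type, class, ttl) + 2 (rdlength) + 2 (label "a")
            suffix_offset = len(body) + 14
        else:
            first_label = encode_name(name)[:2]  # e.g. b"\x01b"
            rdata = first_label + struct.pack("!H", 0xC000 | suffix_offset)
        body += b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, ttl, len(rdata)) + rdata
    return body


def decode_name(packet, offset):
    """Decode a possibly compressed name; return (name, offset after it).
    When a pointer is followed, the returned offset is the byte after the
    first pointer, so the caller keeps parsing the enclosing record."""
    labels, end, hops = [], None, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) or ".", (end if end is not None else offset)


def parse_response(packet):
    """Parse header, question and answer sections; return flags and NS names."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(packet, offset)
        offset += 4  # QTYPE, QCLASS
    names = []
    for _ in range(an):
        _, offset = decode_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == 2:
            names.append(decode_name(packet, offset)[0])
        offset += rdlen
    return {"qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "ancount": an, "ns_names": names}


def amplification_factor(query, response):
    """Bytes returned per byte sent: the ratio an attacker gets for free."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query()
    r = build_root_ns_response(q)
    info = parse_response(r)
    print(f"query {len(q)} bytes, response {len(r)} bytes, "
          f"{amplification_factor(q, r):.1f}x, RA={info['ra']}, "
          f"{info['ancount']} NS records")
```

Even this stripped-down answer is about fourteen times the size of the question; a resolver that also returns the root servers' A and AAAA glue pushes the ratio much higher, which is why the sizes, not the hit count, are what make an open resolver attractive. A useful self-check for a resolver you operate is whether a query from outside your intended client range gets any answer with RA set at all; with recursion restricted and the inbound-port-53 rule described above, it should not.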