From owner-freebsd-questions@FreeBSD.ORG Thu Jun 4 15:33:31 2015
Message-ID: <55706FCF.9050904@gmail.com>
Date: Thu, 04 Jun 2015 11:33:35 -0400
From: Ernie Luzar <luzar722@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: port 53 under attack
References: <556F87A6.8090105@a1poweruser.com> <556FF291.7070007@FreeBSD.org>
In-Reply-To: <556FF291.7070007@FreeBSD.org>

On 6/4/2015 2:39 AM, Matthew Seaman wrote:
> On 04/06/2015 00:03, joeb1 wrote:
>> My firewall blocks unsolicited inbound traffic on port 53. I realize
>> this is the DNS port. But I am getting over 200K hits per day from IP
>> addresses from all over the world. My host has a dynamic IP address. Is
>> there any valid reason for this to be happening?
>
> The usual reason for this sort of traffic is using the DNS as a traffic
> amplifier. The bad guys can send a small request, e.g. for
>
> 'IN NS .'
>
> and get a response listing all the root nameservers, which is very much
> larger. Couple that with the UDP nature of DNS lookups, meaning it is
> simple to put a fake from address on the DNS packets, and the response
> is easily directed towards the target of choice.
>
> The cure for this is not to run an open resolver. DNS servers come in
> two different flavours:
>
> authoritative: which will respond to queries from anywhere in the
> net, but only for the zones they hold the data for.
>
> recursive: will respond to a limited range of clients for queries
> about any data in the DNS.
>
> Depending on the role your nameserver is performing[*], you'll need
> different configurations for either of these. You should also control
> network traffic to port 53 using firewall rules appropriately for either
> case: for instance, for a recursive resolver handling queries from hosts
> inside your firewall (probably the most common scenario) you can use a
> stateful firewall rule that triggers on the first /outgoing/ DNS packet,
> but that denies query initiation from inside.
>
> See:
>
> https://www.dns-oarc.net/wiki/mitigating-dns-denial-of-service-attacks
>
> for a more in-depth discussion and links to documents showing how to
> configure either type of resolver securely.
>
> Cheers,
>
> Matthew
>
> [*] It's a really bad idea to try and configure a resolver to do both
> recursive and authoritative roles.
>

I am NOT running a DNS server. So all these inbound hits on port 53 are
just bad guys fishing for an open DNS server, and blocking them like I am
doing is the correct thing to do?
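Matthew's amplification explanation above, worked through in code. This is an added example and not code from the thread, from any of its participants, or from FreeBSD. It encodes the tiny '. IN NS' query in DNS wire format, builds a constructed minimal response (the 13 root NS records, no additional-section glue, so a real response is larger still and the ratio shown is a lower bound), parses both, and flags the query shapes a reflection probe typically sends. All function names, the sample packets and the classifier heuristics are my own choices.

```python
"""DNS wire-format helpers for reasoning about reflection/amplification.

Added example, not code from the thread. The response built here is a
constructed minimal answer (13 NS records, no glue); a real root NS
response carries glue records and is larger, so the ratio is a lower bound.
"""
import struct

QTYPE_A = 1
QTYPE_NS = 2
QTYPE_ANY = 255
QCLASS_IN = 1
# The 13 root server hostnames (a to m), a well-known public fact.
ROOT_SERVERS = [f"{letter}.root-servers.net" for letter in "abcdefghijklm"]


def encode_name(name):
    """Encode a dotted hostname as DNS labels; '' or '.' is the root name."""
    if name in ("", "."):
        return b"\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def decode_name(msg, offset):
    """Decode a (possibly compressed) name at offset; return (name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            suffix, _ = decode_name(msg, ptr)
            if suffix != ".":
                labels.append(suffix)
            offset += 2
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) or ".", offset


def build_query(qname, qtype, txid=0x1234):
    """Standard query, RD set, one question: what a client (or attacker) sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def build_root_ns_response(query):
    """Constructed minimal answer to '. IN NS': 13 NS RRs, no glue records."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ROOT_SERVERS), 0, 0)
    question = query[12:]  # the single question section, copied back verbatim
    answers = b""
    for host in ROOT_SERVERS:
        rdata = encode_name(host)
        # 0xC00C is a compression pointer to the question name at offset 12 (".")
        answers += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_NS, QCLASS_IN, 518400, len(rdata)) + rdata
    return header + question + answers


def parse_query(packet):
    """Parse header flags and the single question of a DNS query."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"txid": txid, "rd": bool(flags & 0x0100), "qname": qname, "qtype": qtype, "qclass": qclass}


def parse_answers(packet):
    """Return (owner, type, target-name) for each answer RR; target only for NS."""
    ancount = struct.unpack("!H", packet[6:8])[0]
    _, off = decode_name(packet, 12)
    off += 4  # skip qtype/qclass of the single question
    out = []
    for _ in range(ancount):
        owner, off = decode_name(packet, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        target = decode_name(packet, off)[0] if rtype == QTYPE_NS else None
        out.append((owner, rtype, target))
        off += rdlen
    return out


def amplification_factor(query, response):
    """Bytes reflected towards the spoofed source per byte the attacker sent."""
    return len(response) / len(query)


def classify(packet):
    """Reason string if the query looks like a reflection probe, else None."""
    q = parse_query(packet)
    if q["qtype"] == QTYPE_ANY:
        return "ANY query: asks for the largest possible answer"
    if q["qname"] == "." and q["qtype"] == QTYPE_NS:
        return "root NS query: the 'IN NS .' amplifier described in the thread"
    return None


if __name__ == "__main__":
    q = build_query(".", QTYPE_NS)
    r = build_root_ns_response(q)
    print(len(q), "byte query ->", len(r), "byte reply, x%.1f" % amplification_factor(q, r))
    for pkt in (q, build_query("example.com", QTYPE_ANY), build_query("www.example.com", QTYPE_A)):
        print(parse_query(pkt)["qname"], classify(pkt))
```

The classifier only sees the DNS payload, and nothing in that payload reveals that the UDP source address was forged; that is exactly why the advice in the reply is a stateful firewall rule plus not running an open resolver, rather than anything the nameserver could decide from the query alone.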