From owner-freebsd-questions@FreeBSD.ORG Thu Jun 4 17:33:05 2015
Subject: Re: port 53 under attack
From: Dennis Glatting
To: Ernie Luzar
Cc: freebsd-questions@freebsd.org
Date: Thu, 04 Jun 2015 10:32:42 -0700
Message-ID: <1433439162.48400.0.camel@pki2.com>
In-Reply-To: <55706FCF.9050904@gmail.com>
References: <556F87A6.8090105@a1poweruser.com> <556FF291.7070007@FreeBSD.org> <55706FCF.9050904@gmail.com>
List-Id: User questions <freebsd-questions@freebsd.org>

On Thu, 2015-06-04 at 11:33 -0400, Ernie Luzar wrote:
> On 6/4/2015 2:39 AM, Matthew Seaman wrote:
> > On 04/06/2015 00:03, joeb1 wrote:
> >> My firewall blocks unsolicited inbound traffic on port 53. I realize
> >> this is the DNS port. But I am getting over 200K hits per day from IP
> >> addresses from all over the world. My host has a dynamic IP address. Is
> >> there any valid reason for this to be happening?
> >
> > The usual reason for this sort of traffic is using the DNS as a traffic
> > amplifier. The bad guys can send a small request, e.g. for
> >
> > 'IN NS .'
> >
> > and get a response listing all the root nameservers, which is very much
> > larger. Couple that with the UDP nature of DNS lookups, meaning it is
> > simple to put a fake from address on the DNS packets, and the response
> > is easily directed towards the target of choice.
> >
> > The cure for this is not to run an open resolver. DNS servers come in
> > two different flavours:
> >
> > authoritative: which will respond to queries from anywhere in the
> > net, but only for the zones they hold the data for.
> >
> > recursive: will respond to a limited range of clients for queries
> > about any data in the DNS.
> >
> > Depending on the role your nameserver is performing[*], you'll need
> > different configurations for either of these. You should also control
> > network traffic to port 53 using firewall rules appropriately for either
> > case: for instance, for a recursive resolver handling queries from hosts
> > inside your firewall (probably the most common scenario) you can use a
> > stateful firewall rule that triggers on the first /outgoing/ DNS packet,
> > but that denies query initiation from inside.
> >
> > See:
> >
> > https://www.dns-oarc.net/wiki/mitigating-dns-denial-of-service-attacks
> >
> > for a more in-depth discussion and links to documents showing how to
> > configure either type of resolver securely.
> >
> > Cheers,
> >
> > Matthew
> >
> > [*] It's a really bad idea to try and configure a resolver to do both
> > recursive and authoritative roles.
>
> I am NOT running a DNS server. So all these inbound hits on port 53 are
> just bad guys fishing for an open DNS server, and blocking them like I am
> doing is the correct thing to do?

Don't send ICMP failures. Just drop the packets.
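As an added example (not code from the thread or any of its participants), here is a minimal FreeBSD pf.conf fragment that implements the advice above for a host that runs no DNS server: outbound DNS is allowed statefully, and unsolicited inbound port 53 traffic is dropped silently rather than answered. The interface name em0 is an assumption.

```pf
# Added example, not from the mailing-list thread. Assumes the external
# interface is em0; adjust to taste.
ext_if = "em0"

# Discard blocked packets silently. "return" would answer every scan with an
# ICMP port-unreachable (UDP) or RST (TCP), confirming the host is alive.
set block-policy drop

# Default deny for everything arriving on the external interface.
block in on $ext_if

# Unsolicited DNS probes from the Internet: drop, no response, stop here.
block drop in quick on $ext_if proto { udp, tcp } to port 53

# Stateful rule: the first outgoing DNS query creates a state entry and only
# the matching reply is let back in. Nobody outside can initiate a DNS
# exchange with this host. The parenthesised interface tracks a dynamic IP.
pass out on $ext_if proto { udp, tcp } from ($ext_if) to any port 53 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -vsr` shows per-rule counters, so the `block drop` rule's counter gives a rough measure of the scanning volume.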