Date:      Thu, 04 Jun 2015 07:39:13 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: port 53 under attack
Message-ID:  <556FF291.7070007@FreeBSD.org>
In-Reply-To: <556F87A6.8090105@a1poweruser.com>
References:  <556F87A6.8090105@a1poweruser.com>


On 04/06/2015 00:03, joeb1 wrote:
> My firewall blocks unsolicited inbound traffic on port 53. I realize
> this is the DNS port. But I am getting over 200K hits per day from ip
> addresses from all over the world. My host has a dynamic ip address. Is
> there any valid reason for this to be happening?

The usual reason for this sort of traffic is using the DNS as a traffic
amplifier.  The bad guys can send a small request, e.g. for

   'IN NS .'

and get a response listing all the root nameservers, which is very much
larger.  Couple that with the UDP nature of DNS lookups, meaning it is
simple to put a fake from address on the DNS packets, and the response
is easily directed towards the target of choice.

The cure for this is not to run an open resolver.  DNS servers come in
two different flavours:

   authoritative:  which will respond to queries from anywhere in the
      net, but only for the zones they hold the data for.

   recursive:  will respond to a limited range of clients for queries
      about any data in the DNS.

Depending on the role your nameserver is performing[*], you'll need
different configurations for either of these.  You should also control
network traffic to port 53 using firewall rules appropriately for either
case: for instance, for a recursive resolver handling queries from hosts
inside your firewall (probably the most common scenario) you can use a
stateful firewall rule that triggers on the first /outgoing/ DNS packet,
but that denies query initiation from inside.

See:

 https://www.dns-oarc.net/wiki/mitigating-dns-denial-of-service-attacks

for a more in-depth discussion and links to documents showing how to
configure either type of resolver securely.

	Cheers,

	Matthew

[*] It's a really bad idea to try and configure a resolver to do both
recursive and authoritative roles.






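As an added example (not part of Matthew's reply, and not FreeBSD or BIND code), the following Python script checks a resolver's query log for the situation his reply describes: recursion-desired queries arriving from addresses outside the networks the resolver is meant to serve, and in particular the small queries such as `. IN NS` or `ANY` whose answers are far larger than the request. The log lines are constructed in the BIND 9 `queries` category format, and the allowed client networks (`ALLOWED_CLIENTS`) and the flagging threshold are assumptions for the example.

```python
"""Check BIND-style query logs for signs that a recursive resolver is open to
the world and being used as a DNS amplifier.  Sample data is constructed."""
import ipaddress
import re
from collections import Counter

# Networks entitled to recursive service (an assumption for this example;
# substitute the resolver's real allow-recursion / firewall ranges).
ALLOWED_CLIENTS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Query types whose answers are usually many times larger than the request,
# which is what makes them attractive to whoever abuses an open resolver.
AMPLIFYING_QTYPES = {"ANY", "NS", "DNSKEY", "TXT", "RRSIG"}

# Shape of a BIND 9 'queries' category line.  The "@0x..." client handle and
# the "(name)" field appear only in newer versions, so both are optional.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample log: two inside clients, one outside host repeating the
# tiny "IN NS ." query, one sending ANY queries, and one stray outside A query.
SAMPLE_LOG = """\
04-Jun-2015 00:03:12.001 client 192.0.2.10#40211 (www.freebsd.org): query: www.freebsd.org IN A + (192.0.2.1)
04-Jun-2015 00:03:12.105 client 192.0.2.10#40212 (.): query: . IN NS + (192.0.2.1)
04-Jun-2015 00:03:12.340 client 2001:db8::5#51000 (example.net): query: example.net IN AAAA + (2001:db8::1)
04-Jun-2015 00:03:13.410 client 198.51.100.7#53: query: . IN NS + (192.0.2.1)
04-Jun-2015 00:03:13.411 client 198.51.100.7#53: query: . IN NS + (192.0.2.1)
04-Jun-2015 00:03:13.412 client 198.51.100.7#53: query: . IN NS + (192.0.2.1)
04-Jun-2015 00:03:13.413 client 198.51.100.7#53: query: . IN NS + (192.0.2.1)
04-Jun-2015 00:03:14.020 client @0x7f8a1c0009e0 203.0.113.9#53 (isc.org): query: isc.org IN ANY +E(0) (192.0.2.1)
04-Jun-2015 00:03:14.021 client @0x7f8a1c0009e0 203.0.113.9#53 (isc.org): query: isc.org IN ANY +E(0) (192.0.2.1)
04-Jun-2015 00:03:14.022 client @0x7f8a1c0009e0 203.0.113.9#53 (isc.org): query: isc.org IN ANY +E(0) (192.0.2.1)
04-Jun-2015 00:03:15.000 client 198.51.100.200#33333 (example.com): query: example.com IN A + (192.0.2.1)
04-Jun-2015 00:03:15.500 general: info: zone localhost/IN: loaded serial 1
"""


def parse_query_line(line):
    """Return the fields of one query-log line, or None if it is not a query line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    q = m.groupdict()
    q["qtype"] = q["qtype"].upper()
    q["rd"] = q["flags"].startswith("+")   # '+' = recursion desired, '-' = not
    return q


def is_allowed(ip):
    """True if the client address lies inside a network entitled to recursion."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_CLIENTS)


def analyze(log_text, threshold=3):
    """Summarise outside sources that ask this resolver to recurse, and flag
    those sending at least `threshold` queries of an amplifying type."""
    outside_rd = Counter()    # recursion-desired queries per outside source
    outside_amp = Counter()   # amplifying query types per outside source
    qtypes_seen = {}          # outside source -> set of amplifying qtypes
    for line in log_text.splitlines():
        q = parse_query_line(line)
        if q is None or is_allowed(q["ip"]):
            continue
        if q["rd"]:
            outside_rd[q["ip"]] += 1
        if q["qtype"] in AMPLIFYING_QTYPES:
            outside_amp[q["ip"]] += 1
            qtypes_seen.setdefault(q["ip"], set()).add(q["qtype"])
    flagged = sorted(ip for ip, n in outside_amp.items() if n >= threshold)
    return {
        "outside_rd": dict(outside_rd),
        "outside_amp": dict(outside_amp),
        "flagged": flagged,
        "qtypes": {ip: sorted(t) for ip, t in qtypes_seen.items()},
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, n in report["outside_rd"].items():
        print(f"outside client {ip} asked for recursion {n} time(s)")
    for ip in report["flagged"]:
        print(f"flagged {ip}: {report['outside_amp'][ip]} amplifying "
              f"queries {report['qtypes'][ip]}")
```

On a resolver configured the way the reply recommends (recursion limited to local clients and a stateful firewall rule that only admits port 53 traffic in reply to outgoing queries), `outside_rd` should come back empty; any entry there means the resolver is answering recursion requests from the wider net, and the `flagged` list shows which of those sources are choosing the query types that amplify best.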