DDOS prevention - how to restrict queries to hint (root) zones?

David Forrest drf at maplepark.com
Tue Feb 3 16:29:52 UTC 2009

On Tue, 3 Feb 2009, Mark Andrews wrote:

> In message <1233658532.12933.42.camel at muccalla.uninsubria.it>, MAtteo HCE Valsa
> sna writes:
>> hi all,
>> We run BIND 9.3.4-P1.1 on Debian GNU/Linux 4.0 (using the distribution's
>> package), that do both recursive queries for internal clients (with
>> proper allow-recursion clause) and authoritative servers for the
>> institution's domain.
>> There are reports of DDOS attacks based on DNS requests for the root
>> zone with spoofed source IP address:
>> * the attacker sends a request for the root zone with spoofed source
>> address to a DNS server
>> * The intermediate victim (DNS server) sends the reply packet -
>> significatively larger than the request - to the ultimate victim (the
>> owner of the spoofed source IP address in the request packet).
>> * the ultimate victim connection is flooded
>> http://isc.sans.org/diary.html?storyid=5773
>> I verified that our servers reply when queried from a non-trusted source
>> address for the root zone. (and we must also notice that the
>> "non-trusted source address" argument is pretty pointless when dealing
>> with spoofed source addresses: if a query with a spoofed internal source
>> address could reach the server, the server would just DDOS an internal
>> machine. But we do discard inbound packets with internal source IP
>> addresses on the network border).
>> The first answer to this threat would be to disallow queries for the
>> root zone would for any client (the root zone is used only by the server
>> itself, right?).
>> * Do you think there is any reason NOT do do this?
>> * Do you know a simple way to do this?
>>         the trivial solution of adding an allow-query clause to the root
>>         zone definition is refused by the server, as hint type zones
>>         cannot have an allow-query clause - see
>>         https://lists.isc.org/pipermail/bind-users/2006-January/061077.html
>>         there is possibly a way to do this using views, but...
>>         anything simpler?
> 	options {
> 		allow-query { recusrsive-clients; };
> 		allow-recursion { recusrsive-clients; };
> 	};
> 	zone {
> 		type (slave|master);
> 		...
> 		allow-query { any; };
> 	};
> 	Or upgrade to BIND 9.4 or later and use allow-query-cache,
> 	BIND 9.3 is past end-of-life.
> 	Mark
>> best regards and thanks for any answer
>> MAtteo Valsasna

Using allow-query to deny some queries still takes time and resources from 
your server as it then sends a "denied" message back to the query source. 
As the source is spoofed it then contributes in a small way to the DDoS 
attack.  I think it is better to just drop the queries on your firewall. 
I found this entry for iptables on the list a while back and it works 
well and drops around a thousand queries a day.

iptables -A INPUT -i $LOCALIF -j DROP -p udp --dport domain -m u32 --u32  "0>>22&0x3C at 12>>16=1&&0>>22&0x3C at 20>>24=0&&0>>22&0x3C at 21=0x00020001"

David Forrest 
St. Louis, Missouri

More information about the bind-users mailing list