disabling "Any" requests

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Jul 13 09:14:42 UTC 2012


On Fri, Jul 13, 2012 at 10:26:55AM +0200,
 Dns Administrator <dnsadmdns at gmail.com> wrote 
 a message of 186 lines which said:

> Googling the issue I found that it was well known and had something
> to do with dns amplification and denial of service.

Yes. Already discussed a lot on this list and on dns-operations.

> maybe the isc folks had implemented some sort of configuration
> option which could control this

You can do it outside of the name server, also. For instance, on
Linux, if the QNAME is fixed, let's say 'bad.example':

1) Get
<http://www.bortzmeyer.org/files/generate-netfilter-u32-dns-rule.py>

2) Run it with the proper options:

rule=$(python generate-netfilter-u32-dns-rule.py --qname bad.example --qtype ANY)

3) Use the output in a Netfilter rule:

iptables -A INPUT -p udp --dport 53 --match u32 --u32 "$rule" -j RATELIMITER

4) Rate-limit:

iptables -A RATELIMITER -m hashlimit \
   --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
   --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP

> But as so rightly pointed out the scamps who engage in this sort of
> foolishness would also be aware of this and change their scripts
> accordingly

My experience is that they don't do it immediately. Bad guys are
human, not demi-gods. Most attacks have obvious optimisations they do
not even use. A bad attitude in security is dismissing a partial and
limited solution because "attackers will adapt" while the reality is
that, even if they do, you'll have bought time.

Typical example: email greylisting, which has worked very well for many
years while several naysayers repeated "it's no good because the
spammers will adapt".
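The two pieces of the Netfilter recipe above, a match on "QTYPE ANY for one fixed QNAME" and a per-/28 hashlimit, modelled in Python as an added example. This is not the linked generate-netfilter-u32-dns-rule.py, not part of the original message, and not iptables code: it parses the DNS question section the way the u32 match inspects bytes, and approximates hashlimit's token bucket (20/second above, burst 100, srcmask 28 are the values from the rule above). The query packets it checks are constructed inline; the function and class names are this example's own.

```python
import struct
import ipaddress

QTYPE_ANY = 255


def build_query(qname, qtype, txid=0x1234, flags=0x0100):
    """Build a minimal DNS query (constructed test input, no EDNS)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_question(packet):
    """Return (qname, qtype) of the first question, or None if the packet
    is not a well-formed query (too short, QR bit set, compressed name)."""
    if len(packet) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount < 1:  # QR=1 means a response, not a query
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not belong in a question
            return None
        if pos + length > len(packet):
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(packet):
        return None
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype


def matches_rule(packet, qname, qtype=QTYPE_ANY):
    """Equivalent of the u32 match: this QNAME (case-insensitive) and QTYPE."""
    q = parse_question(packet)
    return q is not None and q == (qname.rstrip(".").lower(), qtype)


class HashLimiter:
    """Token bucket per source prefix, approximating
    hashlimit --hashlimit-above RATE --hashlimit-burst BURST --hashlimit-srcmask MASK."""

    def __init__(self, rate=20.0, burst=100, srcmask=28):
        self.rate, self.burst, self.srcmask = rate, burst, srcmask
        self.buckets = {}  # prefix -> (tokens, last_seen)

    def key(self, src_ip):
        return ipaddress.ip_network(f"{src_ip}/{self.srcmask}", strict=False)

    def should_drop(self, src_ip, now):
        """True when this source prefix is above the configured rate."""
        k = self.key(src_ip)
        tokens, last = self.buckets.get(k, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[k] = (tokens - 1, now)
            return False
        self.buckets[k] = (tokens, now)
        return True


def decide(limiter, src_ip, packet, now, qname="bad.example"):
    """INPUT chain logic: only matching ANY queries jump to the limiter."""
    if matches_rule(packet, qname) and limiter.should_drop(src_ip, now):
        return "DROP"
    return "ACCEPT"


if __name__ == "__main__":
    lim = HashLimiter()
    any_q = build_query("bad.example", QTYPE_ANY)
    verdicts = [decide(lim, "192.0.2.17", any_q, 0.0) for _ in range(101)]
    print("first 100:", set(verdicts[:100]), "101st:", verdicts[100])
    print("A query is never limited:", decide(lim, "192.0.2.17", build_query("bad.example", 1), 0.0))
```

Because the limiter is keyed on a /28, a flood spread over sixteen adjacent addresses still shares one bucket, which is what `--hashlimit-srcmask 28` buys you; queries for other names or other types never reach the bucket, matching the way the u32 rule gates the jump to RATELIMITER.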

More information about the bind-users mailing list