disabling "Any" requests
bortzmeyer at nic.fr
Fri Jul 13 09:14:42 UTC 2012
On Fri, Jul 13, 2012 at 10:26:55AM +0200,
Dns Administrator <dnsadmdns at gmail.com> wrote
a message of 186 lines which said:
> Googling the issue I found that it was well known and had something
> to do with dns amplification and denial of service.
Yes. Already discussed a lot on this list and on dns-operations.
> maybe the isc folks had implemented some sort of configuration
> option which could control this
You can do it outside of the name server, also. For instance, on
Linux, if the QNAME is fixed, let's say 'bad.example':
2) Run it with the proper options:
rule=$(python generate-netfilter-u32-dns-rule.py --qname bad.example --qtype ANY)
3) Use the output in a Netfilter rule:
iptables -N RATELIMITER   # create the target chain before referencing it
iptables -A INPUT -p udp --dport 53 --match u32 --u32 "$rule" -j RATELIMITER
# drop only sources (grouped per /28) sending more than 20 matching queries/s
iptables -A RATELIMITER -m hashlimit \
    --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
    --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP
> But as so rightly pointed out the scamps who engage in this sort of
> foolishness would also be aware of this and change their scripts
My experience is that they don't do it immediately. Bad guys are
human, not demi-gods. Most attacks have obvious optimisations they do
not even use. A bad attitude in security is dismissing a partial and
limited solution because "attackers will adapt" while the reality is
that, even if they do, you'll have bought time.
Typical example: email greylisting, which works very well for many
years while several naysayers repeated "it's no good because the
spammers will adapt".
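As an added example (not Bortzmeyer's script and not part of the original post), here is a small Python generator that produces a --u32 expression of the kind the message describes, matching a standard query for exactly one QNAME/QTYPE, together with a minimal evaluator for the u32 mini-language (the subset actually used: >>, <<, &, @ and single '=' values) so the expression can be checked against a constructed packet before it goes into a firewall. The function names, the constructed packet and its 192.0.2.x documentation addresses are assumptions of this example.

```python
import re
import struct

QTYPES = {"A": 1, "NS": 2, "TXT": 16, "AAAA": 28, "ANY": 255}


def qname_wire(name):
    """Encode a name as DNS wire labels: 'bad.example' -> 03 b a d 07 e x a m p l e 00."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def u32_rule(qname, qtype):
    """Build a --u32 expression matching a standard IPv4/UDP query for exactly qname/qtype.

    Every read is taken after '0>>22&0x3C@', which extracts IHL*4 from the first IP word
    and re-bases offsets to the start of the UDP header, so IP options do not break it.
    """
    base = "0>>22&0x3C@"
    tests = [
        base + "8&0xF800=0",             # DNS flags word: QR=0 and opcode=0 (standard query)
        base + "12&0xFFFF0000=0x10000",  # QDCOUNT == 1
    ]
    question = qname_wire(qname) + struct.pack(">HH", QTYPES[qtype], 1)  # QTYPE, QCLASS=IN
    # xt_u32 always reads whole 4-byte words and reports "no match" if a read runs past
    # the packet, so the last read is aligned to the end of the question, not beyond it.
    offsets = list(range(0, len(question) - 3, 4))
    if len(question) - 4 not in offsets:
        offsets.append(len(question) - 4)
    for off in offsets:
        word = int.from_bytes(question[off:off + 4], "big")
        tests.append(f"{base}{20 + off}=0x{word:08x}")  # 20 = UDP header (8) + DNS header (12)
    return " && ".join(tests)


_TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|>>|<<|&|@")


def _word(pkt, off):
    if off + 4 > len(pkt):
        raise IndexError("read past end of packet")
    return int.from_bytes(pkt[off:off + 4], "big")


def u32_match(pkt, rule):
    """Evaluate a --u32 expression against raw IPv4 packet bytes with xt_u32 semantics
    for the subset used above (no value ranges or comma lists)."""
    try:
        for test in rule.split("&&"):
            loc, want = test.strip().split("=")
            tok = _TOKEN.findall(loc)
            at, val = 0, _word(pkt, int(tok[0], 0))
            for op, num in zip(tok[1::2], tok[2::2]):
                n = int(num, 0)
                if op == ">>":
                    val >>= n
                elif op == "<<":
                    val = (val << n) & 0xFFFFFFFF
                elif op == "&":
                    val &= n
                else:  # '@': the value so far is added to the base, then 4 bytes are read at base+n
                    at += val
                    val = _word(pkt, at + n)
            if val != int(want, 0):
                return False
        return True
    except IndexError:
        return False  # same outcome as the kernel: a truncated packet does not match


def build_query(qname, qtype, ident=0x1234):
    """Constructed sample packet: minimal IPv4/UDP/DNS query 192.0.2.1 -> 192.0.2.53:53."""
    dns = struct.pack(">HHHHHH", ident, 0x0100, 1, 0, 0, 0)  # RD set, one question
    dns += qname_wire(qname) + struct.pack(">HH", QTYPES[qtype], 1)
    udp = struct.pack(">HHHH", 40000, 53, 8 + len(dns), 0) + dns  # UDP checksum left at 0
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))  # IP checksum left at 0
    return ip + udp


if __name__ == "__main__":
    rule = u32_rule("bad.example", "ANY")
    print(rule)
    for name, qt in [("bad.example", "ANY"), ("bad.example", "A"), ("other.example", "ANY")]:
        print(f"{name:14s} {qt:4s} -> {u32_match(build_query(name, qt), rule)}")
```

The generated expression is meant to sit behind "-p udp --dport 53" exactly as in the message: u32 itself assumes an IPv4 header at offset 0 and only ever sees the first fragment. Two limits worth knowing before relying on it: the name comparison is on exact wire bytes (no case folding, no compression pointers), and a query carrying extra question records or a different QCLASS will not match, which is intended here since the goal is to rate-limit one precise query shape rather than all DNS traffic.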