Preventing a particular type of nameserver abuse
Richard T.A. Neal
richard at richardneal.com
Mon Apr 12 22:55:59 UTC 2021
Grant Taylor wrote:
> You might be able to apply the same methodology to filter unwanted inbound queries to completely avoid sending the reply code at all.
That's exactly what I do. I have some code that watches for a frequent occurrence of these sorts of queries and then adds a firewall rule for a predetermined amount of time to simply drop the incoming packets at the firewall. This prevents them from reaching BIND in the first place and thus consuming system resources on the BIND server. I say "predetermined amount of time" because that rule is then removed after a period of time, in case the abuse was "unintentional" (ahem), or in case it came from a system using a non-static IP (i.e. a different user may be using that IP now, so I don't want to block them).
As well as requests for IN ANY sl, I also get a huge number for IN ANY census.gov. As with "sl", it's an attack based on the premise that the query is very small when compared to the volume of data being sent by return. Bear in mind that the IP address purporting to send the query could very well be spoofed, since it's UDP traffic; i.e. the malicious actor is potentially trying to get your DNS server to participate in a DDoS DNS attack against a third party. So by dropping those requests at the firewall I'm helping to ensure that my BIND server isn't a participant in that attack.
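The post describes the mechanism in outline: count "IN ANY" queries per source address, block the source at the firewall once it crosses a threshold, and lift the block again after a fixed period. The following is an added example, not the poster's script, of how that loop can be implemented against BIND 9 query-log lines. It assumes the standard BIND query-log line format, an nftables set named blocked_dns that an existing drop rule already references (the threshold, window, set name and sample log lines are all assumptions constructed for the example), and it prints the nft commands it would run rather than executing them, so it can be read and tested offline. Because the source address may be spoofed, as the post notes, the block affects whatever host really owns that address, which is the reason for the short expiry.

```python
"""Temporary firewall blocks for sources that flood a BIND server with IN ANY
queries.  Added example: assumes BIND 9 query-log format, an nftables set
'blocked_dns' in table 'inet filter' that a drop rule references, and the
constructed sample lines below."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches "client 198.51.100.7#4321 (sl): query: sl IN ANY +E(0)K (192.0.2.1)"
# with or without the "@0x..." client pointer newer BIND versions print, and
# with optional "category: severity:" prefixes from file-based logging.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?:\S+: )*?client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\(\S*\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return (timestamp, client_ip, qname, qclass, qtype) or None."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), m.group("qname"), m.group("qclass"), m.group("qtype")


class AnyQueryLimiter:
    """Sliding-window counter of IN ANY queries per source, with timed blocks."""

    def __init__(self, threshold=5, window=timedelta(seconds=10),
                 block_for=timedelta(minutes=15), nft_set="blocked_dns"):
        self.threshold = threshold      # ANY queries within `window` that trigger a block
        self.window = window
        self.block_for = block_for      # how long the drop rule stays in place
        self.nft_set = nft_set          # assumed set name; a drop rule must reference it
        self.recent = defaultdict(deque)  # ip -> timestamps of recent ANY queries
        self.blocked = {}                 # ip -> time the block expires

    def add_rule(self, ip):
        return f"nft add element inet filter {self.nft_set} {{ {ip} }}"

    def del_rule(self, ip):
        return f"nft delete element inet filter {self.nft_set} {{ {ip} }}"

    def expire(self, now):
        """Lift blocks whose time is up; returns the rule-removal commands."""
        cmds = []
        for ip, until in list(self.blocked.items()):
            if until <= now:
                del self.blocked[ip]
                cmds.append(self.del_rule(ip))
        return cmds

    def observe(self, ts, ip, qclass, qtype):
        """Feed one parsed query; returns the add-rule command if a block starts."""
        if qtype != "ANY" or qclass != "IN" or ip in self.blocked:
            return None
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[ip] = ts + self.block_for
            q.clear()
            return self.add_rule(ip)
        return None


def process_log(lines, limiter):
    """Replay log lines in order; returns the firewall commands that would be issued."""
    cmds = []
    for line in lines:
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        ts, ip, _qname, qclass, qtype = parsed
        cmds.extend(limiter.expire(ts))
        cmd = limiter.observe(ts, ip, qclass, qtype)
        if cmd:
            cmds.append(cmd)
    return cmds


# Constructed sample log: one source sends a burst of IN ANY for sl / census.gov,
# another source sends ordinary A/AAAA queries that must not be counted.
SAMPLE_LOG = """\
12-Apr-2021 22:50:00.001 client @0x7f1a2c003ef0 203.0.113.5#4444 (sl): query: sl IN ANY +E(0)K (192.0.2.1)
12-Apr-2021 22:50:00.210 client @0x7f1a2c003ef0 203.0.113.5#4444 (sl): query: sl IN ANY +E(0)K (192.0.2.1)
12-Apr-2021 22:50:00.420 client @0x7f1a2c003ef0 203.0.113.5#4444 (census.gov): query: census.gov IN ANY +E(0)K (192.0.2.1)
12-Apr-2021 22:50:00.630 client @0x7f1a2c003ef0 198.51.100.7#5353 (example.com): query: example.com IN A +E(0)K (192.0.2.1)
12-Apr-2021 22:50:00.840 client @0x7f1a2c003ef0 203.0.113.5#4444 (sl): query: sl IN ANY +E(0)K (192.0.2.1)
12-Apr-2021 22:50:01.050 client @0x7f1a2c003ef0 203.0.113.5#4444 (census.gov): query: census.gov IN ANY +E(0)K (192.0.2.1)
12-Apr-2021 22:50:01.260 client @0x7f1a2c003ef0 203.0.113.5#4444 (sl): query: sl IN ANY +E(0)K (192.0.2.1)
12-Apr-2021 23:06:00.000 client @0x7f1a2c003ef0 198.51.100.7#5353 (example.com): query: example.com IN AAAA +E(0)K (192.0.2.1)
""".splitlines()

if __name__ == "__main__":
    for cmd in process_log(SAMPLE_LOG, AnyQueryLimiter()):
        print(cmd)
```

Run against the sample, the fifth IN ANY from 203.0.113.5 within the 10-second window produces the add command, the later query that follows is ignored while the block is active, and the first line seen after the 15-minute expiry produces the delete command. In production the script would tail the query log and pass each command to subprocess; an alternative that removes the bookkeeping from the script is to declare the nftables set with the `timeout` flag so the kernel drops the element itself after the chosen period.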