port 53 under attack

Matthew Seaman matthew at FreeBSD.org
Thu Jun 4 06:39:36 UTC 2015 

On 04/06/2015 00:03, joeb1 wrote:
> My firewall blocks unsolicited inbound traffic on port 53. I realize
> this is the DNS port. But I am getting over 200K  hits per day from ip
> addresses from all over the world. My host has a dynamic ip address. Is
> there any valid reason for this to be happening?

The usual reason for this sort of traffic is using the DNS as a traffic
amplifier.  The bad guys can send a small request eg for

   'IN NS .'

and get a response listing all the root nameservers, which is very much
larger.  Couple that with the UDP nature of DNS lookups, meaning it is
simple to put a fake from address on the DNS packets, and the response
is easily directed towards the target of choice.

The cure for this is not to run an open resolver.  DNS servers come in
two different flavours:

   authoritative:  which will respond to queries from anywhere in the
      net, but only for the zones they hold the data for.

   recursive:  will respond to a limited range of clients for queries
      about any data in the DNS.

Depending on the role your nameserver is performing[*], you'll need
different configurations for either of these.  You should also control
network traffic to port 53 using firewall rules appropriately for either
case: for instance, for a recursive resolver handling queries from hosts
inside your firewall (probably the most common scenario) you can use a
stateful firewall rule that triggers on the first /outgoing/ DNS packet,
but that denies query initiation from inside.

See:

 https://www.dns-oarc.net/wiki/mitigating-dns-denial-of-service-attacks

for a more in-depth discussion and links to documents showing how to
configure either type of resolver securely.

	Cheers,

	Matthew

[*] It's a really bad idea to try and configure a resolver to do both
recursive and authoritative roles.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 971 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20150604/86504b3f/attachment.sig>

More information about the freebsd-questions mailing list