port 53 under attack

Ernie Luzar luzar722 at gmail.com
Thu Jun 4 15:33:31 UTC 2015

On 6/4/2015 2:39 AM, Matthew Seaman wrote:
> On 04/06/2015 00:03, joeb1 wrote:
>> My firewall blocks unsolicited inbound traffic on port 53. I realize
>> this is the DNS port. But I am getting over 200K  hits per day from ip
>> addresses from all over the world. My host has a dynamic ip address. Is
>> there any valid reason for this to be happening?
> The usual reason for this sort of traffic is using the DNS as a traffic
> amplifier.  The bad guys can send a small request eg for
>     'IN NS .'
> and get a response listing all the root nameservers, which is very much
> larger.  Couple that with the UDP nature of DNS lookups, meaning it is
> simple to put a fake from address on the DNS packets, and the response
> is easily directed towards the target of choice.
> The cure for this is not to run an open resolver.  DNS servers come in
> two different flavours:
>     authoritative:  which will respond to queries from anywhere in the
>        net, but only for the zones they hold the data for.
>     recursive:  will respond to a limited range of clients for queries
>        about any data in the DNS.
> Depending on the role your nameserver is performing[*], you'll need
> different configurations for either of these.  You should also control
> network traffic to port 53 using firewall rules appropriately for either
> case: for instance, for a recursive resolver handling queries from hosts
> inside your firewall (probably the most common scenario) you can use a
> stateful firewall rule that triggers on the first /outgoing/ DNS packet,
> but that denies query initiation from inside.
> See:
>   https://www.dns-oarc.net/wiki/mitigating-dns-denial-of-service-attacks
> for a more in-depth discussion and links to documents showing how to
> configure either type of resolver securely.
> 	Cheers,
> 	Matthew
> [*] It's a really bad idea to try and configure a resolver to do both
> recursive and authoritative roles.

I am NOT running a dns server. So all these inbound hits on port 53 is 
just bad guys fishing for a open dns server and blocking them like I am 
doing is the correct thing to do?

More information about the freebsd-questions mailing list