port 53 under attack
freebsd at pki2.com
Thu Jun 4 17:33:05 UTC 2015
On Thu, 2015-06-04 at 11:33 -0400, Ernie Luzar wrote:
> On 6/4/2015 2:39 AM, Matthew Seaman wrote:
> > On 04/06/2015 00:03, joeb1 wrote:
> >> My firewall blocks unsolicited inbound traffic on port 53. I realize
> >> this is the DNS port. But I am getting over 200K hits per day from ip
> >> addresses from all over the world. My host has a dynamic ip address. Is
> >> there any valid reason for this to be happening?
> > The usual reason for this sort of traffic is using the DNS as a traffic
> > amplifier. The bad guys can send a small request eg for
> > 'IN NS .'
> > and get a response listing all the root nameservers, which is very much
> > larger. Couple that with the UDP nature of DNS lookups, meaning it is
> > simple to put a fake from address on the DNS packets, and the response
> > is easily directed towards the target of choice.
> > The cure for this is not to run an open resolver. DNS servers come in
> > two different flavours:
> > authoritative: which will respond to queries from anywhere in the
> > net, but only for the zones they hold the data for.
> > recursive: will respond to a limited range of clients for queries
> > about any data in the DNS.
> > Depending on the role your nameserver is performing[*], you'll need
> > different configurations for either of these. You should also control
> > network traffic to port 53 using firewall rules appropriately for either
> > case: for instance, for a recursive resolver handling queries from hosts
> > inside your firewall (probably the most common scenario) you can use a
> > stateful firewall rule that triggers on the first /outgoing/ DNS packet,
> > but that denies query initiation from inside.
> > See:
> > https://www.dns-oarc.net/wiki/mitigating-dns-denial-of-service-attacks
> > for a more in-depth discussion and links to documents showing how to
> > configure either type of resolver securely.
> > Cheers,
> > Matthew
> > [*] It's a really bad idea to try and configure a resolver to do both
> > recursive and authoritative roles.
> I am NOT running a dns server. So all these inbound hits on port 53 is
> just bad guys fishing for a open dns server and blocking them like I am
> doing is the correct thing to do?
Don't send ICMP failures. Just drop the packets.
More information about the freebsd-questions