port 53 under attack

Dennis Glatting freebsd at pki2.com
Thu Jun 4 17:33:05 UTC 2015 

On Thu, 2015-06-04 at 11:33 -0400, Ernie Luzar wrote:
> On 6/4/2015 2:39 AM, Matthew Seaman wrote:
> > On 04/06/2015 00:03, joeb1 wrote:
> >> My firewall blocks unsolicited inbound traffic on port 53. I realize
> >> this is the DNS port. But I am getting over 200K  hits per day from ip
> >> addresses from all over the world. My host has a dynamic ip address. Is
> >> there any valid reason for this to be happening?
> > The usual reason for this sort of traffic is using the DNS as a traffic
> > amplifier.  The bad guys can send a small request eg for
> >
> >     'IN NS .'
> >
> > and get a response listing all the root nameservers, which is very much
> > larger.  Couple that with the UDP nature of DNS lookups, meaning it is
> > simple to put a fake from address on the DNS packets, and the response
> > is easily directed towards the target of choice.
> >
> > The cure for this is not to run an open resolver.  DNS servers come in
> > two different flavours:
> >
> >     authoritative:  which will respond to queries from anywhere in the
> >        net, but only for the zones they hold the data for.
> >
> >     recursive:  will respond to a limited range of clients for queries
> >        about any data in the DNS.
> >
> > Depending on the role your nameserver is performing[*], you'll need
> > different configurations for either of these.  You should also control
> > network traffic to port 53 using firewall rules appropriately for either
> > case: for instance, for a recursive resolver handling queries from hosts
> > inside your firewall (probably the most common scenario) you can use a
> > stateful firewall rule that triggers on the first /outgoing/ DNS packet,
> > but that denies query initiation from inside.
> >
> > See:
> >
> >   https://www.dns-oarc.net/wiki/mitigating-dns-denial-of-service-attacks
> >
> > for a more in-depth discussion and links to documents showing how to
> > configure either type of resolver securely.
> >
> > 	Cheers,
> >
> > 	Matthew
> >
> > [*] It's a really bad idea to try and configure a resolver to do both
> > recursive and authoritative roles.
> >
> >
> 
> I am NOT running a dns server. So all these inbound hits on port 53 is 
> just bad guys fishing for a open dns server and blocking them like I am 
> doing is the correct thing to do?
> 

Don't send ICMP failures. Just drop the packets.

More information about the freebsd-questions mailing list