Kostas Zorbadelos <kzo...@otenet.gr> writes:

> there is a need to restrict a specific type of DNS queries (ANY queries)
> in our nameservers. We faced a DDoS attack in our resolvers and the
> thing is that we could not simply cut access to DNS resolution to
> specific client IPs, the queries came from our own unsuspecting
> customers.
My first impulse when reading the SANS diary item was to rate-limit, possibly via the overload table mechanism, and if not blocking them outright, perhaps put the DNS requests from the overloads in a minimal-bandwidth queue. That may or may not be appropriate to your context, and I suspect detection may be the main priority.

While string matching in PF is not an option, I vaguely remember Snort users coming up with patterns to match earlier DNS tomfoolery, so there's a chance you may be able to get useful info and possibly even a working Snort setup to deal with this one.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
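The rate-limit-then-queue approach sketched in the reply above, written out as an added pf.conf example (not Peter's configuration and not from the original thread). It assumes OpenBSD 5.5 or later queue syntax, an external interface em0, and a resolver address pool in the macro $resolvers; all three are assumptions. One caveat the reply does not spell out: PF's max-src-conn-rate counter, the usual trigger for an overload table, only fires on completed TCP handshakes, so it never sees UDP DNS queries. For UDP the knob PF does offer is max-src-states (a cap on concurrent state entries per source, which with a short UDP timeout behaves as a crude rate limit), and the overload table is best fed by whatever detector you run, as the reply suggests with Snort.

```pf
# Added example, not the original poster's or the replier's ruleset.
# Assumed: OpenBSD 5.5+ queueing, ext_if = em0, $resolvers = our nameservers.
ext_if = "em0"
resolvers = "{ 192.0.2.53, 192.0.2.54 }"   # constructed documentation addresses

# Table of sources we have decided to throttle. Populated by an external
# detector (e.g. a script reading Snort or resolver logs), not by PF itself,
# since max-src-conn-rate/overload only triggers on established TCP.
table <dnsabusers> persist

# Bandwidth tree: everything else gets the default leaf, throttled DNS
# clients get a 64 Kbit/s leaf capped at 128 Kbit/s.
queue rootq on $ext_if bandwidth 100M
queue std parent rootq bandwidth 95M default
queue dnslow parent rootq bandwidth 64K max 128K

# Short UDP timeouts so that max-src-states below approximates a rate limit
# rather than a lifetime quota (defaults are 60/30 s; these are assumed values).
set timeout { udp.first 20, udp.single 10, udp.multiple 20 }

# Ordinary customers: allow DNS, but no single source may hold more than
# 20 concurrent UDP states towards the resolvers. Excess queries are dropped
# until states expire; the source is still not blocked outright.
pass in on $ext_if proto udp to $resolvers port domain \
    keep state (source-track rule, max-src-states 20)

# Sources the detector has flagged: still answered, but from the starved
# queue. Last matching rule wins, so this overrides the rule above for
# addresses in the table.
pass in on $ext_if proto udp from <dnsabusers> to $resolvers port domain \
    keep state (source-track rule, max-src-states 5) set queue dnslow

# Keep TCP DNS open (large answers fall back to it); the TCP-only
# max-src-conn-rate can feed the same table here.
pass in on $ext_if proto tcp to $resolvers port domain \
    flags S/SA keep state (max-src-conn-rate 30/10, overload <dnsabusers> flush)
```

Operationally, the detector adds and ages entries with the usual table commands: `pfctl -t dnsabusers -T add 198.51.100.7` when a client trips the pattern, and a cron job running `pfctl -t dnsabusers -T expire 3600` so a customer whose box has been cleaned drops back to the normal rules after an hour without re-triggering. Because the queue only shapes outbound traffic on the interface it is attached to, put the queue definitions on the interface facing the customers if the resolvers sit behind the firewall, or on the resolvers' own PF if they run OpenBSD.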