Good day,

I have a problem in protecting one of our DNS servers (Debian, bind9). 
One of our DNS servers is attacked with cache queries. Our servers are 
protected the best way I can, but this type of request is coming from 
everywhere and I cannot find an effective way of stopping these queries.

The queries look like these (tcpdump, one record per line):
14:17:52.521563 IP 36.234.214.186.7824 > <my DNS server>.53: 47574+ A? kjaveb.sfbsodnssbsdbsdbsndbsidbdfwff.fsf.crayumm.com. (70)
14:17:52.522458 IP 72.37.49.70.49040 > <my DNS server>.53: 17713+ A? mdsfcn.sfbsodnssbsdbsdbsndbsidbdfwff.fsf.crayumm.com. (70)
14:17:52.523229 IP <my DNS server>.53 > 36.234.214.186.7824: 47574 Refused- 0/0/0 (70)
14:17:52.523313 IP <my DNS server>.53 > 72.37.49.70.49040: 17713 Refused- 0/0/0 (70)

BIND security log (one record per line):
08-Jul-2014 14:18:37.276 client 192.225.235.160#46655 (mxgbcfqdqdsh.www.fh1688.cn): query (cache) 'mxgbcfqdqdsh.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:37.632 client 192.225.236.196#43452 (ibermzmjingh.www.fh1688.cn): query (cache) 'ibermzmjingh.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:37.632 client 192.225.232.157#27740 (mzgrqlylyrsv.www.fh1688.cn): query (cache) 'mzgrqlylyrsv.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:38.128 client 23.208.175.177#41119 (wjkrofctef.www.fh1688.cn): query (cache) 'wjkrofctef.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:38.181 client 24.87.218.48#10407 (ibqlqzkheb.www.fh1688.cn): query (cache) 'ibqlqzkheb.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:38.577 client 108.117.95.12#13816 (efml.www.fh1688.cn): query (cache) 'efml.www.fh1688.cn/A/IN' denied

I have configured BIND with rate limits, no recursion, etc., and I have 
installed fail2ban. All these countermeasures are not sufficient. With 
extremely strict fail2ban rules I banned +/- 25,000 IP addresses in a few 
hours, but the DNS cache queries still continue.

fail2ban log (one record per line):
2014-07-08 14:23:12,337 fail2ban.actions: WARNING [named-refused] Ban 23.49.193.58
2014-07-08 14:23:12,662 fail2ban.actions: WARNING [named-refused] Ban 66.190.8.57
2014-07-08 14:23:12,993 fail2ban.actions: WARNING [named-refused] Ban 24.6.177.245
2014-07-08 14:23:13,316 fail2ban.actions: WARNING [named-refused] Ban 24.252.152.111
2014-07-08 14:23:13,656 fail2ban.actions: WARNING [named-refused] Ban 25.145.60.69
2014-07-08 14:23:13,987 fail2ban.actions: WARNING [named-refused] Ban 24.249.113.165
2014-07-08 14:23:14,334 fail2ban.actions: WARNING [named-refused] Ban 24.213.230.250
2014-07-08 14:23:14,699 fail2ban.actions: WARNING [named-refused] Ban 23.217.118.188
2014-07-08 14:23:15,029 fail2ban.actions: WARNING [named-refused] Ban 23.228.90.135
2014-07-08 14:23:15,353 fail2ban.actions: WARNING [named-refused] Ban 24.181.151.152
2014-07-08 14:23:15,684 fail2ban.actions: WARNING [named-refused] Ban 24.42.26.21

I can't find a pattern in the banned IP addresses: they don't belong to 
one or a few IP address blocks.

So my question: is there a way to drop DNS query cache requests with 
shorewall without interfering with the intended DNS service?

-- 

Met vriendelijke groeten/Regards,
Tiswe/R.J. Baart Automatisering B.V.
Ruud Baart
Tel: +31 6 51318104

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users