On 7/8/2014 8:53 AM, Ruud Baart wrote: > > Tom Eastep schreef op 8-7-2014 17:35: >> On 7/8/2014 8:10 AM, Ruud Baart wrote: >> >>> Tom Eastep schreef op 8-7-2014 16:55: >>>> On 7/8/2014 5:30 AM, Ruud Baart wrote: >>>>> Good day, >>>>> >>>>> I have a problem in protecting one of our DNS severs (Debian, bind9). >>>>> One of our DNS servers is attacked with cache queries. Our servers are >>>>> protected the best way I can but this type of requests are coming from >>>>> everywhere and I can not find a effective way of stopping these queries. >>>>> >>>>> The queries look like these (tcpdump): >>>>> 14:17:52.521563 IP 36.234.214.186.7824 > <my DNS server>.53: 47574+ A? >>>>> kjaveb.sfbsodnssbsdbsdbsndbsidbdfwff.fsf.crayumm.com. (70) >>>>> 14:17:52.522458 IP 72.37.49.70.49040 > <my DNS server>.53: 17713+ A? >>>>> mdsfcn.sfbsodnssbsdbsdbsndbsidbdfwff.fsf.crayumm.com. (70) >>>>> 14:17:52.523229 IP <my DNS server>.53 > 36.234.214.186.7824: 47574 >>>>> Refused- 0/0/0 (70) >>>>> 14:17:52.523313 IP <my DNS server>.53 > 72.37.49.70.49040: 17713 >>>>> Refused- 0/0/0 (70) >>>>> I can't find a pattern in the banned IP addresses: they don't belong to >>>>> one or a few IP address blocks. >>>>> >>>>> So my question: is there a way to drop DNS query cache requests with >>>>> shorewall without interfering the intended DNS service? >>>> Which Shorewall version are you running? >>>> >>> 4.5.5.3 >>> >>> But a upgrade is no problem >>> >>> >> Assuming that all of the queries contain the string "fsf.crayumm.com", >> then on a 4.6 Shorewall version (such as found in Debian testing), you >> can use a rule such as this one: >> >> IPTABLES(DROP) net xxx udp 53 ; -m string --string "fsf.crayumm.com" >> >> where xxx is the zone where your DNS server is running. > > The queries contain all different domainnames, no pattern. As far as > I can see the only common ground is the recursion desired flag in the > UDP DNS query request (in wireshark: ...1 .... .... = Recursion > desired: Do query recursively). As far as I know normal client don't > set the recursion flag. Is it possible and meaningful to block all > these packets (from non trusted hosts)?
Your internal clients will set that flag -- legitimate external clients
will not.
According to some references I've found on the web, this string match
should block them:
IPTABLES(DROP) net xxx udp 53 : -m string --from 50\
--algo bm --hex-string '|0000FF0001|'
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Open source business process management suite built on Java and Eclipse Turn processes into business applications with Bonita BPM Community Edition Quickly connect people, data, and systems into organized workflows Winner of BOSSIE, CODIE, OW2 and Gartner awards http://p.sf.net/sfu/Bonitasoft
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
