DNS Blocking

Mailman List Mirror (Read Only)
1

Hey guys,

I was recently hammered by someone making a ton of requests for a non-existent subdomain of a domain that I host. The requests were coming in from forged ips, and presumably being used to flood other people.

Because DNS is udp based, and the sender of the queries honestly didn't care about getting a response back, traditional firewalls were useless. I imagine a sniffing firewall that can look at the packet payloads would have been more useful, but I was wondering if anyone knew a way to better mitigate this type of attack.

I posted on comp.protocols.dns.bind, didn't get back anything of use. I posted on webhostingtalk, and got a pointer at the "securing bind" paper (which neither addresses the situation, nor includes anything to prevent it).

What I was basically asking for was a "silently drop queries for X-domain" option. But one doesn't exist in bind.

I know it's a little off-topic, but I'd appreciate any pointers.

-Dan Mahoney

2

danm@prime.gushi.org ("Dan Mahoney, System Admin") writes:

What I was basically asking for was a "silently drop queries for X-domain"
option. But one doesn't exist in bind.

take a look at www.as112.net to see what happens to queries for
10.in-addr.arpa and its brothers. you can easily set up a zone
that will just confuse and make errors for whoever queries it:

        @ SOA localhost hostmaster.localhost
                   NS localhost
        localhost A 127.0.0.1
        * MX 0 localhost
                   A 127.0.0.1

(the specific name "localhost" is nec'y because glue searches
aren't required to find wildcards.)

if you put a zone like that in place on a server that's receiving
unwanted queries for some zone, they will soon stop, or not. you
win either way -- the queries stop, or you laugh your ass off.

3

danm@prime.gushi.org ("Dan Mahoney, System Admin") writes:

What I was basically asking for was a "silently drop queries for X-domain"
option. But one doesn't exist in bind.

take a look at www.as112.net to see what happens to queries for
10.in-addr.arpa and its brothers. you can easily set up a zone
that will just confuse and make errors for whoever queries it:

       @ SOA localhost hostmaster.localhost
                  NS localhost
       localhost A 127.0.0.1
       * MX 0 localhost
                  A 127.0.0.1

(the specific name "localhost" is nec'y because glue searches
aren't required to find wildcards.)

if you put a zone like that in place on a server that's receiving
unwanted queries for some zone, they will soon stop, or not. you
win either way -- the queries stop, or you laugh your ass off.

There weren't rfc1918.

-Dan

4

> danm@prime.gushi.org ("Dan Mahoney, System Admin") writes:
>
>> What I was basically asking for was a "silently drop queries for X-domain"
>> option. But one doesn't exist in bind.
>
> take a look at www.as112.net to see what happens to queries for
> 10.in-addr.arpa and its brothers. you can easily set up a zone

There weren't rfc1918.

Doesn't matter. But in order for this trick to work:

  - The things sending you queries must be able to receive your
    replies. I believe you said that source addresses are spoofed,
    so this may not be the case.

  - The things sending you queries must be smart enough to follow
    the NS referral in the response.

If I wanted to silently drop DNS queries based on the query name,
I might use FreeBSD's divert socket and a Perl script to examine
the queries. Not sure well that would scale though.

Duane W.