nanog mailing list archives

Re: Comcast residential DNS contact


From: Jared Mauch <jared () puck nether net>
Date: Wed, 3 Dec 2014 12:58:20 -0500


On Dec 3, 2014, at 10:45 AM, Stephen Satchell <list () satchell net> wrote:

> No.  When I've been victim of DNS amplification attacks, the packet
> capture showed that the attacker used ANY queries.  Legit ANY queries on
> my recursive servers?  Damn few.  So I block.  Not so on my
> authoritative servers, where ANY queries on the domains I host zone
> files for have not caused any problems, for anyone.
> 
> Another thing I did was slow down the port for my recursive DNS servers
> to 10 megabits/s.  That means that my upstream link can't be saturated
> by DNS amplification.  Oh, and I rate-limit incoming queries to my DNS
> servers by IP address range -- an attack from one subnet won't affect
> queries from other parts of the net.  Queries from my IP address range
> have a high cap; J random IP addresses have a lower cap.

You should not filter the ANY queries; perhaps you want to TC=1 them.  I
created a patch for bind for this purpose.

http://puck.nether.net/~jared/bind-9.9.3rc2-tcp-any.patch

I've seen many of these attacks; they will use MX/TXT/A and other records.

You may want to look at some of the public resources for this, e.g.:

http://dnsamplificationattacks.blogspot.nl/

is a good one, and for the git lovers:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

or

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

- Jared
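The "TC=1 them" approach in Jared's reply, shown as an added example (not his BIND patch and not BIND's code): when an ANY query arrives over UDP, the server answers with an empty response that has the TC bit set, so a legitimate client retries over TCP while a spoofed-source flood gets nothing larger than the query it sent. The wire-format helpers and the example query are constructed here for illustration.

```python
import struct

QTYPE_ANY = 255           # qtype of the ANY meta-query (RFC 1035)
FLAG_QR = 0x8000          # header bit: this message is a response
FLAG_TC = 0x0200          # header bit: truncated, client should retry over TCP
KEEP_FROM_QUERY = 0x7900  # opcode and RD bits are echoed from the query

def build_query(txid: int, name: str, qtype: int) -> bytes:
    """Build a minimal single-question DNS query (constructed test input)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(query: bytes):
    """Return (qname, qtype, end_offset) of the single question section."""
    if struct.unpack("!H", query[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while True:
        ln = query[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question not supported")
        labels.append(query[off:off + ln].decode("ascii"))
        off += ln
    qtype = struct.unpack("!H", query[off:off + 2])[0]
    return ".".join(labels) + ".", qtype, off + 4  # skip qtype and qclass

def truncate_any_over_udp(query: bytes, over_udp: bool):
    """Return an empty TC=1 reply when the query is ANY over UDP, else None.

    The reply carries no answer records, so it is no larger than the query
    and gives an attacker no amplification toward a spoofed source; a real
    client retries over TCP, where the source address cannot be spoofed.
    """
    _, qtype, qend = parse_question(query)
    if not over_udp or qtype != QTYPE_ANY:
        return None  # answer normally (normal answering not shown here)
    qflags = struct.unpack("!H", query[2:4])[0]
    rflags = FLAG_QR | FLAG_TC | (qflags & KEEP_FROM_QUERY)
    txid = int.from_bytes(query[0:2], "big")
    header = struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0)
    return header + query[12:qend]  # echo only the question section
```

The same idea is now available as a built-in option in recent BIND releases (`minimal-any`), so a patched server is no longer required to get this behaviour.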
