[nsd-users] Block any request
Bas van den Dikkenberg
bas at Dikkenberg.net
Mon Apr 25 18:31:09 UTC 2016
Hi all,
We have a great problem: we are under a DNS amplification attack on one of our zones.
Is there a way to block the ANY request type?
server:
# uncomment to specify specific interfaces to bind (default wildcard interface).
# ip-address: 1.2.3.4
# ip-address: 1.2.3.4 at 5678
# ip-address: 12fe::8ef0
# don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
hide-version: yes
# enable debug mode, does not fork daemon process into the background.
# debug-mode: no
# listen only on IPv4 connections
# ip4-only: no
# listen only on IPv6 connections
# ip6-only: no
# the database to use
database: "/var/lib/nsd/nsd.db"
# identify the server (CH TXT ID.SERVER entry).
identity: "ns1.somedomain.tld"
# NSID identity (hex string). default disabled.
# nsid: "aabbccdd"
# log messages to file. Default to stderr and syslog (with facility LOG_DAEMON).
logfile: "/var/log/nsd.log"
# Number of NSD servers to fork.
# server-count: 1
# Maximum number of concurrent TCP connections per server.
# This option should have a value below 1000.
tcp-count: 1000
# Maximum number of queries served on a single TCP connection.
# By default 0, which means no maximum.
# tcp-query-count: 0
# Override the default (120 seconds) TCP timeout.
# tcp-timeout: 120
# Preferred EDNS buffer size for IPv4.
# ipv4-edns-size: 4096
# Preferred EDNS buffer size for IPv6.
# ipv6-edns-size: 4096
# File to store pid for nsd in.
# pidfile: "/var/run/nsd/nsd.pid"
# port to answer queries on. default is 53.
# port: 53
# statistics are produced every number of seconds.
statistics: 3600
# Run NSD in a chroot-jail.
# make sure to have pidfile and database reachable from there.
# by default, no chroot-jail is used.
# chroot: "/etc/nsd3"
# After binding socket, drop user privileges.
# can be a username, id or id.gid.
# username: nsd
# The directory for zonefile: files.
# zonesdir: "/etc/nsd3"
zonesdir: "/etc/nsd/zones"
# The file where incoming zone transfers are stored.
# run nsd-patch to update zone files, then you can safely delete it.
difffile: "/var/lib/nsd/ixfr.db"
# The file where secondary zone refresh and expire timeouts are kept.
# If you delete this file, all secondary zones are forced to be
# 'refreshing' (as if nsd got a notify).
xfrdfile: "/var/lib/nsd/xfrd.state"
# Number of seconds between reloads triggered by xfrd.
xfrd-reload-timeout: 10
# Verbosity level.
verbosity: 5
# reduce rate limit from default 200 queries per second
rrl-ratelimit: 15
We are currently blocking ANY requests in our iptables:
$IPTABLES -A INPUT -p udp --dport 53 -m string --hex-string "|00ff|" --algo bm --from 40 -j DROP -m comment --comment 'Block ANY requests'
$IPTABLES -A INPUT -p tcp --dport 53 -m string --hex-string "|00ff|" --algo bm --from 40 -j DROP -m comment --comment 'Block ANY requests'
This is what we see in the log file:
nsd[30527]: info: ratelimit block somedomain.tld. type any target 123.123.123.0/24 query 123.123.123.0 TYPE255
nsd[30527]: info: ratelimit unblock somedomain.tld. type any target 123.123.123.0/24 query 123.123.132.10 TYPE255
Any ideas on how to stop these attacks are welcome.
Bas
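One way to see what the hex-string rule above actually matches, as an added example that is not part of the original post: a small Python parser that reads the question section properly to classify ANY queries, beside an emulation of the `--hex-string "|00ff|" --from 40` match, run over constructed sample queries (the EDNS cookie bytes are made up to show a false positive).

```python
import struct

def parse_question(payload: bytes):
    """Parse the first question of a DNS message (RFC 1035 wire format).
    Returns (qname, qtype, qclass); raises ValueError on a malformed question."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] == 0:
        raise ValueError("short header or no question")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a question
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels) + ".", qtype, qclass

def is_any_query(payload: bytes) -> bool:
    """True for a query (QR bit clear) whose first question is QTYPE ANY (255)."""
    if len(payload) < 12 or payload[2] & 0x80:
        return False
    return parse_question(payload)[1] == 255

def hexstring_rule_matches(payload: bytes) -> bool:
    """Emulate the iptables rule from the post: look for 00 ff anywhere from IP
    offset 40 onward, which is DNS offset 12 for a plain IPv4/UDP packet."""
    return b"\x00\xff" in payload[12:]

def build_query(qname: str, qtype: int, extra: bytes = b"") -> bytes:
    """Constructed sample query: header, one IN question, optional additional RR bytes."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if extra else 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1) + extra

# Constructed EDNS0 OPT RR carrying a COOKIE option (code 10) whose 8 random client
# cookie bytes happen to contain 00 ff: a legitimate A query the hex-string rule drops.
COOKIE_OPT = struct.pack("!HH", 10, 8) + b"\x01\x02\x00\xff\x03\x04\x05\x06"
OPT_RR = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(COOKIE_OPT)) + COOKIE_OPT

ANY_QUERY = build_query("somedomain.tld", 255)
A_QUERY = build_query("somedomain.tld", 1)
A_QUERY_WITH_COOKIE = build_query("somedomain.tld", 1, OPT_RR)
```

The hex-string match fires on the ANY query but also on the cookie-bearing A query, while the parser classifies both correctly.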