Hi all,

We have great problems: we are under a DNS amplification attack on one of our zones. Is there a way to block the ANY request type?

server:
	# uncomment to specify specific interfaces to bind (default wildcard interface).
	# ip-address: 1.2.3.4
	# ip-address: 1.2.3.4@5678
	# ip-address: 12fe::8ef0

	# don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
	hide-version: yes

	# enable debug mode, does not fork daemon process into the background.
	# debug-mode: no

	# listen only on IPv4 connections
	# ip4-only: no

	# listen only on IPv6 connections
	# ip6-only: no

	# the database to use
	database: "/var/lib/nsd/nsd.db"

	# identify the server (CH TXT ID.SERVER entry).
	identity: "ns1.somedomain.tld"

	# NSID identity (hex string). default disabled.
	# nsid: "aabbccdd"

	# log messages to file. Default to stderr and syslog (with facility LOG_DAEMON).
	logfile: "/var/log/nsd.log"

	# Number of NSD servers to fork.
	# server-count: 1

	# Maximum number of concurrent TCP connections per server.
	# This option should have a value below 1000.
	tcp-count: 1000

	# Maximum number of queries served on a single TCP connection.
	# By default 0, which means no maximum.
	# tcp-query-count: 0

	# Override the default (120 seconds) TCP timeout.
	# tcp-timeout: 120

	# Preferred EDNS buffer size for IPv4.
	# ipv4-edns-size: 4096

	# Preferred EDNS buffer size for IPv6.
	# ipv6-edns-size: 4096

	# File to store pid for nsd in.
	# pidfile: "/var/run/nsd/nsd.pid"

	# port to answer queries on. default is 53.
	# port: 53

	# statistics are produced every number of seconds.
	statistics: 3600

	# Run NSD in a chroot-jail.
	# make sure to have pidfile and database reachable from there.
	# by default, no chroot-jail is used.
	# chroot: "/etc/nsd3"

	# After binding socket, drop user privileges.
	# can be a username, id or id.gid.
	# username: nsd

	# The directory for zonefile: files.
	# zonesdir: "/etc/nsd3"
	zonesdir: "/etc/nsd/zones"

	# The file where incoming zone transfers are stored.
	# run nsd-patch to update zone files, then you can safely delete it.
	difffile: "/var/lib/nsd/ixfr.db"

	# The file where secondary zone refresh and expire timeouts are kept.
	# If you delete this file, all secondary zones are forced to be
	# 'refreshing' (as if nsd got a notify).
	xfrdfile: "/var/lib/nsd/xfrd.state"

	# Number of seconds between reloads triggered by xfrd.
	xfrd-reload-timeout: 10

	# Verbosity level.
	verbosity: 5

	# reduce rate limit from default 200 queries per second
	rrl-ratelimit: 15

We are currently blocking the ANY requests in our iptables:

$IPTABLES -A INPUT -p udp --dport 53 -m string --hex-string "|00ff|" --algo bm --from 40 -j DROP -m comment --comment 'Block ANY requests'
$IPTABLES -A INPUT -p tcp --dport 53 -m string --hex-string "|00ff|" --algo bm --from 40 -j DROP -m comment --comment 'Block ANY requests'

This is what we see in the log file:

nsd[30527]: info: ratelimit block somedomain.tld. type any target 123.123.123.0/24 query 123.123.123.0 TYPE255
nsd[30527]: info: ratelimit unblock somedomain.tld. type any target 123.123.123.0/24 query 123.123.132.10 TYPE255

Any idea how to stop these attacks is welcome.

Bas
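As an added example (not part of Bas's post, nor NSD or iptables code), the check below reads the QTYPE from the question section of a DNS query instead of matching the bytes 00 ff anywhere after offset 40, and models the iptables rule from the post beside it to show where the two disagree: the hex-string rule also fires on a class-ANY query (QCLASS 255) or on a QNAME label that happens to contain those bytes, while the parser only reports TYPE255. It assumes IPv4 without options over UDP, so that --from 40 (20-byte IP header plus 8-byte UDP header) lands at DNS offset 12; the sample queries are constructed inline.

```python
import struct

QTYPE_ANY = 255    # TYPE255 in the nsd ratelimit log lines
QCLASS_ANY = 255

def build_query(name, qtype, qclass=1, txid=0x1234):
    """Build a minimal DNS query without EDNS (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)

def question_qtype(dns):
    """Return the QTYPE of the first question, read from its true offset.

    Walks the 12-byte header and the length-prefixed QNAME labels, so the
    result does not depend on where the bytes 00 ff happen to appear.
    Raises ValueError on anything truncated, malformed or not a query.
    """
    if len(dns) < 12:
        raise ValueError("shorter than a DNS header")
    _, flags, qdcount = struct.unpack_from("!HHH", dns, 0)
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query with a question section")
    pos = 12
    while True:
        if pos >= len(dns):
            raise ValueError("truncated QNAME")
        length = dns[pos]
        pos += 1
        if length == 0:            # root label terminates the name
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question QNAME")
        pos += length
    if pos + 4 > len(dns):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack_from("!HH", dns, pos)
    return qtype

def is_any_query(dns):
    return question_qtype(dns) == QTYPE_ANY

def hexstring_rule_matches(dns):
    """Model of: -m string --hex-string "|00ff|" --algo bm --from 40.

    Assumption: --from counts from the start of the IPv4 packet, so with a
    20-byte IPv4 header and 8-byte UDP header offset 40 is DNS offset 12.
    """
    return dns.find(b"\x00\xff", 40 - 28) != -1
```

The same ambiguity applies to the TCP rule in the post, where the match is also evaluated per segment rather than per DNS message.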