Blocking bogus DNS requests?

Discussion in 'Installation/Configuration' started by TonyG, Nov 12, 2020.

  1. TonyG

    TonyG Active Member

    I am getting a lot of DNS requests like this, every few milliseconds:
    12-Nov-2020 11:02:11.273 query-errors: info: client @0x7fed3c005910 query failed (REFUSED) for at query.c:5425
    Note the tell-tale "qwerty". Other than pure abuse, I don't know what anyone seeks to gain with queries like that.

    I'd like to block these requests to reduce some DNS load. I think these are UDP requests so the IP address may be spoofed. Is there a way to use Fail2Ban or another tool to catch these requests before they get processed by named/BIND? Or, is the fact that the query was REFUSED an indicator that there is already code that's in place to block this stuff? I just don't want more resources than necessary to be consumed. I'd block the traffic outside of the server if I could. Would DNS RPZ be a solution for this?

    I have two systems providing DNS in this ISPConfig installation, my primary ISPConfig server is the primary DNS and the secondary DNS is another smaller box that isn't hosting anything else. Would it reduce the load on the ISPConfig controller if I make it the secondary DNS? I don't think so.

  2. Jesse Norell

    Jesse Norell, ISPConfig Developer, Staff Member

    Nothing, it is pure abuse, part of someone's ddos campaign. Ensure you have a new enough bind server which can rate limit replies to those.
  3. TonyG

    TonyG Active Member

    I'm running the latest BIND9. Didn't think about rate limiting - thanks for that. I've been focused on existing and new Fail2Ban rules to catch them after the fact.

    BTW, I haven't yet published my ISPConfig API stuff but development has been intense. While I'm battling the bad guys I published a little project, comments welcome:
    Essentially it's a CLI post-processor to ban the bad guys that I haven't caught yet with other tools - and that includes these DDOS guys.
  4. Jesse Norell

    Jesse Norell, ISPConfig Developer, Staff Member

    If your dns servers are being used in a ddos, your logs are showing the ip addrs of victims, you can't tell who the attackers are, nor block them. They could potentially make legitimate dns requests as well, so blocking them would add to their pains. Afaik, rate limiting replies is the best way to handle it, but I'd be interested in other solutions you come up with.
  5. TonyG

    TonyG Active Member

    OK, thanks. I'll pursue this and get back to this thread later.
    BIND has an excellent extensive system for defining each message type and how to handle it. So the first thing I've done is to separate all message types into different files. It's easier to filter through different topics of interest when they're not mixed up with other details.
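    The two measures discussed in this thread, BIND's response rate limiting (so spoofed-source floods are answered with truncated or dropped replies instead of full responses) and sending each log category to its own file, put together as a named.conf fragment. This is an added illustration, not configuration posted by anyone in the thread; the file paths, channel names and numeric thresholds are assumptions to adapt to your own server.

```conf
// Added example (not from the thread): BIND 9.10+ named.conf fragment.
// Paths, channel names and thresholds below are assumptions.
options {
    directory "/var/cache/bind";
    recursion no;                  // authoritative only: outsiders get REFUSED for recursion
    allow-transfer { none; };      // zone transfers only from explicitly listed secondaries

    // Response Rate Limiting: limits identical answers per client /24 (IPv4) or /56 (IPv6).
    rate-limit {
        responses-per-second 10;   // identical positive answers to one client block per second
        errors-per-second 5;       // REFUSED / SERVFAIL / FORMERR style answers
        nxdomains-per-second 5;    // NXDOMAIN answers (random-label floods like "qwerty...")
        window 5;                  // seconds over which the credit is accumulated
        slip 2;                    // every 2nd suppressed reply is sent truncated, so real
                                   // clients retry over TCP while spoofed ones get nothing
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        log-only no;               // set to yes first to observe what would be dropped
    };
};

// One channel per log category, so query errors and rate-limit events can be
// inspected (or fed to a post-processor) without the rest of the noise.
logging {
    channel query_errors_log {
        file "/var/log/named/query-errors.log" versions 5 size 20m;
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel rate_limit_log {
        file "/var/log/named/rate-limit.log" versions 5 size 20m;
        severity info;
        print-time yes;
    };
    category query-errors { query_errors_log; };
    category rate-limit   { rate_limit_log; };
};
```

With log-only yes you can check the rate-limit log for a day to confirm only the flood is being suppressed before switching enforcement on; the dropped or slipped replies never reach the spoofed victim addresses, which is what makes the server a poor amplifier.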
