I am getting a lot of DNS requests like this, every few milliseconds : Code: 12-Nov-2020 11:02:11.273 query-errors: info: client @0x7fed3c005910 45.45.45.45#30053 (10171196235dot2dot11130302dot107dot180dot238dot54q1w2e3rty.henu.edu.cn): query failed (REFUSED) for 10171196235dot2dot11130302dot107dot180dot238dot54q1w2e3rty.henu.edu.cn/IN/A at query.c:5425 Note the tell-tale "qwerty". Other than pure abuse, I don't know what anyone seeks to gain with queries like that. I'd like to block these requests to reduce some DNS load. I think these are UDP requests so the IP address may be spoofed. Is there a way to use Fail2Ban or another tool to catch these requests before they get processed by named/BIND? Or, is the fact that the query was REFUSED an indicator that there is already code that's in place to block this stuff? I just don't want more resources than necessary to be consumed. I'd block the traffic outside of the server if I could. Would DNS RPZ be a solution for this? I have two systems providing DNS in this ISPConfig installation, my primary ISPConfig server is the primary DNS and the secondary DNS is another smaller box that isn't hosting anything else. Would it reduce the load on the ISPConfig controller if I make it the secondary DNS? I don't think so. Thanks!
Nothing, it is pure abuse, part of someone's ddos campaign. Ensure you have a new enough bind server which can rate limit replies to those.
I'm running the latest BIND9. Didn't think about rate limiting - thanks for that. I've been focused on existing and new Fail2Ban rules to catch them after the fact. BTW, I haven't yet published my ISPConfig API stuff but development has been intense. While I'm battling the bad guys I published a little project, comments welcome: https://github.com/TonyGravagno/ban-the-bad Essentially it's a CLI post-processor to ban the bad guys that I haven't caught yet with other tools - and that includes these DDOS guys.
If your dns servers are being used in a ddos, your logs are showing the ip addrs of victims, you can't tell who the attackers are, not block them. They could potentially make legitimate dns requests as well, so blocking them would add to their pains. Afaik, rate limiting replies is the best way to handle it, but I'd be interested in other solutions you come up with.
OK, thanks. I'll pursue this and get back to this thread later. BIND has an excellent extensive system for defining each message type and how to handle it. So the first thing I've done is to separate all message types into different files. It's easier to filter through different topics of interest when they're not mixed up with other details.
