How To Block DNS Attack

[WendyW]

My network is getting hammered with requests from hundreds (or thousands) of different IPs requesting DNS for packetdevil.com. Is there a way to use PF to stop based on a domain? Any suggestions would be appreciated!

I do host a few sites, so I need DNS turned on. Recursion is off, but there are just so many requests coming through for that domain that I'd like to drop them at the router, before they hit the name server.

 

[ShelLuser]

Not that I know of, but I have to wonder how all those requests manage to end up on your server in the first place. It almost sounds like a DNS amplification based attack to me and there are better ways to solve those. First of all I have to wonder if recursion is really turned off and if you also tested this from a remote location?

Alas; administering a DNS server myself I have read stories about such attacks. One of the easiest ways to solve this would be to add the packetdevil.com zone to your own DNS server while making sure it's an empty zone. That will immediately nullify the requests since the outcome will fail (due to the zone being empty).

It's not perfect, it will still tax your server, but it will most likely be a lot less than before. You might also want to create an entry in your /etc/hosts file.

I'd also combine this with a logging channel after which you could use an IDS or logchecker to periodically go over those logs and then add any IP address to your firewall to block them off for good.

Not the answer you're looking for but I hope it can still help.

 

[deflected]

Hi @WendyW,

You can try with RRL. :stud https://kb.isc.org/article/AA-01000

BR