During the last couple of weeks I have been seeing a lot of messages about denied cache queries on my DNS servers. The log lines look like this (with placeholders for the date, server name, client address and port):
month day time server name named: client ip number#port number: query (cache) ‘./NS/IN’ denied
At first they looked quite innocent and I thought nothing much of them. But after a while the number of logged events grew faster and faster, so it was time to do some investigation on Google. After reading a few articles I came to the conclusion that my logs were trying to tell me that my DNS servers were being used as DNS DDoS reflectors.
So, how does this DDoS attack work? Someone on the Internet with access to a botnet configures the bots to perform DNS queries with a spoofed source IP address against a large number of DNS servers. The DNS servers that receive the queries send their answers to the spoofed IP address. Usually the number of DNS servers is quite large and the number of spoofed IP addresses is quite small. This results in a very small traffic load for each DNS server and a huge traffic load for the unfortunate owner of the spoofed IP address.
During my search on the Internet on how to solve/block such an attack on the DNS server side I came to the conclusion that the only thing to do is to block the spoofed IP addresses. Doing this manually requires a huge amount of time for reading logs and comparing IP addresses. That time is not available to me, therefore I did the following:
1: Collect the IP addresses being spoofed from the log files
2: Block those addresses with iptables (these iptables rules must be inserted before other DNS related rules)
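The two steps above, as an added worked example that is not the script from the original post: it parses the denied-cache-query lines, counts how often each client address asks for ‘./NS/IN’, and builds iptables commands for the addresses that show up repeatedly. The log lines, the addresses and the threshold of two hits are all constructed for the example; the only thing taken from the post is the message format and the requirement that the rules go in ahead of the other DNS rules (hence -I rather than -A).

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample of BIND "named" log lines (not taken from the original post).
# 192.0.2.10 plays the spoofed (victim) address that shows up again and again;
# 203.0.113.5 is an unrelated denied query that must NOT be picked up.
SAMPLE_LOG = """\
Mar 12 10:01:02 ns1 named[1234]: client 192.0.2.10#53421: query (cache) './NS/IN' denied
Mar 12 10:01:02 ns1 named[1234]: client 192.0.2.10#53422: query (cache) './NS/IN' denied
Mar 12 10:01:03 ns1 named[1234]: client 198.51.100.7#40001: query (cache) './NS/IN' denied
Mar 12 10:01:03 ns1 named[1234]: client 192.0.2.10#53423: query (cache) './NS/IN' denied
Mar 12 10:01:04 ns1 named[1234]: client 203.0.113.5#1234: query (cache) 'example.com/A/IN' denied
Mar 12 10:01:05 ns1 named[1234]: client 192.0.2.10#53424: query (cache) './NS/IN' denied
"""

# Matches the denied-cache-query line described in the post. The quotes around the
# query name may be straight or typographic depending on how the log was copied.
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query \(cache\) "
    r"['\u2018](?P<qname>[^'\u2019]*)['\u2019] denied"
)


def parse_denied_queries(log_text):
    """Yield (client_ip, query_name) for every denied cache query in the log text."""
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname")


def count_sources(log_text, qname="./NS/IN"):
    """Count how many times each client address sent the given denied query."""
    return Counter(ip for ip, q in parse_denied_queries(log_text) if q == qname)


def select_sources(counts, threshold):
    """Addresses seen at least `threshold` times, sorted for a stable rule order."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def iptables_rules(ips):
    """Build the firewall commands that drop DNS traffic from each address.

    -I (insert) puts the rule at the top of INPUT, ahead of any existing
    DNS-related ACCEPT rules, as the post requires. Each address is validated
    with ipaddress before it is placed into a command string, so a malformed
    log line can never turn into a malformed command.
    """
    rules = []
    for ip in ips:
        addr = ip_address(ip)  # raises ValueError on anything that is not an IP
        tool = "iptables" if addr.version == 4 else "ip6tables"
        rules.append(f"{tool} -I INPUT -p udp --dport 53 -s {addr} -j DROP")
    return rules


if __name__ == "__main__":
    # In real use, replace SAMPLE_LOG with the contents of the named log file.
    counts = count_sources(SAMPLE_LOG)
    for rule in iptables_rules(select_sources(counts, threshold=2)):
        print(rule)
```

Run against the sample it prints a single rule for 192.0.2.10; the one-off query from 198.51.100.7 stays below the threshold and the unrelated ‘example.com/A/IN’ denial is ignored. Keep in mind that the address being dropped is the spoofed one, i.e. the victim's, so the rule also silences any genuine queries that address would send to this server; that is the trade-off the post accepts.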