[dnsdist] rules to block dns tunneling traffic from iodine, dnscat2, ...
Aleš Rygl
ales at rygl.net
Sun Oct 29 19:22:31 UTC 2023
Hi Denis,
Thanks a lot for sharing your rules! See some comments below.
On 05. 07. 23 10:19, Denis MACHARD via dnsdist wrote:
> -- Update the dynamic blocks with refused reply by default
> setDynBlocksAction(DNSAction.Refused)
>
I was using DNSAction.Refused as well, later on I moved to
DNSAction.Drop. There is no need to answer anyway if nobody expects an
answer. In case you have a firewall box between clients and dnsdist you
can make the situation even worse by exhausting its resources (connection
tracking) very easily. This is our experience.
> -- Rate exceeded detection with automatic ip blacklisting during 60s
> -- * max 5req/s during 5s for TXT, CNAME and MX
> -- * max bw to 1000bytes/s during 5s
> local dbr = dynBlockRulesGroup()
> dbr:setQTypeRate(DNSQType.TXT, 5, 5, "Exceeded TXT rate", 60)
> dbr:setQTypeRate(DNSQType.CNAME, 5, 5, "Exceeded CNAME rate", 60)
> dbr:setQTypeRate(DNSQType.MX, 5, 5, "Exceeded MX rate", 60)
> dbr:setResponseByteRate(1000, 5, "Exceeded resp BW rate", 60)
>
A question - what is the reason to limit CNAME queries?
I would suggest adding:
dbr:setQTypeRate(DNSQType.ANY, 3, 60, "Exceeded ANY rate", 300)
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 5, 60, "Exceeded NXD rate", 300)
dbr:setRCodeRate(DNSRCode.SERVFAIL, 3, 60, "Exceeded ServFail rate", 300)
Queries generating SERVFAIL responses can be very harmful to your
backend resolvers. If someone tries too much, resulting in NXDOMAIN,
it usually means something bad. And ANY queries are used for attacks as
well. The thresholds should be adjusted according to your needs.
Regards
Ales
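As an added illustration (not code from the thread or from dnsdist itself), the following Python model shows how the rate, window and block-duration arguments of the rules discussed above interact: a client is blocked for block_duration seconds once it produces more than rate * seconds matching events inside the last `seconds`, and the block simply expires afterwards. The query events, client addresses and the threshold semantics are assumptions made for the demo.

```python
from collections import Counter

# Constructed query events for the demo: (seconds since start, client, qtype, rcode).
# These are made up here, not taken from the mailing-list thread.
EVENTS = (
    [(0.1 * i, "10.0.0.7", "TXT", "NOERROR") for i in range(40)]  # 40 TXT in 4 s, tunnel-like
    + [(float(i), "10.0.0.8", "A", "NXDOMAIN") for i in range(6)]  # a few typos: 6 NXDOMAIN
    + [(float(i), "10.0.0.9", "A", "NOERROR") for i in range(20)]  # ordinary client
)


class DynBlockRules:
    """Model of dynBlockRulesGroup(): a client is blocked for block_duration seconds once
    it has produced more than rate * seconds matching events inside the last `seconds`
    (assumed simplification of how dnsdist evaluates these rules)."""

    def __init__(self):
        self.rules = []   # (predicate, rate, seconds, reason, block_duration)
        self.blocks = {}  # client -> (reason, expiry timestamp)

    def set_qtype_rate(self, qtype, rate, seconds, reason, block_duration):
        self.rules.append((lambda e: e[2] == qtype, rate, seconds, reason, block_duration))

    def set_rcode_rate(self, rcode, rate, seconds, reason, block_duration):
        self.rules.append((lambda e: e[3] == rcode, rate, seconds, reason, block_duration))

    def apply(self, events, now):
        """Counterpart of dbr:apply(): expire old blocks, then evaluate every rule."""
        self.blocks = {c: b for c, b in self.blocks.items() if b[1] > now}
        for match, rate, seconds, reason, duration in self.rules:
            recent = [e for e in events if match(e) and now - seconds <= e[0] <= now]
            for client, count in Counter(e[1] for e in recent).items():
                if count > rate * seconds and client not in self.blocks:
                    self.blocks[client] = (reason, now + duration)
        return dict(self.blocks)

    def is_blocked(self, client, now):
        entry = self.blocks.get(client)
        return entry is not None and entry[1] > now


def demo():
    dbr = DynBlockRules()
    dbr.set_qtype_rate("TXT", 5, 5, "Exceeded TXT rate", 60)        # rule from the thread
    dbr.set_rcode_rate("NXDOMAIN", 5, 60, "Exceeded NXD rate", 300)  # rule from the reply
    first = dbr.apply(EVENTS, now=5.0)   # the TXT burst (40 > 5*5) trips the first rule only
    later = dbr.apply(EVENTS, now=70.0)  # the 60 s block has expired and the window is quiet
    return first, later


if __name__ == "__main__":
    print(demo())
```

Note that 6 NXDOMAIN answers in a minute stay far below 5 req/s * 60 s, so that client is never listed; the "rate" argument is averaged over the whole window, which is why the threshold values matter so much.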