<div dir="ltr">Sure,<div><br><p class="MsoNormal"><span lang="EN-US">First of
all, we need to have a look at the hexadecimal values of a DNS ANY query
packet. Below is an example of a DNS query for <a href="http://www.facebook.com">www.facebook.com</a> -
ANY </span></p>
<p class="MsoNormal" style="margin-bottom:6pt"><span lang="EN-US" style="font-size:9pt;line-height:115%;color:rgb(51,51,51)">21:45:17.159364 00:0f:34:ac:fa:49 >
d0:50:99:53:f2:fc, ethertype IPv4 (0x0800), length
76: 192.168.0.2.44040 > 172.16.0.3.53: 29319+ <span style="background:yellow">ANY? <a href="http://www.facebook.com">www.facebook.com</a>.</span> (34)</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:9pt;line-height:115%;color:rgb(51,51,51)">
0x0000: 4500 003e d702 0000 4011
36ef c0a8 0002 E..>....@.6.....</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:9pt;line-height:115%;color:rgb(51,51,51)">
0x0010: ac10 0003 ac08 0035 002a
7d19 7287 0100 .......5.*}.r...</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:9pt;line-height:115%;color:rgb(51,51,51)">
0x0020: 0001 0000 0000 0000 0377
7777 0866 6163 .........www.fac</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:9pt;line-height:115%;color:rgb(51,51,51)">
0x0030: 6562 6f6f 6b03 636f 6d00 <span style="background:yellow">00ff 0001</span> ebook.com<span style="background:yellow">.....</span></span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:9pt;line-height:115%;color:rgb(51,51,51)"><span style="background:yellow"><br></span></span></p>
<p class="MsoNormal"><span lang="EN-US">Analyzing the hexadecimal of the trace, at the
end of the packet we can notice the
value 0x00ff0001 (corresponding to “</span><span lang="EN-US" style="font-size:9pt;line-height:115%;color:rgb(51,51,51)">.....</span><span lang="EN-US">”</span><span lang="EN-US" style="font-size:9pt;line-height:115%;color:rgb(51,51,51)"> </span><span lang="EN-US">in ASCII) that identifies the DNS query
as type ANY. Thanks to that, iptables can analyze each DNS query packet,
identify those that are DNS queries of type ANY, keep memory of the source
IP that sends the ANY request, and temporarily restrict the number of DNS ANY
queries for that specific IP address for a period of time. </span></p>
<p class="MsoNormal"><span lang="EN-US">Let’s analyze and explain the iptables rules
deployed on the DNS server:</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;line-height:115%;color:rgb(51,51,51)">iptables -I </span><span lang="EN-US" style="font-size:9pt;line-height:115%">INPUT 4 -p udp --dport 53 -m
string --hex-string<span style="color:rgb(51,51,51)"> "|0000ff0001|" --algo
bm -m recent --set --name dnsanyquery --rsource</span></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9pt;line-height:115%;color:rgb(51,51,51)">iptables -I INPUT 5 -p udp --dport 53 -m string
--hex-string "|0000ff0001|" --algo bm -m recent --rcheck --seconds 60
--hitcount 5 --name dnsanyquery --rsource -j DROP</span></p>
<p class="MsoNormal"><span lang="EN-US">First rule - from left to right:</span></p>
<p class="MsoNormal" style="margin-bottom:6pt"><i><span lang="EN-US">iptables -I INPUT 4</span></i><span lang="EN-US"> --> configure an iptables rule on the INPUT chain and
place it at position 4 of the ACL</span></p>
<p class="MsoNormal" style="margin-bottom:6pt"><span lang="EN-US">-<i>p udp
--dport 53</i> --> take into account UDP
packets with destination port number 53</span></p>
<p class="MsoNormal" style="margin-bottom:6pt"><i><span lang="EN-US">-m string</span></i><span lang="EN-US"> --> use the iptables-extension
module called “string” </span></p>
<p class="MsoNormal" style="margin:6pt 0cm 0.0001pt 5cm"><i><span lang="EN-US">--hex-string "|0000ff0001|" </span></i><span lang="EN-US">--> The string to be matched inside the
packet must correspond to the hexadecimal value “0000ff0001” (which
corresponds to the ANY DNS query type in the above tcpdump trace)</span></p>
<p class="MsoNormal" style="margin:6pt 0cm 0.0001pt"><i><span lang="EN-US">--algo bm</span></i><span lang="EN-US"> --> To those packets that match
the above values, apply the Boyer-Moore algorithm </span></p>
<p class="MsoNormal" style="margin:6pt 0cm 0.0001pt 63.8pt"><i><span lang="EN-US">-m recent</span></i><span lang="EN-US" style="font-size:9pt;line-height:115%;color:rgb(51,51,51)"> </span><span lang="EN-US">--> Apply a second iptables-extension
module called <i>recent</i>. The recent module allows you
to dynamically create a list of IP addresses and then match against that list
in a few different ways. For example, you can create a "badguy" list
out of people attempting to connect to port <i>xyz</i>
on your firewall and then DROP all future packets from them without considering
them.</span></p>
<p class="MsoNormal" style="margin:6pt 0cm 0.0001pt"><i><span lang="EN-US">--set --name dnsanyquery</span></i><span lang="EN-US" style="font-size:9pt;line-height:115%;color:rgb(51,51,51)"> </span><span lang="EN-US">--> To those packets, apply a list named <i>dnsanyquery</i></span></p>
<p class="MsoNormal" style="margin:6pt 0cm 0.0001pt"><i><span lang="EN-US">--rsource </span></i><span lang="EN-US">--> In the <i>dnsanyquery </i>list, save the source IP address of those packets that
match the above rules </span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">Second rule – The first part is the
same as in the first rule <i>(iptables -I INPUT
5 -p udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm
-m recent)</i></span></p>
<p class="MsoNormal"><i><span lang="EN-US">--rcheck</span></i><span lang="EN-US" style="font-size:9pt;line-height:115%;color:rgb(51,51,51)"> -</span><span lang="EN-US">-> Check if the source address of the packet is currently in the list
(<i>dnsanyquery)</i></span></p>
<p class="MsoNormal" style="margin-left:70.9pt"><i><span lang="EN-US">--seconds 60 </span></i><span lang="EN-US">->
</span><span class=""><span lang="EN-US" style="font-size:13.5pt;line-height:115%;color:black"> </span></span><span lang="EN-US">This will narrow the match to only
happen when the address is in the list and was seen within the last given
number of seconds (60 seconds in this rule)</span></p>
<p class="MsoNormal" style="margin-left:63.8pt"><i><span lang="EN-US">--hitcount 5 </span></i><span lang="EN-US">->
This will narrow the match to only happen when the address is in the list and
packets had been received greater than or equal to the given value (5 hits in
this rule)</span></p>
<p class="MsoNormal" style="margin-left:63.8pt"><i><span lang="EN-US">--name dnsanyquery --rsource </span></i><span lang="EN-US">-> <i> </i>Same meaning as in the first rule<i></i></span></p>
<p class="MsoNormal" style="margin-left:63.8pt"><i><span lang="EN-US">-j DROP </span></i><span lang="EN-US">->
Drop the packets that match the value described in this iptables rule.<i></i></span></p>
<p class="MsoNormal"><span lang="EN-US">Thanks to a bash script, we can
convert the raw data of the <i>dnsanyquery </i>list
and find out which IP address (and when) sent more than 5 ANY queries in less
than 60 seconds</span></p>
<p class="MsoNormal"><span lang="EN-US">root@banana:/etc/my_scripts#
./recent_dns.sh</span></p>
<p class="MsoNormal"><span lang="EN-US">192.168.0.2........................................Tue
Sep 29 22:36:15 BST 2015</span></p></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-12-17 0:33 GMT+00:00 Josh Sanders <span dir="ltr"><<a href="mailto:facil77@gmail.com" target="_blank">facil77@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hello, could you point me in the right direction with a tutorial or example about this?<br></div>Thank you for your reply<br><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Dec 16, 2015 at 5:11 PM, Federico Olivieri <span dir="ltr"><<a href="mailto:lvrfrc87@gmail.com" target="_blank">lvrfrc87@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">Hi, have you tried with iptables? You can set the max ANY queries for IP and track the IP that asks for the ANY query</p>
<div class="gmail_quote"><div><div>On 16 Dec 2015 22:05, "Josh Sanders" <<a href="mailto:facil77@gmail.com" target="_blank">facil77@gmail.com</a>> wrote:<br type="attribution"></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr">Hello,<br><br>I just set up PowerDNS and it works faultlessly: pdns-static_3.4.7-1_amd64.deb<br><br>But It keeps receiving 100s of ANY queries.<br><br>PowerDNS/Bind Backend has zone: <a href="http://mydomain.com" target="_blank">mydomain.com</a> but It keeps receiving ANY queries like those:<br><br>Remote xxx.xxx.xxx.xxx wants 'domainA.com|ANY', do = 0, bufsize = 1680: packetcache MISS<br>Remote xxx.xxx.xxx.yyy wants 'domainB.com|ANY', do = 0, bufsize = 1680: packetcache MISS<br>Remote xxx.xxx.xxx.zzz wants 'domainC.com|ANY', do = 0, bufsize = 1680: packetcache MISS<br>Remote xxx.xxx.xxx.www wants 'domainD.com|ANY', do = 0, bufsize = 1680: packetcache MISS<br><br>I know how to block those ips with fail2ban but I would not like to have 100s of iptables rules.<br><br>Is there a way to block ANY queries? <br><br>I mean like CloudFlare does: Please stop asking for ANY / See draft-jabley-dnsop-refuse-any<br><br>Also, I tried any-to-tcp=yes but it seems not working.<br><br>Thanks<br></div>
<br></div></div>_______________________________________________<br>
Pdns-users mailing list<br>
<a href="mailto:Pdns-users@mailman.powerdns.com" target="_blank">Pdns-users@mailman.powerdns.com</a><br>
<a href="http://mailman.powerdns.com/mailman/listinfo/pdns-users" target="_blank">http://mailman.powerdns.com/mailman/listinfo/pdns-users</a><br>
<br></blockquote></div>
</blockquote></div><br></div></div></div></div>
</blockquote></div><br></div>
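<p>Added example, not part of the original messages: a Python sketch that parses the DNS payload from the tcpdump trace above to show that the matched bytes 0000ff0001 are the root label of the name followed by QTYPE 255 and QCLASS 1, and that models how the two <i>recent</i> rules treat a burst of ANY queries from one source. The names parse_question, RecentList and simulate are made up for this illustration, and the 20-stamp cap assumes xt_recent's default ip_pkt_list_tot.</p>

```python
import struct
from collections import defaultdict, deque

# DNS payload (34 bytes) of the query in the tcpdump trace above, IP/UDP headers removed.
QUERY = bytes.fromhex(
    "728701000001000000000000"                  # header: ID 0x7287, RD, QDCOUNT=1
    "03777777" "0866616365626f6f6b" "03636f6d"  # labels: www, facebook, com
    "00" "00ff" "0001")                         # root label, QTYPE=255 (ANY), QCLASS=1 (IN)
PATTERN = bytes.fromhex("0000ff0001")           # the --hex-string value from the rules

def parse_question(payload):
    """Return (qname, qtype, qclass, root_offset) for the first question."""
    pos, labels = 12, []                        # the question follows the 12-byte header
    while payload[pos] != 0:
        length = payload[pos]
        if length & 0xC0:                       # this sketch does not follow compression pointers
            raise ValueError("unexpected label type in question name")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, qclass = struct.unpack_from("!HH", payload, pos + 1)
    return ".".join(labels), qtype, qclass, pos

class RecentList:
    """Model of rule 4 (--set) followed by rule 5 (--rcheck --seconds --hitcount).

    "PASS" means the packet continues to the rules after position 5.
    """
    def __init__(self, seconds=60, hitcount=5, max_stamps=20):
        self.seconds, self.hitcount = seconds, hitcount
        # Assumption: 20 mirrors xt_recent's default ip_pkt_list_tot.
        self.stamps = defaultdict(lambda: deque(maxlen=max_stamps))

    def verdict(self, src, now, payload):
        if PATTERN not in payload:              # -m string searches the whole packet
            return "PASS"
        self.stamps[src].append(now)            # rule 4 records the hit before rule 5 decides
        hits = sum(1 for t in self.stamps[src] if now - t <= self.seconds)
        return "DROP" if hits >= self.hitcount else "PASS"

def simulate(times, src="192.168.0.2", payload=QUERY):
    """Verdicts for the same query sent by one source at the given times (seconds)."""
    table = RecentList()
    return [table.verdict(src, t, payload) for t in times]

if __name__ == "__main__":
    print(parse_question(QUERY), QUERY.find(PATTERN))
    print(simulate([0, 10, 20, 30, 40, 50, 120]))
```

<p>Because the --set rule sits before the --rcheck rule, the fifth ANY query inside 60 seconds is the first one dropped, and dropped queries still refresh the list entry for that source.</p>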