[dnsdist] rules to block dns tunneling trafic from iodine, dnscat2, ...

Aleš Rygl ales at rygl.net
Sun Oct 29 19:22:31 UTC 2023

Hi Denis,

Thanks a lot for sharing your rules! See some comments below.

On 05. 07. 23 10:19, Denis MACHARD via dnsdist wrote:
> -- Update the dynamic blocks with refused reply by default
> setDynBlocksAction(DNSAction.Refused)
I was using DNSAction.Refused as well, later on I moved to 
DNSAction.Drop. There is no need to answer any way if nobody expects an 
answer. In case you have a firewall box between clients and dnsdist you 
can make the sitution even worse exhausting it's resources (connection 
tracking) very easy. This is our experience.

> -- Rate exceeded detection with automatic ip blacklisting during 60s
> --  * max 5req/s during 5s for TXT, CNAME and MX
> --  * max bw to 1000bytes/s during 5s
> local dbr = dynBlockRulesGroup()
> dbr:setQTypeRate(DNSQType.TXT, 5, 5, "Exceeded TXT rate", 60)
> dbr:setQTypeRate(DNSQType.CNAME, 5, 5, "Exceeded CNAME rate", 60)
> dbr:setQTypeRate(DNSQType.MX, 5, 5, "Exceeded MX rate", 60)
> dbr:setResponseByteRate(1000, 5, "Exceeded resp BW rate", 60)
A question - what is the reason to limit CNAME queries?

I would suggest to add:

     dbr:setQTypeRate(DNSQType.ANY, 3, 60, "Exceeded ANY rate", 300)
     dbr:setRCodeRate(DNSRCode.NXDOMAIN, 5, 60, "Exceeded NXD rate", 300)
     dbr:setRCodeRate(DNSRCode.SERVFAIL, 3, 60, "Exceeded ServFail 
rate", 300)

Queries generating SERVFAIL responses can be very harmful to your 
backend resolvers. If someone tries too much resulting into NXDOMAIN 
usually it means something bad. And ANY queries are used for attacks as 
well. The thresholds should be adjusted according to your needs.



More information about the dnsdist mailing list