[Pdns-users] Is it possible to block all ANY queries?

Federico Olivieri lvrfrc87 at gmail.com
Thu Dec 17 10:08:28 UTC 2015


First of all, we need to have a look at the hexadecimal values of a DNS ANY
query packet. Below is an example of a DNS query for
www.facebook.com - ANY

21:45:17.159364 00:0f:34:ac:fa:49 > d0:50:99:53:f2:fc, ethertype IPv4
76: > 29319+ ANY? www.facebook.com. (34)
        0x0000:  4500 003e d702 0000 4011 36ef c0a8 0002  E..>....@.6.....
        0x0010:  ac10 0003 ac08 0035 002a 7d19 7287 0100  .......5.*}.r...
        0x0020:  0001 0000 0000 0000 0377 7777 0866 6163  .........www.fac
        0x0030:  6562 6f6f 6b03 636f 6d00 00ff 0001               ebook.com

Analyzing the hexadecimal of the trace, at the end of the packet we can
notice the value 0x00ff0001 (corresponding to "....." in ASCII) that
identifies the DNS query as type ANY. Thanks to that, iptables can analyze
each DNS query packet, identify those that are DNS queries of type
ANY, remember the source IP that sends the ANY request, and temporarily
restrict the number of DNS ANY queries for that specific IP address for a
period of time.

Let’s analyze and explain the iptables rules deployed on DNS Server:

iptables -I INPUT 4 -p udp --dport 53 -m string --hex-string "|0000ff0001|"
--algo bm -m recent --set --name dnsanyquery --rsource

iptables -I INPUT 5 -p udp --dport 53 -m string --hex-string "|0000ff0001|"
--algo bm -m recent --rcheck --seconds 60 --hitcount 5 --name dnsanyquery
--rsource -j DROP

First rule - from left to right:

*iptables -I INPUT 4* -->  configure an iptables rule on the INPUT chain and
place it at position 4 of the ACL

*-p udp --dport 53* -->  take into account UDP packets with destination port
number 53

*-m string* --> use the iptables-extension module called “string”

*--hex-string "|0000ff0001|"* --> The string to be matched inside the
packet must correspond to the hexadecimal value "0000ff0001" (which
corresponds to the ANY DNS query type in the above tcpdump trace)

*--algo bm* --> At those packets that match the above values, apply the
Boyer-Moore algorithm

*-m recent* --> Apply a second iptables-extension module called *recent*.
The recent module allows you to dynamically create a list of IP addresses and
then match against that list in a few different ways. For example, you can
create a "badguy" list out of people attempting to connect to port *xyz* on
your firewall and then DROP all future packets from them without
considering them.

*--set --name dnsanyquery* --> At those packets, apply a list named

*--rsource* --> In the *dnsanyquery* list, save the source IP address of those
packets that match the above rules

Second rule - The first part is the same as in the first rule *(iptables -I
INPUT 5 -p udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm
-m recent)*

*--rcheck* --> Check if the source address of the packet is currently in
the list (*dnsanyquery)*

*--seconds 60* -->  This will narrow the match to only happen when the
address is in the list and was seen within the last given number of seconds
(60 seconds in this rule)

*--hitcount 5* --> This will narrow the match to only happen when the
address is in the list and the number of packets received is greater than or
equal to the given value (5 hits in this rule)

*--name dnsanyquery --rsource* -->  Same meaning as in the first rule

*-j DROP* --> Drop the packets that match the values described in this
iptables rule.

Thanks to a bash script, we can convert the raw data of the *dnsanyquery* list
and find out which IP address (and when) sent more than 5 ANY queries in
less than 60 seconds.

root@banana:/etc/my_scripts# ./recent_dns.sh Sep 29 22:36:15 BST

2015-12-17 0:33 GMT+00:00 Josh Sanders <facil77 at gmail.com>:

> Hello, could you point me in the right direction with a tutorial or
> example about this?
> Thank you for your reply
> On Wed, Dec 16, 2015 at 5:11 PM, Federico Olivieri <lvrfrc87 at gmail.com>
> wrote:
>> Hi, have you tried with iptables? You can set the max ANY queries per IP
>> and track the IPs that ask for the ANY query
>> On 16 Dec 2015 22:05, "Josh Sanders" <facil77 at gmail.com> wrote:
>>> Hello,
>>> I just set up PowerDNS and it works faultlessly:
>>> pdns-static_3.4.7-1_amd64.deb
>>> But it keeps receiving 100s of ANY queries.
>>> PowerDNS/Bind Backend has zone: mydomain.com but it keeps receiving
>>> ANY queries like those:
>>> Remote xxx.xxx.xxx.xxx wants 'domainA.com|ANY', do = 0, bufsize = 1680:
>>> packetcache MISS
>>> Remote xxx.xxx.xxx.yyy wants 'domainB.com|ANY', do = 0, bufsize = 1680:
>>> packetcache MISS
>>> Remote xxx.xxx.xxx.zzz wants 'domainC.com|ANY', do = 0, bufsize = 1680:
>>> packetcache MISS
>>> Remote xxx.xxx.xxx.www wants 'domainD.com|ANY', do = 0, bufsize = 1680:
>>> packetcache MISS
>>> I know how to block those ips with fail2ban but I would not like to have
>>> 100s of iptables rules.
>>> Is there a way to block ANY queries?
>>> I mean like CloudFlare does: Please stop asking for ANY / See
>>> draft-jabley-dnsop-refuse-any
>>> Also, I tried any-to-tcp=yes but it seems not working.
>>> Thanks
>>> _______________________________________________
>>> Pdns-users mailing list
>>> Pdns-users at mailman.powerdns.com
>>> http://mailman.powerdns.com/mailman/listinfo/pdns-users
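As an added example (not part of this thread, and not code from PowerDNS or iptables), the following Python script shows what the two iptables rules above actually look at. It rebuilds the UDP payload of the www.facebook.com ANY query from the tcpdump trace in the post, parses the DNS question section to confirm that the trailing bytes are QTYPE 255 (ANY) and QCLASS 1 (IN), contrasts that with the raw substring search that `-m string --hex-string` performs, and then models the `-m recent --set` / `--rcheck --seconds 60 --hitcount 5` pair as a per-source sliding window. The source addresses (192.0.2.x), the timestamps and the A-type query are constructed sample input; the recent-list model is a simplification of xt_recent (it assumes the module's default of 20 remembered timestamps per address).

```python
"""Added example: what the ANY-query iptables rules match, and how the
recent-module window behaves. Not from the original post."""
import struct
from collections import defaultdict, deque

# UDP payload of the query from the tcpdump trace in the post
# (everything after the 20-byte IP header and 8-byte UDP header).
ANY_QUERY = bytes.fromhex(
    "7287 0100 0001 0000 0000 0000"            # ID 29319, flags, QD=1
    "0377 7777 0866 6163 6562 6f6f 6b03 636f 6d00"  # www.facebook.com
    "00ff 0001"                                 # QTYPE ANY, QCLASS IN
)
# Constructed variant: same name, but an A query (QTYPE 1, QCLASS IN).
A_QUERY = ANY_QUERY[:-4] + b"\x00\x01\x00\x01"

QTYPE_ANY = 255
IPTABLES_PATTERN = bytes.fromhex("0000ff0001")   # the --hex-string from the rules


def parse_question(payload):
    """Return (qname, qtype, qclass) of the first question in a DNS message."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    off, labels = 12, []
    while True:
        if off >= len(payload):
            raise ValueError("truncated name")
        length = payload[off]
        off += 1
        if length == 0:            # root label terminates the name
            break
        if length & 0xC0:          # compression pointers are not valid here
            raise ValueError("compression pointer in question name")
        labels.append(payload[off:off + length].decode("ascii"))
        off += length
    if off + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return ".".join(labels), qtype, qclass


def is_any_query(payload):
    """Structural check: is the first question of type ANY?"""
    return parse_question(payload)[1] == QTYPE_ANY


def substring_match(payload):
    """What `-m string --hex-string "|0000ff0001|"` does: search the whole payload."""
    return IPTABLES_PATTERN in payload


class RecentList:
    """Simplified model of an xt_recent list keyed by source address."""
    def __init__(self, seconds=60, hitcount=5, pkt_list_tot=20):
        self.seconds, self.hitcount = seconds, hitcount
        self.seen = defaultdict(lambda: deque(maxlen=pkt_list_tot))

    def set(self, src, now):
        # --set: record the source and this packet's timestamp
        self.seen[src].append(now)

    def rcheck(self, src, now):
        # --rcheck --seconds N --hitcount M: at least M timestamps within N seconds
        hits = [t for t in self.seen.get(src, ()) if now - t <= self.seconds]
        return len(hits) >= self.hitcount


def simulate(packets, seconds=60, hitcount=5):
    """Run (time, src, payload) tuples through rule 4 then rule 5; return drops."""
    rl, dropped = RecentList(seconds, hitcount), []
    for now, src, payload in sorted(packets, key=lambda p: p[0]):
        if not substring_match(payload):
            continue                  # both rules require the string match
        rl.set(src, now)              # rule 4: --set
        if rl.rcheck(src, now):       # rule 5: --rcheck ... -j DROP
            dropped.append((now, src))
    return dropped


# Constructed traffic: a burst, a slow sender, and an unrelated A query.
SAMPLE_PACKETS = [
    *[(t, "192.0.2.10", ANY_QUERY) for t in (0, 5, 10, 15, 20, 25)],  # 6 ANY in 25 s
    *[(t, "192.0.2.20", ANY_QUERY) for t in (0, 30, 60, 90, 120)],    # 5 ANY over 120 s
    (3, "192.0.2.30", A_QUERY),
]


def run_sample():
    return simulate(SAMPLE_PACKETS)


if __name__ == "__main__":
    print(parse_question(ANY_QUERY))   # ('www.facebook.com', 255, 1)
    print(run_sample())                # drops start at the 5th ANY within 60 s
```

Parsing the question shows that the five matched bytes are the name terminator, QTYPE 255 and QCLASS 1, so the rule is effectively "ANY in class IN"; and because it is written with `-p udp`, ANY queries that arrive over TCP (the path `any-to-tcp=yes` steers clients to) are not touched by it. The simulation also makes the counting explicit: with `--set` placed before `--rcheck`, the fifth ANY query from one source inside a 60-second window is the first one dropped, while the same number of queries spread over two minutes never reaches the hitcount.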