[Pdns-users] Is it possible to block all ANY queries?

Federico Olivieri lvrfrc87 at gmail.com
Fri Dec 18 14:24:05 UTC 2015


Hi Josh,

The README is everything that I have used so far

https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md

for easy load balancing you can do *dnsdist my.first.server.here
my.second.server.here --daemon*

Federico

2015-12-18 2:53 GMT+00:00 Josh Sanders <facil77 at gmail.com>:

> THANK YOU VERY MUCH! Federico. I will test them.
>
> I read your email about dnsdist.
> I would like to use it as a load balancer between master/slave.
>
> Could you please recommend me a tutorial for dnsdist?
>
> Thanks again and have a nice day!
>
> Josh
>
> On Thu, Dec 17, 2015 at 4:08 AM, Federico Olivieri <lvrfrc87 at gmail.com>
> wrote:
>
>> Sure,
>>
>> First of all, we need to have a look at the hexadecimal values of a DNS
>> ANY query packet. Below is an example of a DNS query for
>> www.facebook.com - ANY
>>
>> 21:45:17.159364 00:0f:34:ac:fa:49 > d0:50:99:53:f2:fc, ethertype IPv4 (0x0800), length 76: 192.168.0.2.44040 > 172.16.0.3.53: 29319+ ANY? www.facebook.com. (34)
>>         0x0000:  4500 003e d702 0000 4011 36ef c0a8 0002  E..>....@.6.....
>>         0x0010:  ac10 0003 ac08 0035 002a 7d19 7287 0100  .......5.*}.r...
>>         0x0020:  0001 0000 0000 0000 0377 7777 0866 6163  .........www.fac
>>         0x0030:  6562 6f6f 6b03 636f 6d00 00ff 0001       ebook.com.....
>>
>>
>> Analyzing the hexadecimal of the trace, at the end of the packet we can
>> notice the value 0x00ff0001 (corresponding to "....." in ASCII) that
>> identifies the DNS query as type ANY. Thanks to that, iptables can analyze
>> each DNS query packet, identify those that are DNS queries of type ANY,
>> remember the source IP that sent the ANY request, and temporarily
>> restrict the number of DNS ANY queries from that specific IP address for a
>> period of time.
>>
>> Let's analyze and explain the iptables rules deployed on the DNS server:
>>
>> iptables -I INPUT 4 -p udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm -m recent --set --name dnsanyquery --rsource
>>
>> iptables -I INPUT 5 -p udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm -m recent --rcheck --seconds 60 --hitcount 5 --name dnsanyquery --rsource -j DROP
>>
>> First rule - from left to right:
>>
>> *iptables -I INPUT 4* --> configure an iptables rule on the INPUT chain
>> and place it at position 4 of the ACL
>>
>> *-p udp --dport 53* --> take into account UDP packets with destination port
>> number 53
>>
>> *-m string* --> use the iptables-extension module called "string"
>>
>> *--hex-string "|0000ff0001|"* --> the string to be matched inside the
>> packet must be the hexadecimal value "0000ff0001" (which
>> corresponds to the ANY DNS query type in the above tcpdump trace)
>>
>> *--algo bm* --> at those packets that match the above values, apply the
>> Boyer-Moore algorithm
>>
>> *-m recent* --> apply a second iptables-extension module called *recent*.
>> The recent module allows you to dynamically create a list of IP addresses and then
>> match against that list in a few different ways. For example, you can
>> create a "badguy" list out of people attempting to connect to port *xyz*
>> on your firewall and then DROP all future packets from them without
>> considering them.
>>
>> *--set --name dnsanyquery* --> at those packets, apply a list named
>> *dnsanyquery*
>>
>> *--rsource* --> in the *dnsanyquery* list save the source IP address of
>> those packets that match the above rules
>>
>>
>>
>> Second rule - the first part is the same as the first rule *(iptables -I
>> INPUT 5 -p udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm
>> -m recent)*
>>
>> *--rcheck* --> check if the source address of the packet is currently in
>> the list (*dnsanyquery*)
>>
>> *--seconds 60* --> this will narrow the match to only happen when the
>> address is in the list and was seen within the last given number of seconds
>> (60 seconds in this rule)
>>
>> *--hitcount 5* --> this will narrow the match to only happen when the
>> address is in the list and the number of packets received is greater than or equal
>> to the given value (5 hits in this rule)
>>
>> *--name dnsanyquery --rsource* --> same meaning as in the first rule
>>
>> *-j DROP* --> drop the packets that match the values described in this
>> iptables rule.
>>
>> Thanks to a bash script, we can convert the raw data of the *dnsanyquery* list
>> and find out which IP address (and when) sent more than 5 ANY queries in
>> less than 60 seconds
>>
>> root@banana:/etc/my_scripts# ./recent_dns.sh
>>
>> 192.168.0.2........................................Tue Sep 29 22:36:15 BST 2015
>>
>>
>> 2015-12-17 0:33 GMT+00:00 Josh Sanders <facil77 at gmail.com>:
>>
>>> Hello, could you point me in the right direction with a tutorial or
>>> example?
>>> Thank you for your reply
>>>
>>> On Wed, Dec 16, 2015 at 5:11 PM, Federico Olivieri <lvrfrc87 at gmail.com>
>>> wrote:
>>>
>>>> Hi, have you tried with iptables? You can set the max ANY queries per
>>>> IP and track the IPs that ask for the ANY query
>>>> On 16 Dec 2015 22:05, "Josh Sanders" <facil77 at gmail.com> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I just set up PowerDNS and it works faultlessly:
>>>>> pdns-static_3.4.7-1_amd64.deb
>>>>>
>>>>> But it keeps receiving 100s of ANY queries.
>>>>>
>>>>> The PowerDNS/Bind backend has zone mydomain.com, but it keeps receiving
>>>>> ANY queries like these:
>>>>>
>>>>> Remote xxx.xxx.xxx.xxx wants 'domainA.com|ANY', do = 0, bufsize =
>>>>> 1680: packetcache MISS
>>>>> Remote xxx.xxx.xxx.yyy wants 'domainB.com|ANY', do = 0, bufsize =
>>>>> 1680: packetcache MISS
>>>>> Remote xxx.xxx.xxx.zzz wants 'domainC.com|ANY', do = 0, bufsize =
>>>>> 1680: packetcache MISS
>>>>> Remote xxx.xxx.xxx.www wants 'domainD.com|ANY', do = 0, bufsize =
>>>>> 1680: packetcache MISS
>>>>>
>>>>> I know how to block those IPs with fail2ban but I would not like to
>>>>> have 100s of iptables rules.
>>>>>
>>>>> Is there a way to block ANY queries?
>>>>>
>>>>> I mean like CloudFlare does: Please stop asking for ANY / See
>>>>> draft-jabley-dnsop-refuse-any
>>>>>
>>>>> Also, I tried any-to-tcp=yes but it does not seem to work.
>>>>>
>>>>> Thanks
>>>>>
>>>>> _______________________________________________
>>>>> Pdns-users mailing list
>>>>> Pdns-users at mailman.powerdns.com
>>>>> http://mailman.powerdns.com/mailman/listinfo/pdns-users
>>>>>
>>>>>
>>>
>>
>
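As an added illustration of Federico's iptables explanation in this thread (example code written here, not from the thread, from PowerDNS or from iptables itself), the script below rebuilds the www.facebook.com ANY query from the tcpdump trace, shows that the bytes the `--hex-string "|0000ff0001|"` rule looks for are the end-of-name byte followed by QTYPE 255 and class IN, reads QTYPE from its real offset by walking the QNAME instead of relying on a substring, and models the window the two rules form together: rule 4 records every matching source (`--set --rsource`) and rule 5 drops once that source has 5 or more hits within 60 seconds (`--rcheck --seconds 60 --hitcount 5`). The class and function names, the sample packets and the in-memory window model are assumptions made for this example; the real `recent` module keeps a bounded list of timestamps per address in `/proc/net/xt_recent/dnsanyquery`.

```python
"""Added example, not from the mailing-list thread: why --hex-string "|0000ff0001|"
matches a DNS ANY query, how to read QTYPE at its real offset, and a model of the
--set / --rcheck --seconds 60 --hitcount 5 pair of rules. Names, sample packets
and the window model are assumptions made for this example."""
import struct
from collections import defaultdict, deque

# Bytes the iptables string module searches for: end of QNAME (00),
# QTYPE ANY (00ff) and class IN (0001), exactly as in the tcpdump trace.
ANY_PATTERN = bytes.fromhex("0000ff0001")
QTYPE_ANY = 255


def build_query(name: str, qtype: int, txid: int = 0x7287) -> bytes:
    """Build a minimal DNS query payload: one question, RD set, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def matches_hex_rule(payload: bytes) -> bool:
    """Mirror of '-m string --hex-string "|0000ff0001|"': a plain substring search."""
    return ANY_PATTERN in payload


def parse_qtype(payload: bytes) -> int:
    """Walk the 12-byte header and the first QNAME so QTYPE is read from its real offset."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    off = 12
    while True:
        if off >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[off]
        if length == 0:          # root label terminates the name
            off += 1
            break
        if length & 0xC0:        # compression pointers do not belong in a question
            raise ValueError("compression pointer in question name")
        off += 1 + length
    if off + 4 > len(payload):
        raise ValueError("truncated question")
    return struct.unpack("!H", payload[off:off + 2])[0]


class RecentAnyLimiter:
    """Model of the two rules (assumed model, not the kernel's data structure):
    rule 4 records the source and timestamp of every matching packet (--set --rsource)
    and lets it continue; rule 5 drops when that source has `hitcount` or more hits
    within the last `seconds` (--rcheck --seconds --hitcount)."""

    def __init__(self, seconds: int = 60, hitcount: int = 5) -> None:
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(deque)  # src -> timestamps of its ANY queries

    def handle(self, src: str, payload: bytes, now: float) -> str:
        if not matches_hex_rule(payload):
            return "ACCEPT"              # neither rule matches; later rules decide
        window = self.stamps[src]
        window.append(now)               # --set: recorded even if dropped just below
        while window and now - window[0] > self.seconds:
            window.popleft()             # hits older than the window no longer count
        return "DROP" if len(window) >= self.hitcount else "ACCEPT"

    def offenders(self, now: float):
        """Sources at or over the threshold right now, with their latest hit:
        the information the recent_dns.sh script in the thread extracts from the list."""
        out = []
        for src, window in self.stamps.items():
            recent = [t for t in window if now - t <= self.seconds]
            if len(recent) >= self.hitcount:
                out.append((src, recent[-1]))
        return sorted(out)


if __name__ == "__main__":
    pkt = build_query("www.facebook.com", QTYPE_ANY)   # constructed sample query
    print(pkt.hex(), parse_qtype(pkt), matches_hex_rule(pkt))
    limiter = RecentAnyLimiter()
    print([limiter.handle("192.168.0.2", pkt, t) for t in range(5)])
    print(limiter.offenders(5))
```

The rebuilt payload is byte-for-byte the 34-byte DNS section of the trace, so the substring search and the offset-based parser agree on it; the parser is there because the string module matches anywhere in the packet, while the window model makes the order of the two rules visible: because rule 4 has no `-j`, every ANY query is recorded first, and a source that keeps sending stays blocked until 60 seconds pass without hits.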