One such bogus query that a lot of DNS servers seem to be hit with is a query for root ANY, that is, a request for all records the DNS server has. Such a query can generate quite a large response compared to the small request, i.e. a DNS Amplified Reflection Exploit Attack (DNS AREA). This is especially true for DNSSEC servers due to the massive size of their records.
Depending on its configuration, BIND can and will deny these queries, but they are still passed along to BIND to be processed, which consumes additional system resources and, depending on log settings, may spam the logs, consuming yet more system resources and making the logs less useful for "legitimate" information.
Today I learned how to filter these DNS queries for root all/any records with iptables by adding these rules to the raw table.
-A PREROUTING -p udp --dport 53 -m string --hex-string "|0000FF0001|" --algo bm --from 40 -j DROP
-A PREROUTING -p tcp --dport 53 -m string --hex-string "|0000FF0001|" --algo bm --from 52 -j DROP
The rules can also be combined with the 'recent' module to provide rate limiting, or altered to match specific queries.
String match --from offset calculation:
Ethernet header 14 bytes. Not included in iptables processing.
Minimum IP header length 20 bytes.
Minimum UDP header length 8 bytes.
Minimum TCP header length 20 bytes.
Minimum DNS header length 12 bytes.
(Transaction ID (2), Flags (2), Questions (2), Answer RRs (2), Authority RRs (2), Additional RRs (2))
UDP DNS queries minimum offset 40
(minimum IP header length (20), plus minimum UDP header length (8), plus minimum DNS header length (12))
TCP DNS queries minimum offset 52
(minimum IP header length (20), plus minimum TCP header length (20), plus minimum DNS header length (12))
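As an added example (not code from the original post), the following Python builds the queries discussed above, lays them behind zero-filled minimum-length IP/UDP and IP/TCP headers the way iptables sees them (no Ethernet header), and emulates --from as the offset where the search starts; the packets and names are constructed for illustration.

```python
import struct

# Constructed example (not from the original post): DNS queries as iptables
# sees them, i.e. starting at the IP header, with zero-filled minimum-length
# IP/UDP and IP/TCP headers standing in for real ones.
PATTERN = bytes.fromhex("0000FF0001")  # root name (00), QTYPE=ANY (00FF), QCLASS=IN (0001)
IP_HDR, UDP_HDR, TCP_HDR, DNS_HDR = 20, 8, 20, 12
QTYPE_A, QTYPE_ANY, QCLASS_IN = 1, 255, 1


def encode_name(name: str) -> bytes:
    """Wire-format a domain name; the root '.' is just the terminating zero byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """12-byte DNS header (RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def udp_packet(dns: bytes) -> bytes:
    return b"\x00" * (IP_HDR + UDP_HDR) + dns


def tcp_packet(dns: bytes) -> bytes:
    # DNS over TCP prefixes the message with its 2-byte length (RFC 1035 section 4.2.2).
    return b"\x00" * (IP_HDR + TCP_HDR) + struct.pack("!H", len(dns)) + dns


def rule_matches(packet: bytes, offset_from: int) -> bool:
    """Emulate -m string --hex-string "|0000FF0001|" --from N: search from N onward."""
    return packet.find(PATTERN, offset_from) != -1


def pattern_offset(packet: bytes) -> int:
    """Where the pattern actually sits in the packet (-1 if absent)."""
    return packet.find(PATTERN)


if __name__ == "__main__":
    for label, pkt, frm in [
        ("UDP root ANY", udp_packet(build_query(".", QTYPE_ANY)), 40),
        ("TCP root ANY", tcp_packet(build_query(".", QTYPE_ANY)), 52),
        ("UDP example.com ANY", udp_packet(build_query("example.com", QTYPE_ANY)), 40),
        ("UDP root A", udp_packet(build_query(".", QTYPE_A)), 40),
    ]:
        print(f"{label:22} pattern at {pattern_offset(pkt):3}  dropped={rule_matches(pkt, frm)}")
```

DNS over TCP prefixes each message with a two-byte length field, so with minimum headers the pattern sits at 54 rather than 52, and the rule still matches because --from sets where the search starts, not an exact position. Since every name ends in a zero byte, the same five bytes also appear in ANY/IN queries for any other name, so these rules drop all ANY queries, not only root ANY.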
References:
IP Tables Manual
https://linux.die.net/man/8/iptables
Boyer-Moore (bm) Algorithm
https://en.wikipedia.org/wiki/Boyer%E2% ... _algorithm
These images (attached) highlight the query portion (hex string) of a DNS root ANY packet via UDP and TCP.