DNS Query Root ANY (all) Filter

Al_Stu
Posts: 52
Joined: 2010/09/14 21:05:16

DNS Query Root ANY (all) Filter

Post by Al_Stu » 2017/04/10 07:09:14

If you have an Internet-facing DNS server, it no doubt gets hit with a bunch of bogus queries, unless they are being filtered upstream of your server.

One such bogus query that a lot of DNS servers seem to be hit with is a query for root any, that is, for all records the DNS server has, which can generate quite a large query response compared to the small query request, i.e. a DNS Amplified Reflection Exploit Attack (DNS AREA). This is especially true for DNSSEC servers due to the massive size of their records.

Depending on configuration, BIND can/will deny these queries, but they are still passed along to BIND to be processed, which consumes additional system resources and, depending on log settings, may spam the logs, consuming yet more system resources and rendering the logs less efficient to use for "legitimate" information.

Today I learned how to filter these DNS queries for root all/any records with iptables by adding these rules to the raw table.

Code:

-A PREROUTING -p udp --dport 53 -m string --hex-string "|0000FF0001|" --algo bm --from 40 -j DROP
-A PREROUTING -p tcp --dport 53 -m string --hex-string "|0000FF0001|" --algo bm --from 52 -j DROP
Notes:
The rules can also be used in combination with the 'recent' module to provide rate limiting, or even altered for specific queries.

String match --from offset calculation:
Ethernet header 14 bytes. Not included in iptables processing.
Minimum IP header length 20 bytes.
Minimum UDP header length 8 bytes.
Minimum TCP header length 20 bytes.
Minimum DNS header length 12 bytes.
(Transaction ID (2), Flags (2), Questions (2), Answer RRs (2), Authority RRs (2), Additional RRs (2))

UDP DNS queries minimum offset 40
(minimum IP header length (20), plus minimum UDP header length (8), plus minimum DNS header length (12))

TCP DNS queries minimum offset 52
(minimum IP header length (20), plus minimum TCP header length (20), plus minimum DNS header length (12))

References:
iptables manual
https://linux.die.net/man/8/iptables

Boyer-Moore (bm) Algorithm
https://en.wikipedia.org/wiki/Boyer%E2% ... _algorithm

These images (attached) highlight the query portion (hex string) of a DNS root any packet via UDP and TCP:
[Attached image: DNS Root All Query.jpg]
[Attached image: DNS Root All Query (TCP).jpg]
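
As an added illustration (not code from Al_Stu's posts), the Python below builds constructed root-ANY queries inside minimal IPv4/UDP and IPv4/TCP packets, locates the 5-byte pattern to confirm the --from offsets above, and approximates the string match as iptables applies it. It also shows two things worth knowing before deploying the rules: DNS over TCP carries a 2-byte length prefix, so the pattern lands at byte 54 rather than 52 (still matched, because --from is only a lower bound), and the pattern is the end-of-name byte plus QTYPE ANY / QCLASS IN, so it also matches ANY queries for non-root names. Addresses (192.0.2.x), transaction ID and zeroed checksums are constructed sample values.

```python
import struct

# The 5-byte pattern from the iptables rules: end-of-name byte 0x00,
# QTYPE 0x00FF (ANY) and QCLASS 0x0001 (IN).
PATTERN = bytes.fromhex("0000ff0001")

def dns_query(name: str, qtype: int = 255, qclass: int = 1) -> bytes:
    """12-byte DNS header plus one question section (constructed sample data)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".") if p)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)

def ipv4_header(proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, no options; checksum left at zero (sample data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))

def udp_packet(dns: bytes) -> bytes:
    """IPv4 + 8-byte UDP header + DNS message, as iptables sees it (no Ethernet header)."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)
    return ipv4_header(17, len(udp) + len(dns)) + udp + dns

def tcp_packet(dns: bytes) -> bytes:
    """IPv4 + 20-byte TCP header (no options) + DNS message.
    DNS over TCP (RFC 1035 4.2.2) prefixes the message with a 2-byte length."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 53, 1, 1, 0x50, 0x18, 65535, 0, 0)
    body = struct.pack("!H", len(dns)) + dns
    return ipv4_header(6, len(tcp) + len(body)) + tcp + body

def pattern_offset(packet: bytes) -> int:
    """Byte offset of the first occurrence of PATTERN, or -1 if absent."""
    return packet.find(PATTERN)

def string_match(packet: bytes, from_off: int, to_off: int = 65535) -> bool:
    """Approximation of `-m string --algo bm --from N --to M`: the pattern must
    lie entirely within bytes [N, M) of the packet; N is only a lower bound."""
    idx = packet.find(PATTERN, from_off)
    return idx != -1 and idx + len(PATTERN) <= to_off

# Constructed sample packets (not captures).
ROOT_ANY_UDP = udp_packet(dns_query("."))              # root (.) ANY IN over UDP
ROOT_ANY_TCP = tcp_packet(dns_query("."))              # same query over TCP
NAME_ANY_UDP = udp_packet(dns_query("example.com"))    # ANY IN for a normal name
ROOT_A_UDP = udp_packet(dns_query(".", qtype=1))       # root query for type A, not ANY

if __name__ == "__main__":
    print("UDP root ANY pattern at", pattern_offset(ROOT_ANY_UDP))   # 40 = 20 + 8 + 12
    print("TCP root ANY pattern at", pattern_offset(ROOT_ANY_TCP))   # 54 = 20 + 20 + 2 + 12
    print("rule also drops example.com ANY:", string_match(NAME_ANY_UDP, 40))  # True
```
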

Al_Stu
Posts: 52
Joined: 2010/09/14 21:05:16

Re: DNS Query Root ANY (all) Filter

Post by Al_Stu » 2020/06/05 04:31:54

If being hit with a lot of these, you could perhaps avoid the recurring string match hits by doing something like this.

Code:

-A PREROUTING -m recent --rsource --update --seconds 86400 --name DYN_DROP_LIST -j DROP
-A OUTPUT     -m recent --rdest   --update --seconds 86400 --name DYN_DROP_LIST -j DROP

-A DNS_DROP -p udp -m string --hex-string "|0000ff0001|" --algo bm --from 40 --to 65535 -j DYN_DROP
-A DNS_DROP -p tcp -m string --hex-string "|0000ff0001|" --algo bm --from 52 --to 65535 -j DYN_DROP

-A DYN_DROP -m recent --rsource --set --name DYN_DROP_LIST -j DROP
These seem to come in bursts from a group of addresses, presumably spoofed victims' addresses. Even with very low rate limits they tend to fly under the radar by using more DNS servers and victims' addresses making fewer queries each, avoiding rate limiting by further spreading out the DDoS attack's sources. Thus setting the rate limit low enough to get triggered by these affects legitimate queries too. So you need to detect the specific queries/clients and block them before they can generate any load on your DNS servers. Rate limiting alone is not sufficient, as they can just fly under the rate-limiting radar with wider dispersal.
