DNS Query Root ANY (all) Filter

Support for security such as Firewalls and securing linux
Post Reply
Al_Stu
Posts: 43
Joined: 2010/09/14 21:05:16

DNS Query Root ANY (all) Filter

Post by Al_Stu » 2017/04/10 07:09:14

If you have an Internet facing DNS server it no doubt gets hit with a bunch of bogus queries. Unless they are being filtered upstream of your server.

One such bogus query that a lot of DNS servers seem to be hit with is a query for root any. That is for all records the DNS server has. Which can generate quite a large query response compared to a small query request. i.e. DNS Amplified Reflection Exploit Attack (DNS AREA). This is especially true for DNSSEC servers due to the massive size of their records.

Depending on configuration BIND can/will deny these queries. But they still are passed along to BIND to be processed. Which consumes additional system resources and depending on log settings may SPAM the logs. Consuming yet even more system resources and rendering the logs less efficient to use for "legitimate" information.

Today I learned how to filter these DNS queries for root all/any records with IP tables by adding this rule to the raw table.

Code: Select all

-A PREROUTING -p udp --dport 53 -m string --hex-string "|0000FF0001|" --algo bm --from 40 -j DROP
-A PREROUTING -p tcp --dport 53 -m string --hex-string "|0000FF0001|" --algo bm --from 52 -j DROP
Notes:
The rules can also be used in combination with the 'recent' module to provide rate limiting. Or even altered for specific queries.

String match --from offset calculation:
Ethernet header 14 bytes. Not included in iptables processing.
Minimum IP header length 20 bytes.
Minimum UDP header length 8 bytes.
Minimum TCP header length 20 bytes.
Minimum DNS header length 12 bytes.
(Transaction ID (2), Flags (2), Questions (2), Answer RRs (2), Authority RRs (2), Additional RRs (2))

UDP DNS queries minimum offset 40
(minimum IP header length (20), plus minimum UDP header length (8), plus minimum DNS header length (12))

TCP DNS queries minimum offset 52
(minimum IP header length (20), plus minimum TCP header length (20), plus minimum DNS header length (12))

References:
IP Tables Manual
https://linux.die.net/man/8/iptables

Boyer-Moore (bm) Algorithm
https://en.wikipedia.org/wiki/Boyer%E2% ... _algorithm

These images (attached) highlights the query portion (hex string) of a DNS root any packet via UDP and TCP.
DNS Root All Query.jpg
DNS Root All Query.jpg (136.34 KiB) Viewed 1460 times
DNS Root All Query (TCP).jpg
DNS Root All Query (TCP).jpg (134.89 KiB) Viewed 813 times

Post Reply

Return to “CentOS 7 - Security Support”