[176525] in North American Network Operators' Group
Re: Comcast residential DNS contact
daemon@ATHENA.MIT.EDU (Jared Mauch)
Wed Dec 3 13:06:10 2014
X-Original-To: nanog@nanog.org
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <547F302C.4060200@satchell.net>
Date: Wed, 3 Dec 2014 12:58:20 -0500
To: Stephen Satchell <list@satchell.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
> On Dec 3, 2014, at 10:45 AM, Stephen Satchell <list@satchell.net> wrote:
>
> No. When I've been victim of DNS amplification attacks, the packet
> capture showed that the attacker used ANY queries. Legit ANY queries on
> my recursive servers? Damn few. So I block. Not so on my
> authoritative servers, where ANY queries on the domains I host zone
> files for have not caused any problems, for anyone.
>
> Another thing I did was slow down the port for my recursive DNS servers
> to 10 megabits/s. That means that my upstream link can't be saturated
> by DNS amplification. Oh, and I rate-limit incoming queries to my DNS
> servers by IP address range -- an attack from one subnet won't affect
> queries from other parts of the net. Queries from my IP address range
> have a high cap; J random IP addresses have a lower cap.
You should not filter the ANY queries, perhaps you want to TC=1 them. I
created a patch for bind for this purpose.
http://puck.nether.net/~jared/bind-9.9.3rc2-tcp-any.patch
I've seen many of these attacks, they will use MX/TXT/A and other records.
You may want to look at some of the public resources for this, e.g.:
http://dnsamplificationattacks.blogspot.nl/
is a good one and for the git lovers:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt
or
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
- Jared
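The "TC=1 them" approach from the message above, written out as an added example: this is plain Python over the DNS wire format, not Jared's BIND patch and not code from anyone in the thread. The policy it implements is: an ANY query that arrives over UDP gets back a response with the TC (truncated) bit set, the question echoed and zero records, so a real resolver retries over TCP while a spoofed UDP source receives no more bytes than it sent; ANY over TCP and every other qtype return None, meaning "resolve normally". The query name, transaction ID and the "udp"/"tcp" transport tag are constructed inputs for the example.

```python
"""
Illustrative handling of ANY queries: answer UDP ANY with an empty TC=1
response so legitimate clients retry over TCP, while a spoofed UDP source
gets back no more bytes than it sent.  Added example, not the BIND patch.
"""
import struct

QTYPE_ANY = 255
QTYPE_A = 1
FLAG_QR = 0x8000          # message is a response
FLAG_TC = 0x0200          # truncated: client should retry over TCP
FLAG_RD = 0x0100          # recursion desired
MASK_OPCODE_RD = 0x7900   # opcode (4 bits) plus RD, copied from the query


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_question(msg):
    """Return (qname, qtype, qclass, end_offset) for a one-question message."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated qname")
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels) + ".", qtype, qclass, pos + 4


def build_query(name, qtype, txid=0x1234):
    """Constructed sample query: what a client (or a spoofing attacker) sends."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def truncate_any_query(msg, transport):
    """
    If an ANY query arrives over UDP, return a TC=1 response that echoes the
    question and carries no records.  Return None for anything else (other
    qtypes, or ANY over TCP), meaning 'resolve normally'.
    """
    _name, qtype, _qclass, qend = parse_question(msg)
    if transport != "udp" or qtype != QTYPE_ANY:
        return None
    txid, qflags = struct.unpack("!HH", msg[0:4])
    rflags = FLAG_QR | FLAG_TC | (qflags & MASK_OPCODE_RD)
    header = struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0)   # ancount = 0
    return header + msg[12:qend]                                 # echo question only


def is_truncated(resp):
    return bool(struct.unpack("!H", resp[2:4])[0] & FLAG_TC)


def answer_count(resp):
    return struct.unpack("!H", resp[6:8])[0]


def amplification(query, resp):
    """Bytes sent back per byte received; the number an attacker cares about."""
    return len(resp) / len(query)


if __name__ == "__main__":
    q = build_query("example.com.", QTYPE_ANY)
    r = truncate_any_query(q, "udp")
    print("ANY/UDP -> TC=%d answers=%d amplification=%.2f"
          % (is_truncated(r), answer_count(r), amplification(q, r)))
    print("ANY/TCP -> %r" % truncate_any_query(q, "tcp"))
    print("A/UDP   -> %r" % truncate_any_query(build_query("example.com.", QTYPE_A), "udp"))
```

The point of keeping the question section and nothing else is that the reply is exactly as long as the query, so the reflected traffic toward a spoofed victim is no larger than what the attacker had to send; a client that really wants the ANY data sees TC=1 and reissues the query over TCP, where the source address cannot be spoofed in the same way.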