How to mitigate peacecorps.gov DOS attack on bind9 DNS Server?
I newly configured bind9 on my ubuntu server and set allow-query to { any; } as I want my DNS server to be accessible from anywhere. However, I am now facing a DoS attack using the peacecorps.gov domain with different IP addresses. I am getting DNS requests every second. How do I mitigate this issue? Is there a way to block DNS lookups for a particular website?
My bind9 options configuration:

options {
        directory "/var/cache/bind";
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };
        dnssec-validation auto;
        listen-on { any; };
        listen-on-v6 { any; };
        allow-query { any; };
        allow-recursion { any; };
        version "Forbidden";
};
DNS Logs
"I newly configured bind9 on my ubuntu server and set allow-query to { any; } as I want my DNS server to be accessible from anywhere."

You get exactly what you've configured: a DNS server that can be used by anybody. Or rather, abused by anybody, and it is being abused right now.
See for example this alert regarding incorrectly configured DNS servers such as yours:
- https://us-cert.cisa.gov/ncas/alerts/TA13-088A
The only public queries that your DNS server should allow and answer are for the domain names it is authoritative for (in other words, your own domains).
If your bind server is to be a caching resolver, it should only offer that service to your own servers/subnet, not the whole internet.
Set up an access control list and only allow authorised/trusted clients to use your DNS server, and this problem should stop:

acl myclients {
        192.0.2.0/24;
        localhost;
};

options {
        directory "/var/cache/bind";
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };
        dnssec-validation auto;
        listen-on { any; };
        listen-on-v6 { any; };
        allow-query { myclients; };
        allow-recursion { myclients; };
        version "Forbidden";
};
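A defender-side check to go with that ACL, added here as an example and not code from the question or the answer: it scans BIND query-log lines for recursive queries (RD flag set, shown as a leading "+") coming from clients outside the trusted ranges and tallies the most-queried names, so the abused name and the abusing sources stand out. The log line shape is an assumption modelled on BIND 9's query log, and the sample lines are constructed, not real traffic.

```python
import re
import ipaddress
from collections import Counter

# Trusted clients, mirroring the "myclients" ACL in the answer (localhost as 127.0.0.0/8).
TRUSTED = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("127.0.0.0/8")]

# Assumed BIND 9 query-log shape (an approximation, not taken from the page):
#   client @0x... <ip>#<port> (<qname>): query: <qname> IN <type> <flags> (<server-ip>)
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+:? )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)

def analyse(lines):
    """Return (recursive queries per untrusted client, queries per (qname, qtype))."""
    untrusted_clients = Counter()
    qnames = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query-log line; skip
        qnames[(m["qname"].rstrip(".").lower(), m["qtype"])] += 1
        # A leading "+" in the flags field means the client asked for recursion (RD set).
        if m["flags"].startswith("+") and not is_trusted(m["ip"]):
            untrusted_clients[m["ip"]] += 1
    return untrusted_clients, qnames

# Constructed sample lines in the assumed format (documentation IP ranges, not real clients).
SAMPLE = """\
29-Mar-2021 10:00:01.123 client @0x7f3c 203.0.113.7#41122 (peacecorps.gov): query: peacecorps.gov IN ANY +E(0)K (198.51.100.2)
29-Mar-2021 10:00:02.456 client @0x7f3c 203.0.113.9#51923 (peacecorps.gov): query: peacecorps.gov IN ANY +E(0)K (198.51.100.2)
29-Mar-2021 10:00:03.789 client @0x7f3c 203.0.113.7#41123 (peacecorps.gov): query: peacecorps.gov IN ANY +E(0)K (198.51.100.2)
29-Mar-2021 10:00:04.000 client @0x7f3c 192.0.2.10#33001 (example.com): query: example.com IN A +E(0) (198.51.100.2)
29-Mar-2021 10:00:05.000 client @0x7f3c 203.0.113.20#6000 (example.net): query: example.net IN A -E(0) (198.51.100.2)
""".splitlines()

if __name__ == "__main__":
    clients, names = analyse(SAMPLE)
    for ip, n in clients.most_common():
        print(f"{ip}: {n} recursive queries from outside the ACL")
    for (name, qtype), n in names.most_common(3):
        print(f"{name} {qtype}: {n}")
```

Point it at your real query log (enable it with `rndc querylog` if it is off) and the same counters show whether the ACL change has actually stopped the recursive queries from outside your subnet.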