bind: blackhole for invalid recursive queries?

I have a name server that's publicly accessible since it is the authoritative name server for a couple of domains.

Currently the server is flooded with faked type ANY requests for isc.org, ripe.net and similar (that's a known distributed DoS attack).

The server runs BIND and has allow-recursion set to my LAN so that these requests are rejected. In such cases the server responds just with authority and additional sections referring the root servers.

Can I configure BIND so that it completely ignores these requests, without sending a response at all?


Faced with the same problem, I chose to ignore all recursive requests. All resolvers do send a non-recursive query when they want to use my server as an authoritative server. Only misconfigured clients and attackers, in my own case, use recursive queries.

Unfortunately I haven't found a way to let BIND do that, but in case iptables is good enough for you, I used

iptables -t raw -I PREROUTING -i eth0 -p udp --destination-port 53 \
    -m string --algo kmp --from 30 \
    --hex-string "|01000001000000000000|" -j DROP

I would try:

zone "." {
  type redirect;
  allow-query { none; };
};

The responses referring clients to the root servers are controlled by the "redirect" zone. This should tell it not to reply to those.

That's hinted at in the Bind9 docs: http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#id2592674

You may wish to replace "none" with your local subnet.

If you already have a zone "." declaration, simply add allow-query { none; }; to it.


Have you tried to block the string isc.org or block the hex string for it?

This worked for me:

iptables -A INPUT -p udp -m string --hex-string "|03697363036f726700|" --algo bm -j DROP
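To show what the two iptables byte matches above actually catch (the header pattern at offset 30 from the earlier answer, and the isc.org wire-format name from this one), here is an added Python example that is not part of either answer: it builds a few constructed DNS queries in memory and applies the same byte patterns to them. The function names (`build_query`, `matches_rd_only_rule`, `matches_isc_org_rule`) and the sample names are this example's own.

```python
"""Decode DNS queries the way the two iptables string matches see them.

Constructed sample queries are built in memory and checked against the two
byte patterns the rules match, so you can see what each rule catches and
what slips past it (for instance an EDNS0 query, whose ARCOUNT is 1).
"""
import struct

# First rule: flags 0x0100 (only RD set) followed by QDCOUNT=1, ANCOUNT=0,
# NSCOUNT=0, ARCOUNT=0. Its `--from 30` skips the IPv4 header (20 bytes),
# the UDP header (8) and the 2-byte DNS ID, so the search starts at the
# flags field; the UDP payload itself begins at packet offset 28.
RD_ONLY_HEADER = bytes.fromhex("01000001000000000000")
# Second rule: the wire-format name isc.org (length-prefixed labels).
ISC_ORG_WIRE = bytes.fromhex("03697363036f726700")

QTYPE_A, QTYPE_OPT, QTYPE_ANY = 1, 41, 255
CLASS_IN = 1


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(name, qtype, rd=True, edns=False, txid=0x1234):
    """Build a one-question DNS query; edns=True appends an OPT record (ARCOUNT=1)."""
    flags = 0x0100 if rd else 0x0000
    arcount = 1 if edns else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if edns:
        # OPT pseudo-RR: root name, type 41, UDP payload size 4096,
        # extended RCODE/flags 0, RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, 0, 0)
    return msg


def parse_header(msg):
    """Return the header counters and the RD bit of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rd": bool(flags & 0x0100), "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def matches_rd_only_rule(payload):
    """Emulate `--from 30 --hex-string "|01000001000000000000|"` on a UDP payload.

    The string match searches from the given offset onward, so this is a
    substring test starting two bytes into the DNS message (after the ID).
    """
    return RD_ONLY_HEADER in payload[2:]


def matches_isc_org_rule(payload):
    """Emulate the unanchored `--hex-string "|03697363036f726700|"` match."""
    return ISC_ORG_WIRE in payload


if __name__ == "__main__":
    samples = {
        "flood: isc.org ANY, RD set": build_query("isc.org", QTYPE_ANY),
        "flood with EDNS0 (ARCOUNT=1)": build_query("isc.org", QTYPE_ANY, edns=True),
        "resolver: example.com A, RD clear": build_query("example.com", QTYPE_A, rd=False),
        "stub client: example.com A, RD set": build_query("example.com", QTYPE_A),
    }
    for label, msg in samples.items():
        print(f"{label:38} rd-rule={matches_rd_only_rule(msg)!s:5} "
              f"isc-rule={matches_isc_org_rule(msg)!s:5} header={parse_header(msg)}")
```

Running it shows the trade-off between the two rules: the header pattern drops every recursive query regardless of name, but because it fixes ARCOUNT to 0 a query carrying an EDNS0 OPT record passes it; the name pattern is unanchored, so it drops any packet containing the isc.org labels, whatever the flags, while leaving recursive queries for other names alone.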


Generally, I would suggest:

Turn on BIND logs and record the IPs that get a rejected answer. Install the fail2ban program and add a blackhole action: http://pastebin.com/k4BxrAeG (put the rule in a file in /etc/fail2ban/actions.d)

Create a bind filter file in /etc/fail2ban/filter.d with something like this (needs debugging!)

[Definition]
# BIND prefixes the client address with "client " and follows it with "#PORT:"
failregex = ^.* security: info: client <HOST>#\d+: query \(cache\) .* denied

Edit fail2ban.conf, add section:

[bindban]

enabled  = true
filter   = bind
# "bantime" is the number of seconds that a host is banned.
bantime  = 6000
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 60
# "maxretry" is the number of failures before a host get banned.
maxretry = 150
action   = blackhole
logpath  = /var/log/named.log

Hope this will help!
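As an added example, not part of this answer or of fail2ban itself, the following Python script replays the jail above offline: a filter regex picks out BIND "query (cache) ... denied" lines, and a sliding window applies the findtime/maxretry rule (150 matches inside 60 seconds) to decide which client addresses would be banned. The log lines are constructed for the example and assume BIND 9's `client ADDR#PORT:` prefix with print-time, print-category and print-severity enabled on the logging channel; the `<HOST>` expansion is stood in for by a plain address character class.

```python
"""Emulate the fail2ban jail above on BIND 'query denied' log lines.

Matches lines with a filter regex, then applies the findtime/maxretry
sliding window: a host is listed for banning once it has produced
maxretry matches inside any findtime-second window. The log lines are
constructed here and assume BIND 9's `client ADDR#PORT:` prefix with
print-time, print-category and print-severity enabled on the channel.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban substitutes <HOST> with its own host pattern; a plain IPv4/IPv6
# character class stands in for it here.
HOST_RE = r"(?P<host>[0-9a-fA-F:.]+)"
FAILREGEX = re.compile(
    r"^(?P<ts>\S+ \S+) .*security: info: client " + HOST_RE
    + r"#\d+: query \(cache\) .* denied"
)
BIND_TIME_FORMAT = "%d-%b-%Y %H:%M:%S.%f"   # BIND's default print-time layout

FINDTIME = 60    # seconds, as in the jail above
MAXRETRY = 150   # matches inside FINDTIME before a ban


def parse_line(line):
    """Return (timestamp, host) for a matching line, or None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), BIND_TIME_FORMAT), m.group("host")


def hosts_to_ban(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Replay log lines in order and return hosts that hit the threshold."""
    windows = defaultdict(deque)   # host -> timestamps inside the current window
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned:
            continue
        window = windows[host]
        window.append(ts)
        # Drop matches older than findtime before checking the count.
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.append(host)
    return banned


# --- constructed sample log (not real traffic) ------------------------------
BASE = datetime(2012, 12, 11, 10, 0, 0)


def make_line(offset_seconds, host, name="isc.org", qtype="ANY"):
    """Format one constructed BIND 'query (cache) ... denied' line."""
    stamp = (BASE + timedelta(seconds=offset_seconds)).strftime(BIND_TIME_FORMAT)[:-3]
    return (f"{stamp} security: info: client {host}#41324: "
            f"query (cache) '{name}/{qtype}/IN' denied")


def constructed_log():
    """A flood source, a slow client that never trips the jail, an unrelated line."""
    # 200 denied ANY queries in 40 seconds from one address
    lines = [make_line(i * 0.2, "203.0.113.5") for i in range(200)]
    # 100 denied queries spread over ten minutes: at most 11 per 60 s
    lines += [make_line(i * 6, "198.51.100.7", "example.net", "A") for i in range(100)]
    lines.append("11-Dec-2012 10:05:00.000 general: info: "
                 "zone example.org/IN: loaded serial 1")
    return lines


if __name__ == "__main__":
    print("ban:", hosts_to_ban(constructed_log()))   # only the flood source
```

Tuning the jail is then a matter of changing the two numbers and replaying a real `/var/log/named.log` through `hosts_to_ban`: a lower maxretry or longer findtime starts catching the slow client in the sample, which is the false-positive risk the 150-in-60-seconds setting is meant to avoid.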