DNS - spam recursion queries

I am using PowerDNS Recursor in a local ISP environment. Recursion is allowed only from our IP range, but I've come across a strange issue. Our own customers' PCs keep attacking our DNS server with queries like:

15:43:38.473842 IP [CLIENT_IP].51097 > [DNSSERVER_IP].domain: 42318+ A? qhmrazabkvghwtgv.www.dl26.com. (47)
15:43:38.474161 IP [CLIENT_IP].40825 > [DNSSERVER_IP].domain: 14848+ A? yzqxqtklodgzuv.www.dl26.com. (45)
15:43:38.474443 IP [CLIENT_IP].34094 > [DNSSERVER_IP].domain: 35692+ A? inahybijsvqt.www.sf97.net. (43)
15:43:38.474953 IP [CLIENT_IP].39432 > [DNSSERVER_IP].domain: 7105+ A? kpkfgrsxihst.www.tpa.net.cn. (45)

The remote domain is almost always a .cn one, but the rest of the domain name keeps changing. The easiest solution is to add a hashlimit-based rule in iptables, but clients are behind NAT, so traffic coming to the DNS server is marked with the concentrator IP. I've also tried using the spywaredomains zone, but the remote domain keeps changing so I can't really block it. The number of requests for SPAM domains causes the PowerDNS cache to overgrow and is also greatly increasing the remote_timeout count. Is there any way to defend against such traffic and make DNS work like a charm again?
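As an added example (not from the question or any of the answers), the following Python script parses tcpdump lines like the ones above, flags long, high-entropy leftmost labels, and totals them per source address and per target zone, so the source (here a NAT concentrator or a single customer) and the zones being hit can be identified from a capture. The sample lines are constructed, and the two-label suffix list and the entropy/length thresholds are assumptions to tune to your own traffic.

```python
import re
from collections import Counter, defaultdict
from math import log2

# Constructed sample lines in the tcpdump format shown in the question (not real captures).
SAMPLE_LOG = """\
15:43:38.473842 IP 10.0.0.5.51097 > 10.0.0.1.domain: 42318+ A? qhmrazabkvghwtgv.www.dl26.com. (47)
15:43:38.474161 IP 10.0.0.5.40825 > 10.0.0.1.domain: 14848+ A? yzqxqtklodgzuv.www.dl26.com. (45)
15:43:38.474443 IP 10.0.0.5.34094 > 10.0.0.1.domain: 35692+ A? inahybijsvqt.www.sf97.net. (43)
15:43:38.474953 IP 10.0.0.5.39432 > 10.0.0.1.domain: 7105+ A? kpkfgrsxihst.www.tpa.net.cn. (45)
15:43:39.100001 IP 10.0.0.7.50001 > 10.0.0.1.domain: 1001+ A? www.example.com. (33)
15:43:39.200002 IP 10.0.0.7.50002 > 10.0.0.1.domain: 1002+ AAAA? www.example.com. (33)
"""

# Matches the query lines of "tcpdump -n port 53" output; responses and other traffic are skipped.
QUERY_RE = re.compile(r"IP (\S+)\.\d+ > \S+\.domain: \d+\+? \w+\? (\S+) \(\d+\)")
# Suffixes needing one extra label to reach the registrable domain (assumed list; use the PSL in production).
TWO_LABEL_SUFFIXES = {"net.cn", "com.cn", "org.cn", "co.uk"}

def registrable_domain(qname):
    """'kpkfgrsxihst.www.tpa.net.cn.' -> 'tpa.net.cn', the zone whose servers the attack targets."""
    labels = qname.lower().strip(".").split(".")
    depth = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-depth:])

def looks_random(label, min_len=10, min_entropy=3.0):
    """Heuristic: a long label with high Shannon entropy, typical of generated subdomains."""
    if len(label) < min_len:
        return False
    entropy = -sum(c / len(label) * log2(c / len(label)) for c in Counter(label).values())
    return entropy >= min_entropy

def summarize(log_text):
    """Per client: total queries, random-looking leftmost labels, and the zones they hit."""
    stats = defaultdict(lambda: {"queries": 0, "random": 0, "domains": Counter()})
    for m in QUERY_RE.finditer(log_text):
        client, qname = m.groups()
        stats[client]["queries"] += 1
        if looks_random(qname.strip(".").split(".")[0]):
            stats[client]["random"] += 1
            stats[client]["domains"][registrable_domain(qname)] += 1
    return stats

def flag_clients(stats, min_random=3):
    """Clients whose random-label query count crosses the threshold (tune to your traffic)."""
    return sorted(c for c, s in stats.items() if s["random"] >= min_random)
```

Run it over a capture window (for example one minute of `tcpdump -n port 53` output) and feed the flagged sources and zones into whatever rate limit or customer notification process you use.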


Solution 1:

This is one of the distributed attacks against authoritative DNS servers that has been seen in the wild lately (not to be confused with the more popular DNS amplification attacks). The victims are the nameservers responsible for the domain nearest the TLD -- tpa.net.cn, sf97.net, etc. The attack strategy is to generate queries that will not be cached.

This is not simply a matter of blocking an individual client. If you're seeing this, it generally is a symptom of one of the following factors:

  • You are operating an "open resolver", a caching DNS server that is accessible to the general internet.
  • Your customers are operating open resolvers and forwarding queries to your nameservers. (this is more common than most people think)

In my experience you need to identify which of these is the case and take steps to reduce the abuse vectors into your network.

Solution 2:

From http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/:

many PowerDNS installations on Linux are configured to consume (far) more filedescriptors than are actually available ... To fix, there are four options:

  1. Reduce max-mthreads to 512 (or threads to 1 and max-mthreads to 1024) (max-mthreads was introduced in Recursor 3.2; but if you are running a version that old, please upgrade it!)
  2. Run 'ulimit -n 32768' before starting (perhaps put this in the /etc/init.d/ script). There's little reason to skimp on this number.
  3. Investigate defaults in /etc/security/limits.conf
  4. Apply the patch in https://github.com/Habbie/pdns/commit/e24b124a4c7b49f38ff8bcf6926cd69077d16ad8

From http://blog.powerdns.com/2014/04/03/further-dos-guidance-packages-and-patches-available/ (paraphrasing):

Install recursor from git head (snapshots at various URLs listed in the article or find one yourself at https://autotest.powerdns.com/), or in time, released versions 3.5.4 or up. Then set server-down-max-fails to a suitable number. We recommend 32, or 16 when under heavy attack.

Solution 3:

What you can do is block that client from getting to the name server. An alternative solution would be to clean the client system(s). Personally I suggest doing the second thing; the first thing would only be nice if you redirect the client to an IP that has a page warning them and helping them to solve the issue.