Generally it's best to block these attacks on the server that runs the DNS service, or the one that talks to it. On Linux that's easy to do. I'll post the iptables rules for fending off this attack for you, but if it really has to be done on the MikroTik, write a rule for port 53 udp/tcp and limit the number of queries per time window, or only allow permitted addresses to send requests.
iptables -v -I INPUT 1 -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
iptables -v -I INPUT 2 -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 10 --hitcount 3 -j DROP
This allows two ANY queries from an IP over 10 seconds. You can adjust it any way you want. The above code inserts these rules as the first two in the chain. You might also want to just use append and put these early in the list.
iptables -v -A INPUT -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
iptables -v -A INPUT -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 10 --hitcount 3 -j DROP
Is it working? You can test it as follows:
dig @dns.yourdomain.com isc.org ANY
It should work 2 times in a row and fail on the 3rd try. This will allow some diagnostic ANY queries but block the high-volume DDoS attacks.
I also have some recursive name servers and I use them heavily internally. But I also use them lightly externally. These name servers are still open to the world, but I threw some rate limiting on them for external use. That way they can be open and yet not abused.
First you have to allow your own network full access:
iptables -v -A INPUT -t filter -s 192.168.1.0/24 -j ACCEPT
Then you rate limit other addresses:
iptables -v -A INPUT -p udp --dport 53 -m recent --set --name dnsanyquery
iptables -v -A INPUT -p udp --dport 53 -m recent --name dnsanyquery --rcheck --seconds 1 --hitcount 10 -j DROP
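As an added illustration (not code from the post or from iptables itself), the following Python emulates what the two ANY-query rules do, so you can see why the hex string `|0000FF0001|` picks out ANY/IN questions and how the `-m recent` window behaves, including the caveat that the first rule's `--set` records a hit even for a query the second rule then drops. The `RecentList` class is an assumed model of xt_recent: hits no older than `--seconds` are counted, `--hitcount` is an at-least threshold, and 20 timestamps are kept per address by default. All traffic is constructed sample data using documentation addresses.

```python
import struct
from collections import defaultdict, deque

# The bytes the post's rules search for: the 0x00 that terminates the query
# name, followed by QTYPE 0x00FF (ANY) and QCLASS 0x0001 (IN).
ANY_IN_PATTERN = bytes.fromhex("0000FF0001")
QTYPE_ANY, QCLASS_IN = 255, 1


def build_dns_query(name, qtype, qclass=QCLASS_IN, txid=0x1234):
    """Build a minimal DNS query: 12-byte header plus one question (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def parse_question(payload):
    """Return (name, qtype, qclass) of the first question, or None if absent or malformed."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        return None
    i, labels = 12, []
    while i < len(payload):
        length = payload[i]
        i += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a plain question name
            return None
        labels.append(payload[i:i + length].decode("ascii", "replace"))
        i += length
    if i + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[i:i + 4])
    return ".".join(labels), qtype, qclass


class RecentList:
    """Assumed model of one xt_recent list (`-m recent --name dnsanyquery`).
    set()    : append the current time for an address (`--set`).
    rcheck() : true when the address is listed with at least `hitcount` hits
               no older than `seconds` (`--rcheck --seconds N --hitcount M`);
               it does not update the list."""

    def __init__(self, max_stamps=20):  # xt_recent keeps ip_pkt_list_tot=20 stamps per address by default
        self.stamps = defaultdict(lambda: deque(maxlen=max_stamps))

    def set(self, addr, now):
        self.stamps[addr].append(now)

    def rcheck(self, addr, now, seconds, hitcount):
        if addr not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[addr] if now - t <= seconds)
        return hits >= hitcount


def filter_packet(recent, src, now, udp_payload, seconds=10, hitcount=3):
    """Walk one inbound UDP/53 packet through the post's two rules, in order.
    Rule 1 (--set) records the hit for every ANY/IN query, even one that the
    second rule then drops, so a steady trickle of ANY queries keeps a source
    blocked. Rule 2 drops once the window already holds `hitcount` hits.
    Anything else falls through, which this model treats as ACCEPT."""
    q = parse_question(udp_payload)
    if q is not None and q[1] == QTYPE_ANY and q[2] == QCLASS_IN:
        recent.set(src, now)
        if recent.rcheck(src, now, seconds, hitcount):
            return "DROP"
    return "ACCEPT"


def run_timeline(events, seconds=10, hitcount=3):
    """events: iterable of (time_s, src_ip, qname, qtype); returns one verdict per event."""
    recent = RecentList()
    return [filter_packet(recent, src, t, build_dns_query(name, qtype), seconds, hitcount)
            for t, src, name, qtype in events]


# Constructed sample traffic (documentation addresses), not captured data.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.7", "isc.org", QTYPE_ANY),   # 1st ANY -> ACCEPT
    (1.0, "203.0.113.7", "isc.org", QTYPE_ANY),   # 2nd ANY -> ACCEPT
    (2.0, "203.0.113.7", "isc.org", QTYPE_ANY),   # 3rd ANY within 10 s -> DROP
    (3.0, "203.0.113.7", "isc.org", 1),           # A query is never matched -> ACCEPT
    (4.0, "198.51.100.9", "isc.org", QTYPE_ANY),  # other source, own counter -> ACCEPT
    (11.0, "203.0.113.7", "isc.org", QTYPE_ANY),  # hits at 1, 2 (the dropped one counts) and 11 -> DROP
    (22.0, "203.0.113.7", "isc.org", QTYPE_ANY),  # window has aged out -> ACCEPT
]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run_timeline(SAMPLE_EVENTS)):
        print(f"t={ev[0]:5.1f} src={ev[1]:<13} qtype={ev[3]:<3} -> {verdict}")
```

Run it as-is to see the timeline verdicts; `run_timeline(events, seconds=1, hitcount=10)` models the recursive-resolver variant from the end of the post, where every query, not just ANY, should be counted (drop the qtype check in `filter_packet` for that case). The parser is there to make the point that the hex string is just a byte-level shortcut for "question type ANY, class IN"; a production filter or a detection rule should key on the parsed question rather than on a substring, since the same five bytes could in principle occur elsewhere in a packet.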