How to secure DNS against DDOS amplification attacks
Afrihost cannot be held responsible for changes are made by the user. Any changes, edits or alterations are done so at your own risk.
A DDoS (distributed denial-of-service) attack occurs when the attacker exploits vulnerabilities in domain name system (DNS) servers to turn initially small queries into much larger payloads, which is used to bring down the server, these attacks are prone to publicly accessible domain name systems.
When you run a DNS server on your dedicated server, it will be the target DNS amplification attacks.
To prevent these attacks from succeeding and using up your bandwidth (which you will pay for), you need to configure your DNS server not to answer recursive queries.
You can send a DNS query to your server using dig or nslookup.
Send a DNS dig query to your server, e.g. “myserver.dedicated.co.za”
dig @myserver.dedicated.co.za www.isc.org
Send a server query to your server, e.g. “myserver.dedicated.co.za”.
> server myserver.dedicated.co.za
If you receive a response that includes an answer of the IP address of www.isc.org, then your server is vulnerable, because it did the work of finding out the answer and presenting it to you.
More often than not, if you are running a DNS server, you probably don’t need it. To best way to secure your server is to turn it off, stop the service and remove the software.
You only need a DNS server on your system for one of the following purposes:
- Your DNS server is configured with zone files for domains that you are hosting, and you have asked a DNS registrar (e.g. enom.com) to point domains to your DNS server. You will recognise these terms if you have done this. You do not need DNS recursion for this function.
- You are unhappy with the quality of the DNS resolver you are using and would rather implement this function yourself. If this is why you have a DNS server, you do not need to answer external queries. You can protect the server with a firewall.
- You are providing zone files for a private domain, e.g. as some part of Active Directory. In this case, you can limit your responses to only those systems that have an interest in that private domain, i.e. members of the Active Directory system.
- You are competing with OpenDNS and Google’s DNS recursor. If you are doing this, you must implement appropriate rate limits.
- Add this to the “options” section of /etc/named.conf
- Then restart named so that it will use the new secure options:
If you have installed or enabled Exchange then you have implicitly turned on DNS, which by default runs as a recursive service and can be horribly attacked. Usually, you can just firewall the DNS service.
Run this command:
dnscmd./Config /NoRecursion 1
Or follow this procedure :
- Go to ‘Start’.
- Type ‘Control panel’.
- Select ‘System and Security’.
- Select ‘Administrative Tools’.
- Select ‘DNS (DNS manager)’.
- Right-click on DNS server.
- Select ‘Properties’.
- Select ‘Advanced’.
- Click ‘Server options’.
- Select ‘Disable recursion’.
- Click ‘Yes, OK’.
Unfortunately, it is not possible to prevent the Microsoft DNS server from replying with cached values, so your non-recursive DNS server will provide a small amount of useful traffic amplification for attackers. Where possible, add a firewall rule that blocks incoming traffic from unauthorised clients towards port 53/UDP (and port 53/TCP for good measure).
If your DNS server is used only by the machine on which you are running it, you can block external queries as follows:
iptables -A INPUT -p udp -m udp --dport 53 -i ! lo -j DROP
These iptables firewall rules will prohibit ANY excessive queries to a non-recursive DNS:
iptables -A INPUT -p udp -m udp --dport 53 \
-m string --hex-string "|0000ff0001|" --algo bm --from 48 --to 65535 \
-m recent --set --name dnsanyquery --rsource
iptables -A INPUT -p udp -m udp --dport 53 \
-m string—hex-string “|0000ff0001|”—algo bm—from 48—to 65535 \
-m recent—rcheck—seconds 60—hitcount 5—name dnsanyquery—rsource \
If you have run an open DNS resolver, you can limit the rate at which the server will accept queries:
iptables -A INPUT -p udp --dport 53 -m hashlimit \
--hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip\
--hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP
If your router is proxying DNS to an external IP, you will need to configure it.
- Login into the router as admin.
- Change the Network or Firewall settings.
An alternative is a factory reset the router and then reconfiguring the router with an admin password, wireless settings, and authentication credentials for your connection.