DDoS against DNS servers

Bastian Blank - Sun 17 June 2012

Today I found out that the DNS server at home is being used for a DDoS against another DNS server. The attackers send a small query, "ripe.net ANY" in this case, with a faked source IP. The DNS server answers with a much larger packet to the (faked) source.

Because the domain is not one the server is authoritative for, the nameserver should only have returned an error (REFUSED) to an unknown client. Instead the BIND config allowed everyone, including the spoofed addresses, to get answers from the cache, which is exactly what turns a recursive resolver into an amplifier:

allow-query-cache { 0.0.0.0/0; ::/0; };

With the cache restricted to the local networks, the server now only returns an error for such queries from outside. The ripe.net query was a good choice for the attackers: a short question, a large signed answer, and any open resolver will happily fetch and cache it.
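The weak setting beside the corrected one, as an added named.conf fragment (not the configuration from the original post). It uses BIND's builtin ACLs localhost and localnets; the `trusted` ACL name and the 192.0.2.0/24 network are placeholders for the networks the resolver should serve:

```conf
// Before: anyone on the Internet can read (and have the server populate) the cache.
options {
    recursion yes;
    allow-query-cache { 0.0.0.0/0; ::/0; };
};

// After: only the local networks may use the cache and the recursor.
// Queries for names the server is not authoritative for get REFUSED otherwise.
acl trusted { localhost; localnets; 192.0.2.0/24; };   // placeholder networks

options {
    recursion yes;
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };
};
```

`allow-recursion` is restricted as well, because a client that may not read the cache but may still trigger recursion can also be used to reflect answers; check with `named-checkconf` and then query the server from an outside address, which must now return REFUSED.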

Restricting answers from the cache does not help if the queried nameserver is authoritative for the domain, since those answers must be given to everybody. In this case it can help to drop queries for the ANY type at the firewall. In ferm (which generates iptables rules) this looks like this; the rule searches the packet starting at byte 40 (20 bytes IPv4 header, 8 bytes UDP header, 12 bytes DNS header, i.e. the start of the question section) for the byte pattern 00 (end of the queried name) followed by QTYPE 00ff (ANY) and QCLASS 0001 (IN). It only covers UDP, and it also drops legitimate ANY queries, which are rare but do exist:

proto udp dport domain mod string from 40 algo bm hex-string '|0000ff0001|' DROP;
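Both mitigations, the allow-query-cache ACL and the ANY-drop rule, decide on a few bytes of the query. The following added Python example (not code from the original post) builds a DNS query in wire format, parses the question back out, models BIND's cache ACL decision, and emulates the iptables string match with the same offset and pattern as the ferm rule above. The local zones, client addresses and networks are constructed sample values; the IPv4/UDP headers are zero-padded fakes that only exist to make the byte offset realistic:

```python
"""DNS query construction and the two checks discussed above (added example)."""
import ipaddress
import struct

QTYPE_A = 1
QTYPE_ANY = 255
QCLASS_IN = 1

IP_UDP_HEADER_LEN = 20 + 8   # IPv4 without options + UDP
DNS_HEADER_LEN = 12
FERM_PATTERN = bytes.fromhex("0000ff0001")  # QNAME terminator, QTYPE=ANY, QCLASS=IN


def encode_name(name):
    """Domain name in DNS wire format: length-prefixed labels plus root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Minimal DNS query: 12-byte header with RD set and one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(payload):
    """Return (qname, qtype, qclass) of the first question in a DNS message."""
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos = DNS_HEADER_LEN
    labels = []
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def cache_query_allowed(qname, client_ip, local_zones, allow_query_cache):
    """Model the allow-query-cache decision: names in a local (authoritative)
    zone are answered for everyone; anything else only if the client matches
    the allow-query-cache ACL (a list of CIDR strings here)."""
    if any(qname == z or qname.endswith("." + z) for z in local_zones):
        return True
    client = ipaddress.ip_address(client_ip)
    return any(client in ipaddress.ip_network(net) for net in allow_query_cache)


def wrap_udp_ipv4(payload, sport=53000, dport=53):
    """Constructed IPv4+UDP framing (checksums left zero) so that the DNS
    payload starts at byte 28 like in a real packet."""
    ip = bytearray(20)
    ip[0] = 0x45                      # version 4, IHL 5 (no options)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return bytes(ip) + udp + payload


def ferm_rule_matches(ip_packet):
    """Emulate 'mod string from 40 algo bm hex-string |0000ff0001|':
    search from byte 40 (start of the question section) to the end."""
    return FERM_PATTERN in ip_packet[IP_UDP_HEADER_LEN + DNS_HEADER_LEN:]


if __name__ == "__main__":
    query = build_query("ripe.net", QTYPE_ANY)
    print("query bytes:", len(query), parse_question(query))
    print("ANY rule fires:", ferm_rule_matches(wrap_udp_ipv4(query)))
    # constructed: server is authoritative for example.org, serves 192.168.0.0/16
    print("spoofed outsider gets cached ripe.net:",
          cache_query_allowed("ripe.net", "203.0.113.7", ["example.org"], ["192.168.0.0/16"]))
```

The whole "ripe.net ANY" question is 26 bytes of DNS payload, which is what makes the attack cheap for the sender; the pattern lands at byte 21 of the payload, i.e. byte 49 of the packet, so the `from 40` offset skips the headers without losing the match. Note that the string match is a heuristic over raw bytes: an IPv6 packet shifts the offset by 20 bytes (still past 40, so it matches), and it does nothing for queries over TCP.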