dns-operations AT lists.opennicproject.org
Subject: Dns-operations mailing list
List archive
- From: Stefan Sabolowitsch <Stefan.Sabolowitsch AT felten-group.com>
- To: "<dns-operations AT lists.opennicproject.org>" <dns-operations AT lists.opennicproject.org>
- Subject: [opennic-dns-operations] DNS Dampening, a modern Spamfilter for DNS Servers ?!
- Date: Wed, 28 Nov 2012 15:42:53 +0000
Hi all,
We all fight against DDoS and DoS attacks on our DNS servers.
A short, small example:
2-Nov-2012 07:45:58.339 client 184.168.72.113#39943 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:45:58.453 client 93.170.127.96#46196 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:45:58.661 client 93.170.127.96#14231 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:00.065 client 184.168.72.113#12578 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:01.696 client 93.170.127.96#25345 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:01.786 client 184.168.72.113#25345 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:03.075 client 184.168.72.113#25345 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:03.509 client 184.168.72.113#25345 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
I found this nice patch from DNS/DNSSEC expert Lutz Donnerhacke here:
And this small piece of information on this list.
After applying this patch, and with these parameters in named.conf:
dampening {
    exempt-clients { 216.87.84.214;128.177.28.254;207.192.71.13;66.244.95.11;202.83.95.229;84.200.228.200;178.63.116.152;75.127.96.89; };
    report-interval 60 ;
    score-per-query 1 ;
    score-first-query 10 ;
    min-table-size 500 ;
    max-table-size 1000 ;
    limit-maximum 32000 ;
    # limit-enable-dampening min. 0.3 from limit-maximum
    limit-enable-dampening 16000 ;
    # limit-disable-dampening min. 0.1 from limit-maximum or limit-enable-dampening
    limit-disable-dampening 5100 ;
    limit-irrelevant 150 ;
    score-qtype-any 100 ;
    score-duplicates 100 ;
    IPv4-prefix-length 24 ;
    IPv6-prefix-length 48 ;
};
Now I find this new information in named.log:
27-Nov-2012 15:56:08.181 client 93.170.127.96#592 (isc.org): query: isc.org IN ANY +ED (192.168.200.12) 15956
27-Nov-2012 15:56:08.181 93.170.127.0/24 dampening activated.
At the end of the first line, there is now the score value "15956".
In the second line you can see that this IP address/netblock has gone into "dampening" (limit-enable-dampening 16000).
After a week of testing, I can say it works very well.
I need no local firewall parameters or scripts to protect my test DNS server.
And here you can find all the tests and information about "DNS Dampening":
Perhaps this information is also interesting for others with DNS servers.
Regards
Stefan
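
An added example, not part of the original post or of the dampening patch: a small named.log summarizer that groups the query lines shown above by netblock (/24 and /48, as in the posted configuration), tracks the trailing score, and flags blocks that are nearing or have reached limit-enable-dampening 16000. The function names, the warn_ratio threshold, and every sample line except the first two are assumptions made for illustration.

```python
import ipaddress
import re

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+ \(\S+\): query: \S+ IN (?P<qtype>\S+) "
    r"\S+ \(\S+\)(?: (?P<score>\d+))?$")
ACTIVATED_RE = re.compile(r" (?P<net>\S+/\d+) dampening activated\.$")

# Sample input: the first two lines are the ones quoted in the post,
# the remaining three are constructed in the same format.
SAMPLE_LOG = """\
27-Nov-2012 15:56:08.181 client 93.170.127.96#592 (isc.org): query: isc.org IN ANY +ED (192.168.200.12) 15956
27-Nov-2012 15:56:08.181 93.170.127.0/24 dampening activated.
27-Nov-2012 15:56:09.002 client 192.0.2.10#5353 (example.org): query: example.org IN A + (192.168.200.12) 11
27-Nov-2012 15:56:09.410 client 198.51.100.7#4101 (isc.org): query: isc.org IN ANY +ED (192.168.200.12) 9100
27-Nov-2012 15:56:09.777 client 198.51.100.9#4102 (isc.org): query: isc.org IN ANY +ED (192.168.200.12) 9400
"""

def netblock(ip, v4_len=24, v6_len=48):
    """Map a client address to its block (IPv4-/IPv6-prefix-length from the post)."""
    addr = ipaddress.ip_address(ip)
    plen = v4_len if addr.version == 4 else v6_len
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

def summarize(log_text, enable_limit=16000, warn_ratio=0.5):
    """Per-netblock query counts, highest logged score and dampening state.
    warn_ratio is an assumed early-warning threshold, not a patch parameter."""
    blocks = {}
    def entry(net):
        return blocks.setdefault(
            net, {"queries": 0, "any": 0, "max_score": 0, "state": "ok"})
    for line in log_text.splitlines():
        line = line.strip()
        m = QUERY_RE.search(line)
        if m:
            e = entry(netblock(m["ip"]))
            e["queries"] += 1
            e["any"] += m["qtype"] == "ANY"
            # Lines from an unpatched server carry no trailing score: count as 0.
            e["max_score"] = max(e["max_score"], int(m["score"] or 0))
            if e["state"] == "ok" and e["max_score"] >= enable_limit * warn_ratio:
                e["state"] = "approaching"
            continue
        m = ACTIVATED_RE.search(line)
        if m:  # only the "activated" message appears in the post
            entry(str(ipaddress.ip_network(m["net"], strict=False)))["state"] = "dampened"
    return blocks

if __name__ == "__main__":
    for net, info in sorted(summarize(SAMPLE_LOG).items()):
        print(net, info)
```
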