dns-operations - Re: [opennic-dns-operations] DNS Dampening, a modern Spamfilter for DNS Servers ?!

dns-operations AT lists.opennicproject.org

Subject: Dns-operations mailing list

  • From: Stefan Sabolowitsch <Stefan.Sabolowitsch AT felten-group.com>
  • To: "<dns-operations AT lists.opennicproject.org>" <dns-operations AT lists.opennicproject.org>
  • Subject: Re: [opennic-dns-operations] DNS Dampening, a modern Spamfilter for DNS Servers ?!
  • Date: Thu, 6 Dec 2012 13:28:45 +0000

Hi all,
I just got a mail from Lutz Donnerhacke.
He wants to create the patches for all major versions: 9.4, 9.7 and 9.8.
I have to thank him in the name of all.

Regards
Stefan

On 06.12.2012 at 05:34, Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:

Very nice find!  Did you happen to see any info about this being backported to older versions?  For most of us, our distro's stable version is still back in the 9.7 or even 9.4 series.  I'm honestly surprised it has taken this long to see a solution released for an issue that is obviously affecting a lot of network operations.

One case to consider - if you DO have a dedicated firewall, then the iptables solutions should still be used (at least for now).  Otherwise all that query data could flood your internal network before it gets squashed.


On 11/28/2012 08:42 AM, Stefan Sabolowitsch wrote:
Hi all,
We all fight against DDoS and DoS attacks on our DNS servers.

A short, small example:
2-Nov-2012 07:45:58.339 client 184.168.72.113#39943 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:45:58.453 client 93.170.127.96#46196 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:45:58.661 client 93.170.127.96#14231 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:00.065 client 184.168.72.113#12578 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:01.696 client 93.170.127.96#25345 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:01.786 client 184.168.72.113#25345 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:03.075 client 184.168.72.113#25345 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:03.509 client 184.168.72.113#25345 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)

I found this nice patch from DNS/DNSSEC expert Lutz Donnerhacke here:

And this small piece of information on this list.


After this patch and with these parameters in named.conf:

       dampening {
                    exempt-clients { 216.87.84.214;128.177.28.254;207.192.71.13;66.244.95.11;202.83.95.229;84.200.228.200;178.63.116.152;75.127.96.89; };
                    report-interval 60 ;
                    score-per-query 1 ;
                    score-first-query 10 ;
                    min-table-size 500 ;
                    max-table-size 1000 ;
                    limit-maximum 32000 ;
                    # limit-enable-dampening min. 0.3 from limit-maximum
                    limit-enable-dampening 16000 ;
                    # limit-disable-dampening min. 0.1 from limit-maximum or limit-enable-dampening
                    limit-disable-dampening 5100 ;
                    limit-irrelevant 150 ;
                    score-qtype-any 100 ;
                    score-duplicates 100 ;
                    IPv4-prefix-length 24 ;
                    IPv6-prefix-length 48 ;
                   };
    
Now I find this new information in named.log:

27-Nov-2012 15:56:08.181 client 93.170.127.96#592 (isc.org): query: isc.org IN ANY +ED (192.168.200.12) 15956
27-Nov-2012 15:56:08.181 93.170.127.0/24 dampening activated.

At the end of the first line, there is now the score value "15956".
In the second line you can see that this IP address/netblock has gone into "dampening" (limit-enable-dampening 16000).

After a week of testing, I can say it works very well.
I need no local firewall parameters or scripts to protect my test DNS server.

And here you can find all tests and information about "DNS Dampening":


Perhaps this information is also interesting for others with DNS servers.

Regards
Stefan 
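
Added example, not part of the original mail or of the dampening patch: a Python sketch that reads a named.log in the format quoted above (query line with trailing score, followed by the "dampening activated." line) and summarizes it per netblock. The sample lines are constructed, and the names summarize, QUERY_RE and DAMP_RE as well as the grouping by the 24/48 prefix lengths from the posted config are assumptions of this example.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample in the log format shown in the mail; not real traffic.
SAMPLE_LOG = """\
27-Nov-2012 15:56:07.902 client 93.170.127.96#14231 (isc.org): query: isc.org IN ANY +ED (192.168.200.12) 15856
27-Nov-2012 15:56:08.181 client 93.170.127.96#592 (isc.org): query: isc.org IN ANY +ED (192.168.200.12) 15956
27-Nov-2012 15:56:08.181 93.170.127.0/24 dampening activated.
27-Nov-2012 15:56:09.004 client 192.0.2.17#40112 (example.org): query: example.org IN A + (192.168.200.12) 10
"""

# Query line; the trailing score is optional so unpatched logs still parse.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]*)\): query: \S+ IN "
    r"(?P<qtype>\S+) \S+ \(\S+\)(?: (?P<score>\d+))?$"
)
# State line as it appears in the mail ("<netblock> dampening activated.").
DAMP_RE = re.compile(r"(?P<net>[0-9a-fA-F.:]+/\d+) dampening activated\.")


def summarize(log_text, v4_len=24, v6_len=48):
    """Return {netblock: {queries, any, max_score, dampened}}."""
    stats = defaultdict(
        lambda: {"queries": 0, "any": 0, "max_score": None, "dampened": False}
    )
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            ip = m.group("ip")
            plen = v6_len if ":" in ip else v4_len
            # Map the client to its netblock, as the prefix-length options do.
            entry = stats[str(ip_network(f"{ip}/{plen}", strict=False))]
            entry["queries"] += 1
            entry["any"] += int(m.group("qtype") == "ANY")
            if m.group("score") is not None:
                score = int(m.group("score"))
                prev = entry["max_score"]
                entry["max_score"] = score if prev is None else max(prev, score)
            continue
        m = DAMP_RE.search(line)
        if m:
            stats[str(ip_network(m.group("net"), strict=False))]["dampened"] = True
    return dict(stats)


if __name__ == "__main__":
    for net, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(net, entry)
```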

