DoS Attack Against Bind

Discussion in 'Tips/Tricks/Mods' started by supanatral, Apr 23, 2013.

  1. supanatral

    supanatral Member

    First and foremost, my ISPConfig server was setup exactly as shown in this tutorial: Perfect Server

    For the past 36 hours, my ISPConfig server has been up and down like a basketball for no apparent reason. The server never restarted, no services failed, no logs that stood out to me, etc, etc.

    After looking at our firewall, I found that there was a continuous 5mbps upload for DNS traffic alone!!

    Many hours later, I found out that my DNS server had the "recursion" option enabled which allowed anyone in the world to use my DNS server to lookup any website it pleased rather then only responding to the DNS zones that I personally host.

    After I disabled recursion, I found that the "/var/log/messages" log file being inundated with lines that show the following:
    I realized very quickly that I was receiving anywhere between 100-750 DNS queries every second!! After much more research, I finally configured the application fail2ban to watch my DNS logs and ban any IP address after 3 failed DNS queries for a period of 5 minutes.

    How is how I did it:

    Disabling Recursion

    First thing I found was that by default, recursion was enable on the bind server. I turned this off by editing the file /etc/named.conf:

    Configuring Fail2Ban
    Firstly, make the bind log file
    Next, edit /etc/named.conf and edit the logging options to show the following:

    Restart Bind using:
    OK, now to set up fail2ban. Edit the /etc/fail2ban/jail.conf file and change from:
    and from:
    Then restart fail2ban in the usual manner,

    Last edited: Apr 23, 2013
    borekon likes this.
  2. SunnyD

    SunnyD New Member

    While it's unlikely as a whole, with such a low threshold (3 failed queries in 5 minutes) especially if you host multiple domains, you could very well be blacklisting legitimate addresses.

    Using a higher threshold (20 failed queries in 5 minutes for example) would be more than sufficient to block those that were using your previously open DNS resolver for DoS reflection purposes.
  3. supanatral

    supanatral Member

    Good call SunnyD.

    The only other thing to be mindful of is whether or not the network firewall can handle the load. Although this significantly decreased the server load by performing the steps above, the DNS connections still needed to pass through the hardware firewall before the connection was passed onto the ISPConfig server and finally rejected by iptables.

Share This Page