Prevent DoS Attacks Via DNS (BIND)

A malformed UDP packet to your DNS server can cause it to respond to an IP address that never made the request (with the response being being more bytes than the request). So someone malicious could use one of your name servers to throw unwanted traffic at a 3rd IP address. Annoying… but pretty easy to solve. You can setup BIND to only answer DNS queries that it’s authoritative for except for specific blocks of IPs which it will do recursive lookups for (basically internal IPs that could use the DNS server as it’s name server for lookups).

Besides your server becoming part of a DoS attack, it can suck a ton of your own bandwidth (I was seeing cases where short-lived attacks were saturating 3Mbit worth of my bandwidth). Not any more! 🙂 I figured out what was causing the bandwidth spikes with my friend, tcpdump.

I’m too tired to get into more details (that’s what Google is good for), but you can basically add something along these lines to your /etc/named.conf file:

allow-recursion {;;};

That will ignore DNS requests from any IP (except those 2 subnets) when the IP makes a request about any domain that the DNS server not an authoritative server for.

One thought on “Prevent DoS Attacks Via DNS (BIND)”

Leave a Reply

Your email address will not be published. Required fields are marked *