On 09/06/12 18:58, Kostas Zorbadelos wrote:
>> Kostas Zorbadelos <[email protected]> writes:
>>
>>> there is a need to restrict a specific type of DNS queries (ANY queries)
>>> in our nameservers. We faced a DDoS attack in our resolvers and the
>>> thing is that we could not simply cut access to DNS resolution to
>>> specific client IPs, the queries came from our own unsuspecting
>>> customers.
>>>
> Ohh, they do and that is the problem. We can't just cut the
> "offending" clients because they will have no Internet service :) Also
> we do not accept packets with sources in our network ranges "from the
> outside" in our border ACLs (I guess this is common antispoof practice).
Hi,

My understanding so far is that the queries hit your DNS servers from your ISP network/clients and are not spoofed. Also, those queries hit the recursive/caching DNS servers (open only to the ISP network) and they are of type ANY for a specific domain (example.com). If this is true, then why not try to 'filter' on the application layer rather than on the network?

As far as I know, BIND cannot block specific queries. You might want to check unbound and local-data.

Maybe you could try some kind of DNS proxy to filter out the unwanted queries, since there is a pattern. Check http://thesprawl.org/projects/dnschef/ (haven't tested it).

Alternatively, you would want to implement that pf helper/'proxy' as Henning suggested, which without doubt would be faster, but you have to develop it.

Last, run the iptables matching filter on the DNS servers' firewall itself (if they run Linux) and not on the external firewalls.

Good luck,
Giannis
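As an added illustration of the application-layer filter suggested above (example code, not from either poster or from any of the tools mentioned), the core of such a DNS proxy is a check on the question section: parse the header and first question of each UDP payload and forward everything except ANY queries for the abused zone. The zone name `example.com`, the `build_query` helper used to construct sample packets, and the policy of not forwarding malformed packets are assumptions of this example.

```python
import struct

QTYPE_ANY = 255  # RFC 1035 QTYPE value for "*" (ANY) queries


def parse_query(packet: bytes):
    """Parse the DNS header and first question; return (qname, qtype, qclass)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    labels, off = [], 12
    while True:
        if off >= len(packet):
            raise ValueError("truncated qname")
        length = packet[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are not valid in a query's question name.
            raise ValueError("compression pointer in question name")
        labels.append(packet[off:off + length].decode("ascii").lower())
        off += length
    if off + 4 > len(packet):
        raise ValueError("truncated qtype/qclass")
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return ".".join(labels), qtype, qclass


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Construct a plain query packet (RD set, one question); used only for sample input."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)


def should_drop(packet: bytes, blocked_zones) -> bool:
    """True if the proxy should not forward: ANY for a blocked zone (or its subdomains), or malformed."""
    try:
        qname, qtype, _qclass = parse_query(packet)
    except ValueError:
        return True  # assumption: malformed input is dropped rather than forwarded
    if qtype != QTYPE_ANY:
        return False
    return any(qname == z or qname.endswith("." + z) for z in blocked_zones)


if __name__ == "__main__":
    # Constructed sample traffic: the abusive pattern and ordinary lookups.
    for name, qtype in [("example.com", QTYPE_ANY), ("www.example.com", 1), ("example.org", QTYPE_ANY)]:
        print(name, qtype, "drop" if should_drop(build_query(name, qtype), {"example.com"}) else "forward")
```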

