Sysadmin: block these pesky recursive DNS queries with iptables rate limiting rules

If you are managing a Linux server you have probably heard about the recent DNS amplification attacks that used misconfigured DNS servers.

Your server may not be misconfigured and still you see a lot of denied queries in your /var/log/messages where somebody is trying to use your DNS server to flood somebody else. In this case the reply will be a “denied” packet, but it still goes to the flood target, not to mention flooding your syslog messages log and stealing bandwidth from your server.
I found a working solution to this problem on the Internet and put together a small shell script to test and use it.
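Before adding firewall rules it helps to know which clients are behind the denied queries. The script below is an added example, not the post's script: it summarises BIND "query ... denied" lines per client address. The log lines in sample_log are constructed in the format BIND writes to syslog, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: summarise BIND "query ... denied"
# lines per client address so the sources abusing the resolver stand out.
# The log lines in sample_log are constructed in the format BIND writes to syslog.

# Constructed sample of /var/log/messages: three denied ANY queries from one
# client, one from another, and one ordinary query-log line that must be ignored.
sample_log() {
    cat <<'EOF'
Mar 10 12:00:01 ns1 named[1234]: client 192.0.2.10#4321: query (cache) 'isc.org/ANY/IN' denied
Mar 10 12:00:01 ns1 named[1234]: client 192.0.2.10#4322: query (cache) 'isc.org/ANY/IN' denied
Mar 10 12:00:02 ns1 named[1234]: client 198.51.100.7#53000: query (cache) 'ripe.net/ANY/IN' denied
Mar 10 12:00:02 ns1 named[1234]: client 192.0.2.10#4323: query (cache) 'isc.org/ANY/IN' denied
Mar 10 12:00:03 ns1 named[1234]: client 10.0.0.5#1025: query: example.com IN A + (10.0.0.1)
EOF
}

# Read log text on stdin; print "count ip" per client, busiest first.
denied_by_client() {
    sed -n 's/.*client \([0-9.][0-9.]*\)#[0-9][0-9]*: query (cache) .* denied.*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Same, but keep only clients with more than $1 denied queries (the kind of
# threshold the iptables hitcount later enforces in the kernel).
abusive_clients() {
    denied_by_client | awk -v limit="$1" '$1 > limit'
}

# Typical use on a live server:
#   abusive_clients 10 < /var/log/messages
sample_log | abusive_clients 2
```

Run against the real log the output is one line per client over the threshold, which is the list worth comparing with what the iptables rules end up dropping.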

There is room for adjustment for your particular case: seconds is the measurement interval and hitcount is the number of queries you allow to reach your server; all other packets from IPs that are over the threshold will be dropped.
I’ve found 1 packet in 10 seconds sufficient to cover most cases.
If you want to have these rules installed on system boot you will need to consult your Linux distro documentation.
For Centos/RHEL it’s relatively easy:
root# iptables-save > /etc/sysconfig/iptables
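The post's own script is not reproduced above, so here is an added example of the technique it describes, written by me rather than taken from the post: per-source rate limiting of UDP/53 queries with the iptables "recent" module, using the post's suggested values (10 seconds, 1 query) as defaults. The list name dnsquery, the variable names and the command-line switches of the script are assumptions; the hex string |0000FF0001| is the QTYPE=ANY/QCLASS=IN tail of a DNS question.

```shell
#!/bin/sh
# Added example (not the post's script): rate-limit recursive DNS queries per
# source address with the iptables "recent" module. Defaults follow the post:
# a measurement window of 10 seconds and 1 query allowed per source inside it.
# IPT=echo prints the rules instead of installing them; names are assumptions.
IPT="${IPT:-iptables}"
WINDOW="${WINDOW:-10}"      # --seconds: measurement interval
HITCOUNT="${HITCOUNT:-1}"   # queries allowed per source inside the window
LIST="dnsquery"             # name of the recent-module address list

# Extra matches ($@) narrow which queries are counted. Rule order matters:
# the --rcheck rule only reads the list, so a dropped packet is not counted
# again and the source is unblocked automatically once the window passes;
# the --set rule then records every query that was let through.
# Note: the recent module keeps at most ip_pkt_list_tot (default 20) hits
# per address, so HITCOUNT above that needs the module parameter raised.
ratelimit_rules() {
    "$IPT" -A INPUT -p udp --dport 53 "$@" \
        -m recent --rcheck --seconds "$WINDOW" --hitcount "$HITCOUNT" --name "$LIST" --rsource \
        -j DROP
    "$IPT" -A INPUT -p udp --dport 53 "$@" \
        -m recent --set --name "$LIST" --rsource
}

# Count every UDP query: simple, but also limits legitimate busy clients.
dns_ratelimit_rules() {
    ratelimit_rules
}

# Count only ANY queries (the type amplification abuses), so normal lookups
# from busy clients such as forwarders or large NATs are not affected.
dns_any_ratelimit_rules() {
    ratelimit_rules -m string --algo bm --hex-string '|0000FF0001|'
}

case "${1:-}" in
    --install)      dns_ratelimit_rules ;;
    --install-any)  dns_any_ratelimit_rules ;;
    *)              IPT=echo dns_ratelimit_rules ;;   # default: only show the rules
esac
```

Run it without arguments to see the rules, with --install or --install-any to load them, then persist them the way the distro expects (on CentOS/RHEL, iptables-save > /etc/sysconfig/iptables as above). Watch the DROP counters in iptables -L INPUT -v -n against the client list from the log to confirm the threshold is hitting the abusers and not your own resolvers.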

  1. can't see anything after –hex-strin, for some reason it can't be scrolled

    • Thank you for noticing it – it should be ok now, looks like HTML minify broke the CSS.

  2. This solution does not work. Queries still come through.

    • It does not block all requests – just reduces the number of recursive requests. Use tcpdump to see what kind of requests you are getting. Put allow-recursion {localnets; }; into your named.conf options section too.
