How to Limit DNS Request per ip source ?

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Jan 14 13:30:10 UTC 2013 

On Mon, Jan 14, 2013 at 06:36:44PM +0530,
 Gaurav Kansal <gaurav.kansal at nic.in> wrote 
 a message of 156 lines which said:

> I tried the following commands, but unfortunately didn't succeed. 

Why do you want to limit? If it is against a DoS attack, I warn you
that most Netfilter modules (for instance, "state") require allocating
a state on the firewall and a clever attack can fill the memory of the
machine.

> If anyone is using iptables for limiting DNS Query per IP, 

If you have a DNS server used for reflection+amplification attacks
*and* it is a Linux machine *and* you have Netfilter >= 1.4 *and* you
cannot or does not want to install the patches for BIND or NSD to do
rate-limiting (they may provide a better result) *and* the attack is
over IPv4 *and* the attacker uses only a few domain names, you could
be interested in the technique we use. Disclaimer: it works for us, it
will not work for ever, it works now.

The idea is to use the Netfilter u32 module to recognize the attack,
then to rate-limit it with the Netfilter hashlimit module.

First, get the iptables rules generation script
<http://www.bortzmeyer.org/files/generate-netfilter-u32-dns-rule.py>.

Then, look at the traffic so see the pattern: what query type
(typically ANY), what query domain name, etc. In the examples, we'll
assume QTYPE=ANY, QNAME=example.net.

Then, generate the Netfilter rule:

iptables -A INPUT -p udp --dport 53 -m u32 \
     --u32 $(python generate-netfilter-u32-dns-rule.py --qname example.net --qtype ANY) -j RATELIMITER

The RATELIMITER chain can be:

iptables -A RATELIMITER -m hashlimit \
   --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
   --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP

or you can replace -j RATELIMITER by -j DROP of you want to be
radical.

There are more options in the generate-netfilter-u32-dns-rule.py
script, such as --bufsize=NNN if the attacker uses a fixed EDNS buffer
size (some do).

There are several ways for the attacker to work around this technique
(some obvious and some not so obvious). But my point is that it works
*today*, with *actual* attacks. So, it definitely helps but keep your
eyes open, have alternative solutions in place and do not put all your
eggs in one basket

More details (only in French) at
<http://www.bortzmeyer.org/rate-limiting-dns-open-resolver.html>
and <http://www.bortzmeyer.org/dns-netfilter-u32.html>

More information about the bind-users mailing list