Blocking DNS Recursion Attacks

The easiest way to do this is a properly configured BIND setup; however, if you want to block these attempts before they reach your server, you can add the following iptables rule to your existing configuration. When a rogue server or user attempts a DNS recursion attack, they will be doing something similar to:

dig . NS @yourserver.com

Normally this will be reflected in your logs as:

Jan 01 dev named[23890]: client 127.0.0.1#65188: query (cache) './NS/IN' denied

If you see "denied", that is a good thing; however, these attempts can still fill your logs quickly. With that said, this iptables rule will give you peace of mind and smaller log files:

iptables -I INPUT -p udp --dport 53 -m length --length 45 -j DROP

Once you have this rule in place, run "dig . NS @yourserver.com" to test. Enjoy.
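The 45 in the rule is the total IPv4 length of the probe above: 20 bytes IP header + 8 bytes UDP header + a 17-byte DNS payload (12-byte header, the root name as a single zero byte, and 2 bytes each of qtype and qclass). The following added example (mine, not part of the original post) builds that query byte for byte, emulates the length match, and shows two things worth knowing before you rely on the rule: any root-name query without EDNS (for example ". SOA") is the same size and is dropped too, while a dig that sends an EDNS0 OPT record by default produces a 56-byte packet that passes (use "dig +noedns" when testing). The transaction ID and the 4096 EDNS buffer size are constructed sample values.

```python
import struct

IP_HDR, UDP_HDR = 20, 8          # IPv4 header (no options) + UDP header
QTYPE_NS, QTYPE_SOA, QTYPE_OPT, QCLASS_IN = 2, 6, 41, 1

def encode_name(name):
    """DNS wire encoding of a dotted name; the root '.' is a single zero byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name=".", qtype=QTYPE_NS, edns=False, txid=0x1234):
    """UDP payload of a 'dig <name> <type>' query with the RD flag set.
    edns=True appends the EDNS0 OPT pseudo-record that newer dig versions add by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    opt = b""
    if edns:
        # OPT RR: root name, type 41, "class" = advertised UDP size, TTL 0, RDLEN 0 (11 bytes)
        opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, 0, 0)
    return header + question + opt

def ip_packet_length(udp_payload):
    """Total IPv4 length, which is what 'iptables -m length' compares against."""
    return IP_HDR + UDP_HDR + len(udp_payload)

def rule_drops(udp_payload, match_len=45):
    """Emulate '-p udp --dport 53 -m length --length 45 -j DROP'."""
    return ip_packet_length(udp_payload) == match_len

def parse_question(udp_payload):
    """Return (qname, qtype) of the first question, or None if the payload is malformed."""
    if len(udp_payload) < 17 or struct.unpack("!H", udp_payload[4:6])[0] != 1:
        return None
    pos, labels = 12, []
    while pos < len(udp_payload):
        ln = udp_payload[pos]
        pos += 1
        if ln == 0:
            break
        labels.append(udp_payload[pos:pos + ln].decode(errors="replace"))
        pos += ln
    if pos + 4 > len(udp_payload):
        return None
    return ".".join(labels) or ".", struct.unpack("!H", udp_payload[pos:pos + 2])[0]

if __name__ == "__main__":
    for label, pkt in [("dig . NS +noedns", build_query()),
                       ("dig . NS (EDNS)", build_query(edns=True)),
                       ("dig example.com NS +noedns", build_query("example.com"))]:
        print(f"{label:28s} {ip_packet_length(pkt):3d} bytes  dropped={rule_drops(pkt)}")
```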