How to Protect an open DNS resolver
Solved by BuckGup,
You want to set rate limits on your DNS, something like this: https://gist.github.com/tuklusan/f71e01fd6cac0219fe0b91afbfc91858
# Rate Limit TCP DNS connections
#------------------------------------------
-A INPUT -p tcp --dport 53 -m state --state NEW -m hashlimit --hashlimit 10/sec --hashlimit-mode srcip --hashlimit-burst 20 --hashlimit-name test -j ACCEPT
-A INPUT -p tcp --dport 53 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
#------------------------------------------
# Rate Limit UDP DNS connections
# Poor Man's Anti-DNS Amplification Attack
# Ref: http://www.iplux.net/2015/01/17/Blocking-DNS-Amplification-attacks
#------------------------------------------
-A INPUT -p udp -m udp --dport 53 -m limit --limit 10/sec -j LOG --log-prefix "fw-dns " --log-level 7
#-A INPUT -p udp -m udp --dport 53 -j ACCEPT
Here is a more streamlined version checking the hex code
https://freek.ws/2017/03/18/blocking-dns-amplification-attacks-using-iptables/
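The two techniques in the answer above (a per-source hashlimit bucket, and a string match on the question section to drop QTYPE=ANY queries) combined into one ruleset generator, as an added example that is not part of the original post or of either linked gist. Note that the UDP portion of the snippet quoted above only logs over-limit traffic (the ACCEPT is commented out and there is no DROP), so it does not actually limit anything; the version below applies hashlimit to UDP as well. The chain name DNS-IN, the default rate and burst values, and the log prefix are this example's own choices. The hex pattern 0000ff0001 is QTYPE=255 (ANY) followed by QCLASS=1 (IN), and the match starts at byte 40 of the packet (20-byte IP header + 8-byte UDP header + 12-byte DNS header) so the headers themselves are never searched; it is restricted to UDP because DNS over TCP carries a 2-byte length prefix that shifts the offsets. The script prints an iptables-restore fragment rather than calling iptables, so it can be reviewed (and tested) before it is loaded.

```shell
#!/bin/sh
# Generate an iptables-restore fragment that rate-limits inbound DNS per source IP
# and drops UDP queries for QTYPE=ANY, the usual amplification vector.
# Added example; chain name, defaults and log prefix are assumptions, not from the post.

# dns_ratelimit_rules RATE BURST
#   RATE  - sustained queries per second allowed per source IP (hashlimit syntax, e.g. 20/sec)
#   BURST - credit a source may spend before the sustained limit engages
dns_ratelimit_rules() {
    rate="${1:-20/sec}"
    burst="${2:-40}"
    cat <<EOF
*filter
:DNS-IN - [0:0]
# Hand every inbound port-53 packet (new TCP connections, all UDP) to the DNS-IN chain
-A INPUT -p udp --dport 53 -j DNS-IN
-A INPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j DNS-IN
# Drop UDP queries whose question is QTYPE=ANY (0x00ff) / QCLASS=IN (0x0001).
# Question section starts at byte 40 (20 IP + 8 UDP + 12 DNS header), so the
# search window never covers the headers. UDP only: TCP DNS has a 2-byte length prefix.
-A DNS-IN -p udp -m string --algo bm --from 40 --to 65535 --hex-string "|0000ff0001|" -j DROP
# Per-source token bucket: ${rate} sustained, ${burst} burst, keyed on source IP
-A DNS-IN -m hashlimit --hashlimit-name dns-src --hashlimit-mode srcip --hashlimit-upto ${rate} --hashlimit-burst ${burst} -j ACCEPT
# Over the limit: log (itself limited so an attacker cannot flood the log) and drop
-A DNS-IN -m limit --limit 5/min -j LOG --log-prefix "fw-dns-ratelimit " --log-level 7
-A DNS-IN -j DROP
COMMIT
EOF
}

# Print the ruleset with the caller's RATE and BURST (or the defaults).
# To load it without touching other chains:  ./dns-rules.sh 20/sec 40 | iptables-restore --noflush
dns_ratelimit_rules "$@"
```

Two caveats a practitioner should keep in mind. A per-source bucket only throttles each spoofed source address individually, so an attacker spreading reflection traffic across many forged sources still gets amplification; this is damage limitation, not a fix. The durable fix for an open resolver is to stop being one: restrict recursion in the resolver itself to the networks you serve (every mainstream resolver has an allow-recursion or equivalent setting) and enable its built-in response rate limiting, then keep the iptables rules as a second layer.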