LinuxQuestions.org
Forums > Linux Forums > Linux - Security
Post #1, 08-12-2009, 12:32 AM, drzigman:
Limiting DNS queries with iptables recent, bad idea?


Greetings!

I have written a chain that looks like this:

Code:
################
## BIND Rules ##
################
# User-defined chain for traffic to BIND; the jump into it from INPUT
# (e.g. for port 53) is not shown in the post.
iptables -N bind
# Never rate-limit the local resolver.
iptables -A bind --source 127.0.0.1 -j ACCEPT
# Record the source address of every new flow in the "BIND" recent list.
iptables -A bind -m state --state NEW -m recent --set --name BIND
# Three or more new flows from one source within 5 seconds: log (at most one
# line a minute) and drop.  Each matching --update also refreshes the entry.
iptables -A bind -m state --state NEW -m recent --update --seconds 5 --hitcount 3 --name BIND -m limit --limit 1/minute -j LOG --log-prefix "BIND-ATTACK    " --log-level 5
iptables -A bind -m state --state NEW -m recent --update --seconds 5 --hitcount 3 --name BIND -j DROP

Now here is my question. Is this a bad idea? Should I not be limiting requests coming into bind for a server being used to host multiple (300+) websites? Or is my limit simply too low? The reason I ask is before I limited the logging to 1/minute I was getting literally TONS of BIND-ATTACK messages causing me to believe that possibly valid DNS requests are being refused.

I'm just trying to get some other people's opinions on doing something like this and I am very much appreciative of any thoughts or advice anyone can provide.

Thank you for taking the time to read through this!
 
Old 08-12-2009, 12:49 AM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653Reputation: 653Reputation: 653Reputation: 653Reputation: 653Reputation: 653
Hi drzigman,

A firewall ruleset wouldn't be my first port of call; it will reduce the load on your DNS server but won't resolve the problem and may even make it worse. What sort of troubleshooting have you already performed? A few things you might want to check -

Is your bind server actually struggling with the load?

Try turning query logging on temporarily to determine what sort of DNS requests you are receiving and whether they are valid or actually an attack.

If the requests are valid, what are your TTLs set to for the zones? ... maybe they're too low.

Good luck.

kbp
 
Old 08-12-2009, 12:33 PM   #3
drzigman
LQ Newbie
 
Registered: Jan 2003
Distribution: Slackware
Posts: 19

Original Poster
Rep: Reputation: 0
Thank you for your response!

I'm not actually having any problems at the moment; I'm simply trying to create my firewall to protect against random intrusion/denial of service attacks. Most of the other services (ftp, ssh, smtp, etc.) I have a very clear head about, but DNS is giving me a bit of trouble.

The bind server is not at all struggling with load. While I may not *need* to protect the service, I figure, why not, since I'm writing rules for everything else?

The majority of the errant DNS requests I see hitting the log files are lame servers. No valid requests are being blocked at this point (as far as I can tell) but I do believe I'll turn on my verbose debugging to watch exactly what the requests are.

TTLs are 24 hours, which should suit me fine.

If the query logging turns up anything interesting I'll be sure to share!
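As an added example that is not part of any post in this thread: the Python script below answers kbp's question of whether valid requests are being refused by drzigman's chain (posts #1 to #3). It replays a BIND query log through a model of the `--set` / `--update --seconds 5 --hitcount 3` bookkeeping, so the threshold can be judged from real traffic offline rather than by loading the rules on a live server. It assumes the query-log line format BIND 9 writes when query logging is toggled on with `rndc querylog` and `print-time yes` is set; the regular expression, the sample addresses and log lines (constructed), and the simulation of xt_recent's behaviour (one stamp per `--set`, one more per matching `--update` rule, a source dropped once it has `hitcount` stamps inside the window) are this example's own.

```python
"""Replay a BIND query log through a model of the thread's `recent` rule.

Added example for this thread, not code from any post.  The log lines are
constructed, and the window/hitcount model is this example's own reading of
xt_recent: `--set` records a timestamp for the source, and each matching
`--update --seconds S --hitcount H` rule records another one.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# BIND 9 query-log line as written with `rndc querylog` on and print-time yes.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)

# Constructed sample: a recursive resolver (192.0.2.10) looking up several of
# the hosted zones in one burst, a quiet client (198.51.100.7), a source that
# repeats the same query six times in half a second (203.0.113.9), and one
# non-query line of the kind the OP mentions seeing.
SAMPLE_LOG = """\
12-Aug-2009 00:32:09.990 lame server resolving 'example.com' (in 'example.com'?): 203.0.113.53#53
12-Aug-2009 00:32:10.000 client 192.0.2.10#53211: query: www.example.com IN A +
12-Aug-2009 00:32:10.100 client 198.51.100.7#4212: query: example.com IN A +
12-Aug-2009 00:32:10.400 client 192.0.2.10#41876: query: example.org IN MX +
12-Aug-2009 00:32:11.200 client 192.0.2.10#60012: query: mail.example.net IN A +
12-Aug-2009 00:32:12.000 client 192.0.2.10#33801: query: example.com IN AAAA +
12-Aug-2009 00:32:13.500 client 192.0.2.10#50777: query: www.example.org IN A +
12-Aug-2009 00:32:15.000 client 203.0.113.9#1025: query: example.com IN A +
12-Aug-2009 00:32:15.100 client 203.0.113.9#1026: query: example.com IN A +
12-Aug-2009 00:32:15.200 client 203.0.113.9#1027: query: example.com IN A +
12-Aug-2009 00:32:15.300 client 203.0.113.9#1028: query: example.com IN A +
12-Aug-2009 00:32:15.400 client 203.0.113.9#1029: query: example.com IN A +
12-Aug-2009 00:32:15.500 client 203.0.113.9#1030: query: example.com IN A +
12-Aug-2009 00:32:20.100 client 198.51.100.7#4213: query: example.com IN A +
"""


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype) for a query-log line, else None."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["ip"], m["name"], m["type"]


def simulate_recent(events, seconds=5, hitcount=3, update_rules=2):
    """Model of the chain.  Every query is a NEW conntrack flow (resolvers use a
    fresh source port per query), so each one passes `--set` and then the
    `--update` rules.  A source with >= hitcount stamps inside the window is
    dropped, and each matching --update rule (the LOG and DROP rules here)
    adds another stamp, which is why a busy source stays blocked until it
    goes quiet for a whole window.  Returns (accepted, dropped) event lists."""
    stamps = defaultdict(deque)
    accepted, dropped = [], []
    for ev in sorted(events, key=lambda e: e[0]):
        ts, ip = ev[0], ev[1]
        q = stamps[ip]
        q.append(ts)                              # --set
        while q and (ts - q[0]).total_seconds() > seconds:
            q.popleft()                           # older than --seconds
        if len(q) >= hitcount:                    # --update --hitcount matches
            q.extend([ts] * update_rules)         # each match refreshes the entry
            dropped.append(ev)
        else:
            accepted.append(ev)
    return accepted, dropped


def analyze(log_text, seconds=5, hitcount=3):
    """Per-source (accepted, dropped) counts for a log replayed through the rule."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    accepted, dropped = simulate_recent(events, seconds, hitcount)
    summary = defaultdict(lambda: [0, 0])
    for ev in accepted:
        summary[ev[1]][0] += 1
    for ev in dropped:
        summary[ev[1]][1] += 1
    return {ip: tuple(v) for ip, v in summary.items()}


if __name__ == "__main__":
    for ip, (ok, nok) in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{ip:15} accepted={ok} dropped={nok}")
```

On the constructed sample the resolver at 192.0.2.10 has three of its five perfectly legitimate queries dropped: a recursive resolver that serves many users will often look up several of the 300 hosted sites within a few seconds, which is exactly the false positive kbp warns about. To evaluate a different threshold, replay a real log (read the file and pass its text to `analyze`) with other `seconds` and `hitcount` values and look at which sources would be dropped before changing the rules.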