I am describing the defence against an attack that I happened to detect tonight.

Symptoms:

In my case specifically, the option “recursion no” was missing. I wrongly assumed that removing the recursion permission would turn recursion off. It does not.

 //       allow-recursion { any; };

It is necessary to write recursion no; explicitly.
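As an added check (not from the original post), a small Python audit that reproduces the mistake described above: it strips the three comment forms named.conf accepts and then looks for an active recursion statement, so a commented-out allow-recursion line is ignored and the absence of recursion no; reports BIND's default, which is recursion yes. The named.conf fragments are constructed samples, not the post's configuration.

```python
import re

# Constructed named.conf fragments (samples for this example, not the post's config).
# First: the mistake from the post, allow-recursion commented out and nothing else.
CONF_COMMENTED_ALLOW = """\
options {
    directory "/var/cache/bind";
    //       allow-recursion { any; };
};
"""

# Second: the fix, an explicit recursion no; in options.
CONF_EXPLICIT_NO = """\
options {
    directory "/var/cache/bind";
    //       allow-recursion { any; };
    recursion no;
};
"""

# Third: recursion no; is present but inside a block comment, so it is not active.
CONF_BLOCK_COMMENTED = """\
options {
    /* recursion no; */
};
"""


def strip_comments(text: str) -> str:
    """Remove the three comment forms named.conf accepts: /* ... */, // ... and # ..."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def effective_recursion(conf: str) -> str:
    """Return the active value of the 'recursion' statement ('yes' or 'no').

    If no uncommented statement is present, BIND's default applies: recursion yes.
    Whether allow-recursion is present or commented out does not change that.
    The lookbehind keeps 'allow-recursion' from being mistaken for 'recursion'."""
    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", strip_comments(conf))
    return m.group(1) if m else "yes"


def audit(conf: str) -> str:
    """One-line verdict, handy when re-checking a server after applying the fix."""
    if effective_recursion(conf) == "no":
        return "OK: recursion no;"
    return "WARNING: server is recursive (recursion yes, the default)"


if __name__ == "__main__":
    samples = [("commented allow-recursion", CONF_COMMENTED_ALLOW),
               ("explicit recursion no", CONF_EXPLICIT_NO),
               ("block-commented recursion no", CONF_BLOCK_COMMENTED)]
    for name, conf in samples:
        print(f"{name}: {audit(conf)}")
```

Run it against a copy of your own named.conf (read the file into a string and pass it to audit) to confirm that the statement is really active and not sitting inside a comment.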

Because of the enormous volume of data, logging has to be redirected elsewhere. As a bonus, this stops needlessly eating up capacity on the central remote-log server to which all syslogs are sent online.

logging {
     category lame-servers { null; };

     channel security_file {
         file "/var/log/named/security.log" versions 3 size 30m;
         severity dynamic;
         print-time yes;
     };
     category security {
         security_file;
     };
};

That was the first step to success.

Second step to success

Symptoms of the attack:

Jun  6 02:14:34 www named[22552]: client 199.229.230.62#25595: query (cache) './ANY/IN' denied
Jun  6 02:14:34 www named[22552]: client 199.229.230.62#25595: query (cache) './ANY/IN' denied
Jun  6 02:14:34 www named[22552]: client 199.229.230.62#25595: query (cache) './ANY/IN' denied
Jun  6 02:14:34 www named[22552]: client 199.229.230.62#25595: query (cache) './ANY/IN' denied
Jun  6 02:14:34 www named[22552]: client 199.229.230.62#25595: query (cache) './ANY/IN' denied
Jun  6 02:14:34 www named[22552]: client 199.229.230.62#25595: query (cache) './ANY/IN' denied

here again fail2ban works perfectly with this setup:

[named-refused-udp]
 
enabled  = true
port     = domain,953
protocol = udp
filter   = named-refused
logpath  = /var/log/named/security.log
 
[named-refused-tcp]
 
enabled  = true
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log

After a while, a hefty list like this starts to appear in the iptables listing:

dns:/etc/fail2ban# iptables -L -n
[...]
Chain fail2ban-named-refused-udp (1 references)
target     prot opt source               destination         
DROP       all  --  24.131.123.64        0.0.0.0/0           
DROP       all  --  69.246.154.178       0.0.0.0/0           
DROP       all  --  64.120.30.66         0.0.0.0/0           
DROP       all  --  76.186.226.253       0.0.0.0/0           
DROP       all  --  82.11.150.206        0.0.0.0/0           
DROP       all  --  142.136.203.131      0.0.0.0/0           
DROP       all  --  64.31.23.230         0.0.0.0/0           
DROP       all  --  185.5.174.200        0.0.0.0/0           
DROP       all  --  67.167.168.119       0.0.0.0/0           
DROP       all  --  50.23.74.93          0.0.0.0/0           
DROP       all  --  201.124.46.222       0.0.0.0/0           
DROP       all  --  24.189.209.41        0.0.0.0/0           
DROP       all  --  81.2.197.157         0.0.0.0/0           
DROP       all  --  37.5.92.17           0.0.0.0/0           
DROP       all  --  65.128.26.184        0.0.0.0/0           
DROP       all  --  68.55.173.3          0.0.0.0/0           
DROP       all  --  184.61.247.204       0.0.0.0/0           
DROP       all  --  99.233.205.66        0.0.0.0/0           
DROP       all  --  77.96.105.112        0.0.0.0/0           
DROP       all  --  189.228.237.69       0.0.0.0/0           
DROP       all  --  200.147.38.48        0.0.0.0/0           
DROP       all  --  200.221.11.116       0.0.0.0/0           
DROP       all  --  200.147.38.49        0.0.0.0/0           
DROP       all  --  200.147.6.35         0.0.0.0/0           
DROP       all  --  208.115.222.253      0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0    

Bind9 notify

Bind DNS sends notify to all name servers except itself and the master name server in the SOA.

  notify yes;

sends notify to all name servers in the NS RRs (except itself and the SOA master)

  notify yes;
  also-notify { x.x.x.x; y.y.y.y; };

sends notify to x.x.x.x, y.y.y.y and all name servers in the NS RRs (except itself and the SOA master).

  notify explicit;
  also-notify { x.x.x.x; y.y.y.y; };

sends notify to just x.x.x.x and y.y.y.y.

Warning: bind+fail2ban configured this way can cause a DoS of your own server. UDP packets may arrive with a spoofed source IP.
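The detection the jail above performs, as an added Python example that is not part of the post and is not fail2ban's own named-refused filter: it matches the denied-query lines shown earlier, counts them per client IP against a maxretry threshold, and honours an ignore list in the role of fail2ban's ignoreip setting, which is the practical answer to the warning just above: a forged UDP source address can only get a host banned if that host is not on the ignore list, so your own secondaries, resolvers and monitoring hosts belong there. The log lines and addresses below are constructed samples from documentation ranges; the pattern also accepts the "client @0x... ip#port (name):" form that newer BIND versions log.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Pattern in the spirit of a fail2ban filter for the lines shown in the post.
# It also accepts the "client @0x... 192.0.2.1#1234 (name):" form that newer
# BIND versions write, so the same check works on current logs.
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: query \([^)]*\) '(?P<query>[^']*)' denied"
)


def _line(ip, port, query="./ANY/IN", ts="Jun  6 02:14:34"):
    """Build one log line in the format the post shows (constructed sample data)."""
    return f"{ts} www named[22552]: client {ip}#{port}: query (cache) '{query}' denied"


# Constructed sample log using documentation address ranges, not real clients.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.99", 25595)] * 6                        # flood from one source
    + [_line("192.0.2.10", 40000)] * 2                        # a few denials, below threshold
    + [_line("203.0.113.5", 53)] * 6                          # "our" secondary; source may be forged
    + [_line("198.51.100.7", 5300, query="example.org/A/IN")]
    + ["Jun  6 02:14:36 www named[22552]: zone example.org/IN: sending notifies (serial 2024060601)"]
)


def offenders(log_text, maxretry=5, ignoreip=("127.0.0.0/8", "::1/128")):
    """Count denied queries per client IP, as the jail does within its findtime,
    and return {ip: count} for every client that reached maxretry.

    Addresses inside any network in ignoreip are never reported. That is the
    role fail2ban's ignoreip plays: list your own secondaries, resolvers and
    monitoring hosts there so that UDP packets with a forged source address
    cannot get them banned (the self-DoS the post warns about)."""
    ignore_nets = [ip_network(n) for n in ignoreip]
    hits = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue                      # not a denied-query line
        ip = ip_address(m.group("ip"))
        if any(ip in net for net in ignore_nets):
            continue                      # protected host, never ban
        hits[str(ip)] += 1
    return {ip: n for ip, n in hits.items() if n >= maxretry}


if __name__ == "__main__":
    print("no ignore list:   ", offenders(SAMPLE_LOG))
    print("secondary ignored:", offenders(SAMPLE_LOG, ignoreip=("127.0.0.0/8", "203.0.113.5/32")))
```

With the default ignore list the forged-source flood gets the secondary at 203.0.113.5 reported alongside the real offender; adding 203.0.113.5/32 to ignoreip leaves only 203.0.113.99, which is exactly what the jail's ignoreip line should achieve on the real server.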