Networking HowTos
Networking HowTos

Prevent DNS Amplification Attacks with BIND

August 5, 2013 Linux

DNS amplification attacks are a common form of DDoS that makes used of misconfigured DNS servers on the internet. The attack involves sending a request to the misconfigured DNS server, with a spoofed source IP address, so the response goes back to a third party (the target/victim). The attacker will use the largest DNS query possible, so that more data is sent to the target IP address, flooding their connection. To help prevent these attacks, always make sure your DNS servers are set up to block recursive queries from the general public.
Restrict recursion to authorized networks:
Edit the bind configuration file (usually named.conf), and set up a new ACL. Specify the networks you wish to allow recursion.
Eg:

acl internalnetworks {
    127.0.0.1/32;
    192.168.0.0/24;
    10.0.0.0/8;
};

In this example, we are allowing 127.0.0.1, 192.168.0.0/24 and 10.0.0.0/8.
Once done, set up the options section to allow recursion only from the ACL set up above.

options {
    allow-query {
        any;
    };
    allow-recursion {
        internalnetworks;
    };
};

Save the file, and restart BIND to make these changes take affect.

You Might Also Like