Re: Is it possible to block all ANY queries?



First of all, we need to have a look at the hexadecimal values of a DNS ANY query packet. Below is an example of a DNS query for - ANY

21:45:17.159364 00:0f:34:ac:fa:49 > d0:50:99:53:f2:fc, ethertype IPv4 (0x0800), length 76: > 29319+ ANY? (34)
        0x0000:  4500 003e d702 0000 4011 36ef c0a8 0002  E..>....@.6.....
        0x0010:  ac10 0003 ac08 0035 002a 7d19 7287 0100  .......5.*}.r...
        0x0020:  0001 0000 0000 0000 0377 7777 0866 6163  .........www.fac
        0x0030:  6562 6f6f 6b03 636f 6d00 00ff 0001

Analyzing the hexadecimal of the trace, at the end of the packet we can notice the value 0x00ff0001 (corresponding to "....." in ASCII) that identifies the DNS query as type ANY. Thanks to that, iptables can analyze each DNS query packet, identify those whose type is ANY, remember the source IP that sends the ANY request, and temporarily restrict the number of DNS ANY queries for that specific IP address for a period of time.

Let’s analyze and explain the iptables rules deployed on DNS Server:

iptables -I INPUT 4 -p udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm -m recent --set --name dnsanyquery --rsource

iptables -I INPUT 5 -p udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm -m recent --rcheck --seconds 60 --hitcount 5 --name dnsanyquery --rsource -j DROP

First rule - from left to right:

iptables -I INPUT 4 --> configure an iptables rule on the INPUT chain and place it at position 4 of the ACL

-p udp --dport 53 --> take into account UDP packets with destination port number 53

-m string --> use the iptables-extension module called "string"

--hex-string "|0000ff0001|" --> The string to be matched inside the packet must correspond to the hexadecimal value "0000ff0001" (which corresponds to the ANY DNS query type in the above tcpdump trace)

--algo bm --> To those packets that match the above values, apply the Boyer-Moore algorithm

-m recent --> Apply a second iptables-extension module called recent. The recent module allows you to dynamically create a list of IP addresses and then match against that list in a few different ways. For example, you can create a "badguy" list out of people attempting to connect to port xyz on your firewall and then DROP all future packets from them without considering them.

--set --name dnsanyquery --> To those packets, apply a list named dnsanyquery

--rsource --> In the dnsanyquery list, save the source IP address of those packets that match the above rules


Second rule - The first part is the same as in the first rule (iptables -I INPUT 5 -p udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm -m recent)

--rcheck --> Check if the source address of the packet is currently in the list (dnsanyquery)

--seconds 60 --> This will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds (60 seconds in this rule)

--hitcount 5 --> This will narrow the match to only happen when the address is in the list and packets had been received greater than or equal to the given value (5 hits in this rule)

--name dnsanyquery --rsource --> Same meaning as in the first rule

-j DROP --> Drop the packets that match the values described in this iptables rule.

Thanks to a bash script, we can convert the raw data of the dnsanyquery list and find out which IP address (and when) sent more than 5 ANY queries in less than 60 seconds:

root@banana:/etc/my_scripts# ./ Sep 29 22:36:15 BST 2015

2015-12-17 0:33 GMT+00:00 Josh Sanders <[hidden email]>:
Hello, could you point me in the right direction with a tutorial or example about?
Thank you for your reply

On Wed, Dec 16, 2015 at 5:11 PM, Federico Olivieri <[hidden email]> wrote:

Hi, have you tried with iptables? You can set the max ANY queries for an IP and track the IP that asks for the ANY query

On 16 Dec 2015 22:05, "Josh Sanders" <[hidden email]> wrote:

I just set up PowerDNS and it works faultlessly: pdns-static_3.4.7-1_amd64.deb

But it keeps receiving 100s of ANY queries.

PowerDNS/Bind Backend has zone: but it keeps receiving ANY queries like these:

Remote wants '|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote wants '|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote wants '|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote wants '|ANY', do = 0, bufsize = 1680: packetcache MISS

I know how to block those IPs with fail2ban but I would not like to have 100s of iptables rules.

Is there a way to block ANY queries?

I mean like CloudFlare does: Please stop asking for ANY / See draft-jabley-dnsop-refuse-any

Also, I tried any-to-tcp=yes but it does not seem to work.


Pdns-users mailing list
[hidden email]
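
A small Python model of the two rules discussed in this thread, added here as an illustration (it is not part of the original post and is not iptables code). It parses the DNS payload from the tcpdump trace to show where the 0000ff0001 bytes sit, then replays constructed traffic from documentation addresses through the --set / --rcheck logic. Assumptions: a limit of 20 stored timestamps per address, and a pattern search over the DNS payload only.

```python
import struct
from collections import defaultdict, deque

# Bytes the string match looks for: root label 00, QTYPE 00ff (ANY), QCLASS 0001 (IN).
PATTERN = bytes.fromhex("0000ff0001")
SECONDS, HITCOUNT = 60, 5   # --seconds / --hitcount from the second rule
MAX_STAMPS = 20             # assumed xt_recent default number of timestamps per address

# DNS payload of the traced packet (offset 0x1c onward, after the IP and UDP headers).
TRACE_QUERY = bytes.fromhex(
    "728701000001000000000000"               # ID 0x7287 = 29319, RD set, one question
    "037777770866616365626f6f6b03636f6d00"   # QNAME as length-prefixed labels
    "00ff0001")                              # QTYPE 255 (ANY), QCLASS 1 (IN)
# Constructed for comparison: the same question asked as type A (QTYPE 1).
A_QUERY = TRACE_QUERY[:-4] + bytes.fromhex("00010001")

def parse_question(payload):
    """Return (qname, qtype, qclass) of the first question in a DNS message."""
    pos, labels = 12, []                     # the DNS header is 12 bytes long
    while payload[pos]:                      # a zero length byte ends the name
        length = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, qclass = struct.unpack_from("!HH", payload, pos + 1)
    return ".".join(labels), qtype, qclass

def run_rules(packets):
    """Model both rules for (time_s, src, payload) tuples; one verdict per packet."""
    stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))
    verdicts = []
    for now, src, payload in packets:
        if PATTERN not in payload:           # -m string fails: neither rule applies
            verdicts.append("PASS")
            continue
        stamps[src].append(now)              # rule at position 4: --set, no target
        hits = sum(1 for t in stamps[src] if now - t <= SECONDS)
        verdicts.append("DROP" if hits >= HITCOUNT else "PASS")   # position 5
    return verdicts

def demo():
    """Constructed traffic: one source sends ANY every 10 s, another sends A queries."""
    times = [0, 10, 20, 30, 40, 50, 130]
    any_src = run_rules([(t, "192.0.2.10", TRACE_QUERY) for t in times])
    a_src = run_rules([(t, "192.0.2.20", A_QUERY) for t in times])
    return any_src, a_src

if __name__ == "__main__":
    print(parse_question(TRACE_QUERY))
    print(demo())
```

In this model the fifth ANY query inside the 60-second window is the first one dropped, because the --set rule records the packet before the --rcheck rule counts it. Dropped packets keep refreshing the list for the same reason, so a source is let through again only after it slows down.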
