danb1

DNS Recursive rate limit

Hello.
We are running the latest OES 11 SP3, fully patched.
We are using the novell-named DNS service running on 2 servers.
They are set as authoritative servers for our inside subnets, and we have 2 of our ISP's DNS servers set in the forwarding list.
We have recursion set to the defaults: on, and 1000 clients.

OK, so now to the issue we are having.
We have had a problem with all of a sudden losing connection to the internet. It has only happened a few times, but we are pretty sure what is causing it.
Digging through the named log file, we see that recursive clients have reached the 1000 limit when the issue happens. I know we can bump this limit up, but I don't think that will be the fix for the problem we are seeing.

We believe what is happening is a DNS amplification attack. When this attack happens, it quickly eats up the recursion client limit and then kills DNS.
We are 100% sure this is the issue because we were able to attack our own server, and we saw the recursion client count hit the 1000 limit pretty quickly, and down goes DNS.

So the question is: what is the best way to stop this from happening?
I think a rate limit could be implemented to stop this, but I can't find a setting like that in the DNS-DHCP console.
We tried adding a rate limit by editing the named.conf file, but either we added it wrong or it just doesn't work with the novell-named service.

Thanks in advance for any help and/or suggestions.
4 Replies
Knowledge Partner

Re: DNS Recursive rate limit

In article <danb1.88ocnb@no-mx.forums.microfocus.com>, Danb1 wrote:
> We are running latest OES 11 SP3 fully patched.
> We are using the novell-named DNS service running on 2 servers.


But are they accessible to the outside? If so, please block that as
soon as you can. Open recursive DNS is a dangerous game to play if you
aren't going all in on all the active defence that you would need.
So: recursive, or open to the outside, just not both.
Your best bet is to block it at your firewall.

Using an open recursive DNS for an amplification attack is just one of
the bad things such a DNS can be used for.


Andy of
http://KonecnyConsulting.ca in Toronto
Knowledge Partner
http://forums.novell.com/member.php/75037-konecnya
If you find a post helpful and are logged in the Web interface, please
show your appreciation by clicking on the star below. Thanks!

___
Andy of Konecny Consulting in Toronto
Knowledge Partner Profile
If you find a post helpful, click the Like button below. Thanks!
0 Likes
danb1 Absent Member.
Absent Member.

Re: DNS Recursive rate limit

We don't have them accessible to the outside.
We are pretty sure that the few times this has happened, it actually came from inside our network.
When we attacked our server, we had done it from inside our network.
Our end goal is to stop this DNS amplification attack from a subnet on our network that needs access to our DNS server.
It's tough to track down who is doing this because they are spoofing the DNS server, and the attack appears to be from the server IP.

Thank you for the reply!
Knowledge Partner

Re: DNS Recursive rate limit

danb1 wrote:

> It's tough to track down who is doing this because they are spoofing
> the DNS server and the attack appears to be from the server ip.


Have you done a packet trace?

You should be able to isolate the MAC Address of the offender.

--
Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below this post.
Thank you.
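Kevin's point is that a forged source IP does not survive the local segment: the Ethernet source MAC on the frames that carry the queries is the real sender. The following is an added example (not code from this thread or from Kevin) of how that attribution is done on a packet trace. It decodes Ethernet/IPv4/UDP/DNS headers by hand, counts recursive queries per (source MAC, claimed source IP) and flags any MAC whose frames claim the resolver's own address. The resolver address `10.0.0.53`, its MAC, the client MACs and the traffic itself are all constructed for the example; the thread gives none of them.

```python
import struct
from collections import Counter

# Constructed values for the example: the resolver's address and MAC. The thread
# gives neither, so these are placeholders, not the poster's real addresses.
SERVER_IP = "10.0.0.53"
SERVER_MAC = "00:50:56:aa:bb:cc"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_query_frame(src_mac, src_ip, qname):
    """Fabricate one Ethernet/IPv4/UDP frame carrying a DNS query for qname with the
    RD (recursion desired) bit set. Checksums are left zero; this is constructed
    input for the parser below, standing in for frames read from a capture."""
    labels = b"".join(bytes([len(part)]) + part.encode() for part in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                       ip_bytes(src_ip), ip_bytes(SERVER_IP)) + udp
    ethernet = mac_bytes(SERVER_MAC) + mac_bytes(src_mac) + b"\x08\x00"   # dst, src, IPv4
    return ethernet + ipv4


def parse_dns_query(frame):
    """Return (src_mac, src_ip, recursion_desired, qname) for an IPv4/UDP frame
    addressed to port 53 that carries a DNS query; None for anything else."""
    if len(frame) < 14 + 20 + 8 + 12:                 # Ethernet + IPv4 + UDP + DNS header
        return None
    src_mac = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:                              # not UDP
        return None
    src_ip = frame[14 + 12:14 + 16]
    udp_off = 14 + ihl
    _, dst_port = struct.unpack("!HH", frame[udp_off:udp_off + 4])
    if dst_port != 53:
        return None
    dns_off = udp_off + 8
    _, flags, _ = struct.unpack("!HHH", frame[dns_off:dns_off + 6])
    if flags & 0x8000:                                   # QR set: a response, not a query
        return None
    labels, pos = [], dns_off + 12
    while True:                                          # walk the first question name
        length = frame[pos]
        if length == 0:
            break
        if length & 0xC0:                                # compression pointer: not valid here
            return None
        pos += 1
        labels.append(frame[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return mac_str(src_mac), ip_str(src_ip), bool(flags & 0x0100), ".".join(labels)


def attribute_queries(frames, server_ip=SERVER_IP):
    """Count recursive queries per (source MAC, claimed source IP) and separately
    count, per MAC, frames whose claimed source IP is the resolver's own address."""
    counts, spoofed = Counter(), Counter()
    for frame in frames:
        parsed = parse_dns_query(frame)
        if parsed is None or not parsed[2]:
            continue
        src_mac, src_ip, _, _ = parsed
        counts[(src_mac, src_ip)] += 1
        if src_ip == server_ip:
            spoofed[src_mac] += 1
    return counts, spoofed


def sample_capture():
    """Constructed traffic: one ordinary client and one host forging the server's own IP."""
    frames = [build_query_frame("aa:aa:aa:aa:aa:01", "10.0.1.20", "intranet.example") for _ in range(3)]
    frames += [build_query_frame("de:ad:be:ef:00:01", SERVER_IP, f"host{i}.example") for i in range(50)]
    return frames


if __name__ == "__main__":
    counts, spoofed = attribute_queries(sample_capture())
    for (mac, ip), n in counts.most_common():
        print(f"{mac} claiming {ip}: {n} recursive queries")
    for mac, n in spoofed.items():
        print(f"MAC {mac} sent {n} queries claiming the resolver's own IP {SERVER_IP}")
```

On a real trace the frames would come from a capture taken on the resolver's segment (a span port or the server itself); the MAC found this way is then matched against the switch's forwarding table to find the port, which is what "isolate the MAC address of the offender" comes down to.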
Knowledge Partner

Re: DNS Recursive rate limit

On 28.11.2017 15:44, danb1 wrote:
>
> Hello.
> We are running the latest OES 11 SP3, fully patched.
> We are using the novell-named DNS service running on 2 servers.
> They are set as authoritative servers for our inside subnets, and we have
> 2 of our ISP's DNS servers set in the forwarding list.
> We have recursion set to the defaults: on, and 1000 clients.
>
> Ok so now to the issue we are having.
> We have had a problem with all of a sudden losing connection to the
> internet. It has only happened a few times but we are pretty sure what
> is causing it.
> Digging through the named log file, we see that recursive clients have reached
> the 1000 limit when the issue happens. I know we can bump this limit up,
> but I don't think that will be the fix for the problem we are seeing.
>
> We believe what is happening is a DNS Amplification attack. When this
> attack happens it quickly eats up the recursion client limit and then
> kills DNS.
> We are 100% sure this is the issue because we were able to attack our
> own server and we saw the recursion client limit hit the 1000 limit
> pretty quickly and down goes DNS.
>
> So the question is what is the best way to stop this from happening?
> I think a rate limit could be implemented to stop this but I can't find
> a setting like that in the DNS-DHCP console.
> We tried adding a rate limit by editing the named.conf file but either
> we added it wrong or it just doesn't work with the novell-named
> service.


1. You can't edit named.conf in Novell DNS; it retrieves its
configuration from eDirectory, not from conf files. To add options to
it, you have to configure them in eDirectory. Generally speaking, you can
manually add some more options than are visible in the DNS-DHCP console
by default.

2. This is IMHO the wrong way to attack this. Allowing this to happen in
an internal network and fighting the symptom is just wrong. You have
much more serious problems than a DNS attack when this happens internally.

3. I actually doubt that it's a deliberate attack, based on your
statement that someone would spoof the DNS server IP. IP spoofing is
*extremely* complex and unlikely, even in a UDP-based service. I rather
suspect some configuration issue somewhere, or a broken service on the
DNS server itself.

Personally, I would set up LAN traces and detailed logging on the DNS
server, to see who requests what exactly there.

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
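Massimo's second suggestion, detailed logging on the server, yields a query log rather than a trace. As an added example (not from this thread or from Massimo), the code below summarizes BIND 9 style query-log lines per client: total and recursive queries, how many distinct names were asked for, and queries per second over the window in which the client was seen. A client that sends a high rate of recursive queries almost all for different names behaves like a flood rather than a user, which is the pattern that exhausts a recursive-clients limit. That novell-named writes its query log in exactly this BIND layout is an assumption of the example; the log lines, the addresses and the thresholds are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The line layout below follows BIND 9's query log ("client IP#port: query: NAME
# CLASS TYPE FLAGS (server)"). novell-named is BIND based, but that its log looks
# exactly like this is an assumption of this example, not something the thread states.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?P<ip>[\d.]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)
TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"


def parse_line(line):
    """Return the fields of one query-log line, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["recursion_desired"] = rec["flags"].startswith("+")   # '+' = RD set, '-' = not set
    return rec


def summarize(lines):
    """Per client IP: query count, recursive count, distinct names and queries per
    second over the window in which that client was seen."""
    seen = defaultdict(lambda: {"total": 0, "recursive": 0, "names": set(),
                                "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = seen[rec["ip"]]
        s["total"] += 1
        s["recursive"] += int(rec["recursion_desired"])
        s["names"].add(rec["name"].lower())
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    summary = {}
    for ip, s in seen.items():
        span = max((s["last"] - s["first"]).total_seconds(), 0.001)   # avoid division by zero
        summary[ip] = {"total": s["total"], "recursive": s["recursive"],
                       "distinct_names": len(s["names"]), "qps": s["total"] / span}
    return summary


def flag_clients(summary, min_total=20, max_qps=50.0, min_distinct_ratio=0.9):
    """Clients whose rate and name churn look like a flood: many queries per second,
    almost every one for a different name. Thresholds are constructed and tunable."""
    return sorted(ip for ip, s in summary.items()
                  if s["total"] >= min_total and s["qps"] > max_qps
                  and s["distinct_names"] / s["total"] >= min_distinct_ratio)


def sample_log():
    """Constructed log: one ordinary client, and one source that claims the
    resolver's own address (as in the thread) and fires 100 unique names in a second."""
    base = datetime(2017, 11, 28, 15, 44, 0)
    fmt = lambda ts: ts.strftime(TS_FORMAT)[:-3]   # BIND prints milliseconds, not microseconds
    lines = [f"{fmt(base + timedelta(seconds=i))} client 10.0.1.20#4123: query: "
             f"{'mail' if i % 2 else 'www'}.example.com IN A + (10.0.0.53)" for i in range(5)]
    lines += [f"{fmt(base + timedelta(milliseconds=10 * i))} client 10.0.0.53#{20000 + i}: query: "
              f"r{i:04d}.example.net IN A + (10.0.0.53)" for i in range(100)]
    lines.append("28-Nov-2017 15:44:02.000 unrelated log line")   # exercises the no-match path
    return lines


if __name__ == "__main__":
    summary = summarize(sample_log())
    for ip, s in summary.items():
        print(f"{ip}: {s['total']} queries ({s['recursive']} recursive), "
              f"{s['distinct_names']} distinct names, {s['qps']:.1f} q/s")
    print("flagged:", flag_clients(summary))
```

The per-client source address in the log is whatever the client put in the IP header, so a forged address shows up as the resolver itself; the log tells you that a flood is happening and what it asks for, while the trace in the earlier example tells you which MAC sent it.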