0

Debugging a DNSmasq server using it's logs, I find a LOT of:

dnsmasq: query[ANY] . from RANDOM-IP
dnsmasq: query[ANY] . from RANDOM-IP
dnsmasq: query[ANY] . from RANDOM-IP
dnsmasq: query[ANY] . from RANDOM-IP

All legitimate queries seem to be more specific, like:

dnsmasq: query[A] specificdomain.com from KNOWN-IP

EDIT: This is NOT intended as a public DNS service

We want to create a white-list DNS filter, it should ONLY answer to a list of specified domains. Typical amplification attacks would only affect our server, nobody else. We just want a cleaner log to be able to operate better.

The intended operation is:

  • Client uses this DNS for their internet connection.
  • Client requests domain resolution
  • If the domain is in the white-list, we resolve, if not, we don't reply.

How can we achieve this? Only process request that match our white-list, discard anything else.

mencargo
  • 1

2 Answers2

1

. ANY is a well-known query that requests all record types in cache that are associated with the root node (AKA .) of DNS. In high volume this assuredly an indicator of malicious behavior. Unfortunately, these queries are almost certainly UDP, and the source IP is the spoofed source address of the victim.

This problem needs to be addressed by identifying why malicious entities are able to make these requests against your server, and not by blocking the query itself. The attackers can just as easily leverage any number of requests known to return large result sets, some of which do not use the record type ANY at all.

In most cases, this is an indicator that you are running an open resolver. Your first priority should be to confirm this and close the security vulnerability. If you are not an open resolver, there is an infected device on your network. This becomes harder to track as you need to trace the MAC address one hop at a time back to the origin device.

Andrew B
  • 33,868
0

Although, as pointed out by Andrew, there are many security concerns about a DNS service in a public IP, the solution was the following iptables rule:

iptables -A INPUT -i eth0 -p udp --dport 53 -m string --hex-string "|0000ff|" --algo bm -j DROP

That specifically drops that query.

mencargo
  • 1