I'm wondering how Unbound users are handling DGA and DGA-like attacks.
I'm running 20 Unbound servers, and around 20% of responses are NXDOMAIN for queries coming from my clients.
Has anyone experienced this kind of attack before? If so, how do you protect your servers against it? Is there something Unbound can do?
Generally speaking, 20% NXDOMAIN (or even more) is about the normal
pattern we see in normal traffic.
Blame Google Chrome and the like; they use it to detect DNS hijacking.
Aggressive use of a DNSSEC-validated cache will help for signed zones, but
there is no real 'solution' except fixing clients.
If you want to protect your own zone, sign it using DNSSEC. More numbers
can be found in the following presentation:
RRL can help. It has a separate quota for negative responses, usually on a source /24 basis, which is narrow enough to encompass specific reflection victims.
The source addresses are forged. The victims are not unclean in any
way. This is why RRL exists.
...
Most people using our resolvers use our CPE, our lines, our servers...
And the rest don't even have access.
Obviously, Mahdi is running a shop that is a bit larger than ours.
If they are real clients beating you to death with junk queries that all return NXDOMAIN, you can still win with RRL. Less frequent NXDOMAIN responses will cause the apps to get less work done because they are waiting on you. Thus it will slow the rate of junk queries.
This is exactly the problem that makes me recommend running a local RDNS on every LAN, or at least every house/building/campus, and in my case, on every laptop. I need fast negative responses, and I don't want to pay in upstream bandwidth, or workflow delay, to get them.
This may not be what you are looking for, but the just-released
aggressive-nsec: yes option uses DNSSEC aggressive NSEC processing to
cache more NXDOMAINs per upstream lookup and respond more quickly to
NXDOMAINs, resulting in less upstream traffic and less load on the
server for NXDOMAINs.