CentOS 5.x+ - Bind - DNS poisoning attack prevention

Postby lmmtux » Wed Aug 29, 2012 12:36 pm

DNS poisoning attacks are becoming more common. DNS servers that are publicly accessible can be discovered and sent bogus queries, which are resource intensive. The steps below use iptables to throttle the incoming connections to a DNS server, and will greatly reduce the resources wasted (system resources and bandwidth) by a DNS poisoning attack.

Detection of an attack:

Normally events will show up in the /var/log/messages log file, similar to this:

Jul 29 04:46:40 nameserver2 named[2406]: client query (cache) 'dgtl.ws/TXT/IN' denied

This indicates a bogus query to the DNS server. Hundreds or more of these can show up every minute in the "messages" log file.

Attack prevention:

There is no complete prevention for a DNS server that needs to be public facing. But, measures can be taken to minimize the impact on the DNS server.

  1. Upgrade to the latest version of bind available. This can be done with these commands:
    • CentOS 5.x (using bind with chroot configuration) :
      yum erase bind
      yum install bind97 bind97-chroot bind97-libs
    • CentOS 5.x (using bind without chroot configuration) :
      yum erase bind
      yum install bind97 bind97-libs

      Note: If you are not sure if you are using bind with or without chroot configuration, check to see if the path "/var/named/chroot/" exists. If it does and it contains the "etc" and "var" directories, this means that you are using the chroot configuration. Otherwise, your Bind configuration files should be in the regular "/etc" and "/var" directories.
    • CentOS 6.x :
      yum upgrade bind
    • Ensure that bind is set to start automatically on boot (check it in the "ntsysv" utility).
  2. Throttle the incoming DNS traffic to the DNS server. This will greatly reduce the amount of resources these attacks can take up. These commands will effectively throttle incoming connections on the interface eth0 on the DNS server. These rules can be tweaked to fit your needs. The example rules below will drop connections from a source once it reaches the threshold of 7 hits within 11 minutes.
    iptables -A INPUT -i eth0 -p udp -m udp --dport 53 -m recent --name DNSTHROTTLE --rsource --update --seconds 660 --hitcount 7 -j DROP
    iptables -A INPUT -i eth0 -p udp -m udp --dport 53 -m recent --name DNSTHROTTLE --rsource --set -j ACCEPT

    Ensure these iptables rules run when the system boots. One method of doing this is to add these lines to the end of the file /etc/rc.d/rc.local.
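The throttle rules in the post key on per-source hit counts, so the numbers chosen for --hitcount and --seconds should come from what the "denied" log actually shows per client. The shell script below is an added example and is not code from lmmtux's post, from BIND or from iptables: it tallies BIND 9 "query (cache) ... denied" events (BIND refusing recursion to a client outside allow-recursion, which is the open-resolver probing the post describes) per client address and per requested name, lists the sources that reach a chosen hit count, and prints the post's two rules with the match options grouped after -m recent so the interface, window and hit count can be varied. The log excerpt is constructed for this example; the client addresses are RFC 5737 documentation addresses, and the interface name and thresholds are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: summarise BIND
# "query (cache) ... denied" log events so the iptables thresholds can be
# chosen from what the server actually sees. The log excerpt below is
# constructed; addresses are from the RFC 5737 documentation ranges.

# Constructed /var/log/messages excerpt (BIND 9 "client <ip>#<port>:" prefix).
sample_log() {
cat <<'EOF'
Jul 29 04:46:40 nameserver2 named[2406]: zone example.com/IN: loaded serial 2012072901
Jul 29 04:46:40 nameserver2 named[2406]: client 198.51.100.7#1024: query (cache) 'dgtl.ws/TXT/IN' denied
Jul 29 04:46:40 nameserver2 named[2406]: client 198.51.100.7#1025: query (cache) 'dgtl.ws/TXT/IN' denied
Jul 29 04:46:41 nameserver2 named[2406]: client 192.0.2.10#53: query (cache) 'isc.org/ANY/IN' denied
Jul 29 04:46:41 nameserver2 named[2406]: client 198.51.100.7#1026: query (cache) 'dgtl.ws/TXT/IN' denied
Jul 29 04:46:41 nameserver2 named[2406]: client 198.51.100.7#1027: query (cache) 'dgtl.ws/TXT/IN' denied
Jul 29 04:46:42 nameserver2 named[2406]: client 203.0.113.5#40112: query (cache) 'example.net/A/IN' denied
Jul 29 04:46:42 nameserver2 named[2406]: client 198.51.100.7#1028: query (cache) 'dgtl.ws/TXT/IN' denied
Jul 29 04:46:42 nameserver2 named[2406]: client 198.51.100.7#1029: query (cache) 'dgtl.ws/TXT/IN' denied
Jul 29 04:46:43 nameserver2 named[2406]: client 192.0.2.10#53: query (cache) 'isc.org/ANY/IN' denied
Jul 29 04:46:43 nameserver2 named[2406]: client 198.51.100.7#1030: query (cache) 'dgtl.ws/TXT/IN' denied
Jul 29 04:46:43 nameserver2 named[2406]: client 198.51.100.7#1031: query (cache) 'dgtl.ws/TXT/IN' denied
EOF
}

# Count denied cache queries per client address: "<count> <ip>", busiest first.
# Only lines carrying "query (cache) ... denied" are considered; other named
# messages (zone loads etc.) are ignored.
denied_per_client() {
    awk '/query \(cache\).*denied$/ {
            for (i = 1; i <= NF; i++)
                if ($i == "client") { split($(i + 1), a, "#"); n[a[1]]++ }
        }
        END { for (ip in n) print n[ip], ip }' |
    sort -k1,1nr -k2,2
}

# Count denied cache queries per requested name/type/class, e.g. a single
# TXT name asked for over and over is the amplification-probe signature.
denied_per_name() {
    awk '/query \(cache\).*denied$/ {
            q = $(NF - 1); n[substr(q, 2, length(q) - 2)]++
        }
        END { for (q in n) print n[q], q }' |
    sort -k1,1nr -k2,2
}

# Sources whose denied-query count reaches the hit count you intend to block at.
over_threshold() {
    denied_per_client | awk -v t="$1" '$1 >= t { print $2 }'
}

# The post's throttle pair with the match options grouped after -m recent;
# interface, window (seconds) and hit count are parameters (defaults are the
# post's own: eth0, 660 s, 7 hits). Prints the rules rather than applying them.
dns_throttle_rules() {
    iface=${1:-eth0}; secs=${2:-660}; hits=${3:-7}
    printf 'iptables -A INPUT -i %s -p udp -m udp --dport 53 -m recent --name DNSTHROTTLE --rsource --update --seconds %s --hitcount %s -j DROP\n' "$iface" "$secs" "$hits"
    printf 'iptables -A INPUT -i %s -p udp -m udp --dport 53 -m recent --name DNSTHROTTLE --rsource --set -j ACCEPT\n' "$iface"
}

# Stand-alone run: who is hammering the server, what they ask for, and the
# rule pair for the chosen threshold. Use "grep named /var/log/messages |
# denied_per_client" on a real box.
sample_log | denied_per_client
sample_log | denied_per_name
echo "sources at or above 7 hits: $(sample_log | over_threshold 7)"
dns_throttle_rules eth0 660 7
```

Two things to keep in mind when applying the printed rules. They must sit before any general `--dport 53 -j ACCEPT` rule in INPUT, or the throttle never matches, and the xt_recent module refuses a `--hitcount` larger than its `ip_pkt_list_tot` parameter (default 20). The post's 7 hits in 660 seconds applies to every source address, including legitimate recursive resolvers that ask this server for more than a handful of records in eleven minutes, so run the tally above against your own log before settling on the numbers.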