It's always recommended to secure your DNS (BIND) and close open resolvers. Open resolvers are used to initiate large-scale DDoS attacks. I use the BIND templates (http://www.cymru.com/Documents/secure-bind-template.html) from the Team Cymru site to secure my DNS. Let's have a look at what happens if I don't secure my DNS.

To track my DNS queries I have configured bindgraph. Below is the output:

[image: bindgraph output]

Usually I see 20 to 25 queries/second, but there are a few spikes at 70 queries/second, and most of those are ANY queries. When I check my DNS query log, what I get is really interesting:

04-Aug-2013 14:03:29.694 queries: client 83.69.230.xxx#10962: view external: query: ietf.org IN ANY +E (103.12.179.12)
04-Aug-2013 14:03:29.696 queries: client 83.69.230.xxx#31090: view external: query: ietf.org IN ANY +E (103.12.179.12)
04-Aug-2013 14:03:29.761 queries: client 83.69.230.xxx#49009: view external: query: ietf.org IN ANY +E (103.12.179.12)
04-Aug-2013 14:03:29.761 queries: client 83.69.230.xxx#8803: view external: query: ietf.org IN ANY +E (103.12.179.12)
04-Aug-2013 14:03:29.761 queries: client 83.69.230.xxx#34494: view external: query: ietf.org IN ANY +E (103.12.179.12)
04-Aug-2013 14:03:29.826 queries: client 83.69.230.xxx#43246: view external: query: ietf.org IN ANY +E (103.12.179.12)

Source 83.69.230.xxx is querying for ietf.org ANY and sending a huge number of requests. The average DNS query is 64 bytes, but if we look at the response it is 4628 bytes. That means each request from 83.69.230.xxx is amplified roughly 73 times.

So if 83.69.230.xxx can launch 1Mbps of DNS queries, he can amplify it by 73 times and send 75Mbps of traffic to ietf.org. Really impressive. That's why it's important to secure your DNS.
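As an added example (not code from the original post), here is a small Python script that parses query-log lines in the BIND format shown above, counts ANY queries per client per second so a burst like the one in the log stands out, and computes the amplification factor from the query and response sizes quoted above. The log lines, the 198.51.100.7 and 203.0.113.5 client addresses and the threshold are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Pattern for BIND "queries" channel lines in the format shown in the post (constructed regex).
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ queries: client "
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+: view (?P<view>\S+): query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample log: a burst of ANY queries from one address plus ordinary traffic.
SAMPLE_LOG = """\
04-Aug-2013 14:03:29.694 queries: client 198.51.100.7#10962: view external: query: ietf.org IN ANY +E (103.12.179.12)
04-Aug-2013 14:03:29.696 queries: client 198.51.100.7#31090: view external: query: ietf.org IN ANY +E (103.12.179.12)
04-Aug-2013 14:03:29.761 queries: client 198.51.100.7#49009: view external: query: ietf.org IN ANY +E (103.12.179.12)
04-Aug-2013 14:03:29.826 queries: client 198.51.100.7#34494: view external: query: ietf.org IN ANY +E (103.12.179.12)
04-Aug-2013 14:03:30.002 queries: client 203.0.113.5#40001: view external: query: www.example.com IN A +E (103.12.179.12)
04-Aug-2013 14:03:30.115 queries: client 203.0.113.5#40002: view external: query: example.com IN ANY +E (103.12.179.12)
"""

def parse_line(line):
    """Return the fields of one query-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def any_queries_per_second(lines):
    """Count ANY queries per (client IP, second); the timestamp is truncated to seconds."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["qtype"] == "ANY":
            counts[(rec["ip"], rec["ts"])] += 1
    return counts

def flag_sources(lines, threshold=3):
    """Return {ip: peak ANY queries per second} for clients at or above the threshold."""
    peaks = defaultdict(int)
    for (ip, _ts), n in any_queries_per_second(lines).items():
        peaks[ip] = max(peaks[ip], n)
    return {ip: n for ip, n in peaks.items() if n >= threshold}

def amplification_factor(query_bytes, response_bytes):
    """Response bytes per query byte, as in the post's 64-byte query vs 4628-byte response."""
    return round(response_bytes / query_bytes, 1)

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG.splitlines()))  # {'198.51.100.7': 4}
    print(amplification_factor(64, 4628))         # 72.3
```

Run it against a real BIND query log with `flag_sources(open("query.log"))`; the single ANY query from 203.0.113.5 stays below the threshold and is not reported.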