UPGRADE: DNS (BIND) service for Response Rate Limiting (RRL)

Environment

  • CentOS 5.x

Introduction

The WatchGuard firewall already had “Default Packet Handling” enabled, with the settings shown here:


However, the public DNS service kept suffering Denial of Service (DoS) and Distributed Denial of Service (DDoS) problems.

BIND was also already at the latest version available from the official package source:
$ rpm -q --changelog bind

* Tue Jan 19 2016 Tomas Hozza - 30:9.3.6-25.P1.6
- Fix CVE-2015-8704

* Thu Sep 03 2015 Tomas Hozza - 30:9.3.6-25.P1.5
- Fix CVE-2015-8000

* Thu Sep 03 2015 Tomas Hozza - 30:9.3.6-25.P1.4
- Fix CVE-2015-5722

* Tue Jul 28 2015 Florian Weimer - 30:9.3.6-25.P1.3
- Fix CVE-2015-5477
- http://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-144/ISC-Bind.html


BIND needed to be upgraded to get Response Rate Limiting (RRL), which mitigates DNS amplification attacks. RRL is built into BIND 9.10 and later, so the 9.3.6 package above cannot provide it.


Procedures

Snapshot the server (virtual machine)

Backup current config

Upgrade bind

Update /var/named/chroot/etc/named.conf for rate-limit
rate-limit {
          responses-per-second 10;
};


Build bind-9.10 packages

Build on CentOS 5.x directly:
# yum install rpm-build.x86_64
# yum install geoip python-argparse
# yum install libcap-devel docbook-style-xsl GeoIP-devel
# rpmbuild --rebuild --define 'dist .el5' bind-9.10.3-0.5.P4.fc21.src.rpm


Even with --define 'dist .el5', a package built on CentOS 6.x with the same command (rpmbuild --rebuild --define 'dist .el5' bind-9.10.3-0.5.P4.fc21.src.rpm) fails to install on CentOS 5.x with missing dependencies:
# rpm -Uvh bind-9.10.3-0.5.P4.el5.x86_64.rpm bind-chroot-9.10.3-0.5.P4.el5.x86_64.rpm bind-libs-9.10.3-0.5.P4.el5.x86_64.rpm bind-utils-9.10.3-0.5.P4.el5.x86_64.rpm

error: Failed dependencies:
   libcap.so.2()(64bit) is needed by bind-9.10.3-0.5.P4.el5.x86_64
   libcrypto.so.10()(64bit) is needed by bind-9.10.3-0.5.P4.el5.x86_64
   libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by bind-9.10.3-0.5.P4.el5.x86_64
   
   [...]


Packages installed:
libcap.x86_64                         1.10-26                          installed
libxml2.x86_64                  2.6.26-2.1.25.el5_11                   updates  
rpm-libs.x86_64                   4.4.2.3-36.el5_11                   installed

Building directly on CentOS 5.x works.


Upgrade bind

Original bind:
bind.x86_64                      30:9.3.6-25.P1.el5_11.6             
bind-chroot.x86_64               30:9.3.6-25.P1.el5_11.6
bind-libs.x86_64                 30:9.3.6-25.P1.el5_11.6
bind-utils.x86_64                30:9.3.6-25.P1.el5_11.6

Upgrade bind:
# yum install geoip python-argparse
# rpm -Uvh bind-9.10.3-0.5.P4.el5.x86_64.rpm bind-chroot-9.10.3-0.5.P4.el5.x86_64.rpm bind-libs-9.10.3-0.5.P4.el5.x86_64.rpm bind-utils-9.10.3-0.5.P4.el5.x86_64.rpm

Note: “geoip” and “python-argparse” require adding the EPEL repository (“Extra Packages for Enterprise Linux 5 - x86_64”) to the repolist.


Create the “data” folder if it does not exist:
# mkdir /var/named/chroot/var/named/data
# chown named.named -R /var/named/chroot/var/named/data

If named.empty, named.loopback and named.localhost are missing, copy them back from the sample directory:
# cp /usr/share/doc/bind-9.10.3/sample/var/named/{named.localhost,named.empty,named.loopback} /var/named/chroot/var/named/


Set Response Rate Limiting (RRL)

Edit /var/named/chroot/etc/named.conf for RRL:
options {
  ...
  // Answer queries from any host (public DNS)
  allow-query { any; };

  // Disable recursion for DNS Amplification DDoS Attack
  //@ref http://www.team-cymru.org/Open-Resolver-Challenge.html
  //@ref https://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack/
  recursion no;

  //@ref http://www.zytrax.com/books/dns/ch7/xfer.html#allow-transfer
  // The default behaviour is to allow zone transfers to any host.
  // If you have a slave server, list it instead: allow-transfer { <slave address>; };
  allow-transfer { none; };

  rate-limit {
     responses-per-second 10;

     // log-only yes; only logs what would be limited without dropping anything.
     // Useful while testing; leave it out once the limits are confirmed.
     //log-only yes;
  };
};


Check configuration:
# named-checkconf /etc/named.conf

# named-checkconf -t /var/named/chroot/ /etc/named.conf

Note: If there is no output, the configuration is considered correct and you can safely restart or reload the BIND configuration. If there is an error, it is displayed on screen.


Reload the named service if the check passes:
# service named reload


Read the log “/var/named/chroot/var/named/data/named.run”, for example:
$ sudo tail -n 20 /var/named/chroot/var/named/data/named.run
client 192.3.220.210#44884 (hajjamservices.xyz): query (cache) 'hajjamservices.xyz/ANY/IN' denied
client 192.3.220.210#44887 (hajjamservices.xyz): query (cache) 'hajjamservices.xyz/ANY/IN' denied
client 192.3.220.210#44886 (nhl.msk.su): query (cache) 'nhl.msk.su/ANY/IN' denied
client 192.3.220.210#44888 (freeinfosys.com): query (cache) 'freeinfosys.com/ANY/IN' denied
client 192.3.220.210#44890 (hajjamservices.xyz): query (cache) 'hajjamservices.xyz/ANY/IN' denied
client 192.3.220.210#44891 (freeinfosys.com): query (cache) 'freeinfosys.com/ANY/IN' denied
client 192.3.220.210#44889 (nhl.msk.su): query (cache) 'nhl.msk.su/ANY/IN' denied
client 192.3.220.210#44894 (freeinfosys.com): query (cache) 'freeinfosys.com/ANY/IN' denied
client 159.122.221.35#42292 (isc.org): query (cache) 'isc.org/ANY/IN' denied
client 192.3.220.210#44893 (hajjamservices.xyz): query (cache) 'hajjamservices.xyz/ANY/IN' denied
client 192.3.220.210#44892 (nhl.msk.su): query (cache) 'nhl.msk.su/ANY/IN' denied
client 192.3.220.210#44895 (nhl.msk.su): query (cache) 'nhl.msk.su/ANY/IN' denied
client 192.3.220.210#44896 (hajjamservices.xyz): query (cache) 'hajjamservices.xyz/ANY/IN' denied
client 192.3.220.210#44897 (freeinfosys.com): query (cache) 'freeinfosys.com/ANY/IN' denied
client 192.3.220.210#44898 (nhl.msk.su): query (cache) 'nhl.msk.su/ANY/IN' denied
client 192.3.220.210#44900 (freeinfosys.com): query (cache) 'freeinfosys.com/ANY/IN' denied
client 192.3.220.210#44899 (hajjamservices.xyz): query (cache) 'hajjamservices.xyz/ANY/IN' denied
client 179.43.141.194#54367 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
client 204.42.253.2#50856 (9b4f3f9b.openresolvertest.net): query (cache) '9b4f3f9b.openresolvertest.net/A/IN' denied
client 129.174.112.124#42206 (www.gmu.edu): query (cache) 'www.gmu.edu/A/IN' denied
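The “query (cache) … denied” entries are recursive lookups refused by recursion no; a single source sending repeated ANY queries for names the server is not authoritative for is the typical signature of an amplification probe. The following parser, added here as an example and not part of the original post, aggregates such lines per client and flags the sources worth looking at; the sample lines are constructed in the same format as the excerpt above, using documentation addresses and names.

```python
import re
from collections import Counter, defaultdict

# Matches the "query ... denied" lines named writes to named.run, e.g.
# client 192.0.2.10#44884 (example.com): query (cache) 'example.com/ANY/IN' denied
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<name>[^)]*)\): "
    r"query \(cache\) '(?P<qname>[^/]+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
)

# Constructed sample lines in the same format as the named.run excerpt
# (documentation addresses and names, not real clients).
SAMPLE_LOG = """\
client 192.0.2.10#44884 (example.com): query (cache) 'example.com/ANY/IN' denied
client 192.0.2.10#44887 (example.com): query (cache) 'example.com/ANY/IN' denied
client 192.0.2.10#44886 (example.net): query (cache) 'example.net/ANY/IN' denied
client 192.0.2.10#44888 (example.org): query (cache) 'example.org/ANY/IN' denied
client 198.51.100.7#42292 (isc.org): query (cache) 'isc.org/ANY/IN' denied
client 203.0.113.5#50856 (www.example.edu): query (cache) 'www.example.edu/A/IN' denied
unrelated line that should be ignored
"""

def parse_denied(text):
    """Yield (ip, qname, qtype) for every parsable denied-query line."""
    for line in text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname"), m.group("qtype")

def summarize(text):
    """Per-client counts of refused queries, split by query type."""
    per_client = defaultdict(Counter)
    for ip, _qname, qtype in parse_denied(text):
        per_client[ip][qtype] += 1
    return per_client

def suspicious_clients(text, min_any=3):
    """Clients that sent at least min_any refused ANY queries."""
    return sorted(ip for ip, c in summarize(text).items() if c["ANY"] >= min_any)

if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, dict(counts))
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

RRL itself logs under the rate-limit category, so actual drops and slips from the rate-limit block do not appear as these denied lines.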

