UPGRADE: DNS (BIND) service for Response Rate Limiting (RRL)
Environment
- CentOS 5.x
Introduction
The WatchGuard firewall already had “Default Packet Handling” enabled.
However, the public DNS service was still continuously being hit with Denial of Service (DoS) and Distributed Denial of Service (DDoS) traffic.
bind was also already at the latest version available from the official repository:
| 
$ rpm -q --changelog bind 
* Tue Jan 19 2016 Tomas Hozza  
- Fix CVE-2015-8704 
* Thu Sep 03 2015 Tomas Hozza  
- Fix CVE-2015-8000 
* Thu Sep 03 2015 Tomas Hozza  
- Fix CVE-2015-5722 
* Tue Jul 28 2015 Florian Weimer  
- Fix CVE-2015-5477 | 
That version (9.3.6) predates Response Rate Limiting (RRL), so bind had to be upgraded. RRL mitigates DNS amplification attacks: the attacker sends small queries with the victim's address spoofed as the source so that the server floods the victim with large responses. RRL caps how many identical responses are sent to a given client address block per second and drops or truncates the rest.
Procedures
- Snapshot the server (virtual machine)
- Back up the current config
- Upgrade bind
- Update /var/named/chroot/etc/named.conf with a rate-limit stanza:
| 
rate-limit { 
           responses-per-second 10; 
}; | 
Build bind-9.10 packages
Build on CentOS 5.x directly:
| 
# yum install rpm-build.x86_64 
# yum install geoip python-argparse 
# yum install libcap-devel docbook-style-xsl GeoIP-devel 
# rpmbuild --rebuild --define 'dist .el5' bind-9.10.3-0.5.P4.fc21.src.rpm | 
Even with --define 'dist .el5', a package built on CentOS 6.x (rpmbuild --rebuild --define 'dist .el5' bind-9.10.3-0.5.P4.fc21.src.rpm) fails to install on CentOS 5.x with unmet dependencies, because it is linked against the CentOS 6 library versions (libcap.so.2, libcrypto.so.10):
| 
# rpm -Uvh bind-9.10.3-0.5.P4.el5.x86_64.rpm bind-chroot-9.10.3-0.5.P4.el5.x86_64.rpm bind-libs-9.10.3-0.5.P4.el5.x86_64.rpm bind-utils-9.10.3-0.5.P4.el5.x86_64.rpm 
error: Failed dependencies: 
    libcap.so.2()(64bit) is needed by bind-9.10.3-0.5.P4.el5.x86_64 
    libcrypto.so.10()(64bit) is needed by bind-9.10.3-0.5.P4.el5.x86_64 
    libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by bind-9.10.3-0.5.P4.el5.x86_64 
   [...]  | 
Library packages installed on CentOS 5.x (note libcap 1.x, which provides libcap.so.1, not libcap.so.2):
| 
libcap.x86_64                         1.10-26                          installed 
libxml2.x86_64                  2.6.26-2.1.25.el5_11                   updates   
rpm-libs.x86_64                   4.4.2.3-36.el5_11                   installed | 
Packages built on CentOS 5.x directly, as above, install without dependency problems.
Upgrade bind
Original bind:
| 
bind.x86_64                      30:9.3.6-25.P1.el5_11.6                
bind-chroot.x86_64               30:9.3.6-25.P1.el5_11.6 
bind-libs.x86_64                 30:9.3.6-25.P1.el5_11.6 
bind-utils.x86_64                30:9.3.6-25.P1.el5_11.6 | 
Upgrade bind:
| 
# yum install geoip python-argparse 
# rpm -Uvh bind-9.10.3-0.5.P4.el5.x86_64.rpm bind-chroot-9.10.3-0.5.P4.el5.x86_64.rpm bind-libs-9.10.3-0.5.P4.el5.x86_64.rpm bind-utils-9.10.3-0.5.P4.el5.x86_64.rpm | 
|  For “geoip” and “python-argparse” the “Extra Packages for Enterprise Linux 5 - x86_64” (EPEL) repository must be enabled in the yum repolist. | 
Create the “data” directory (where named.run is written) if it does not exist:
| 
# mkdir /var/named/chroot/var/named/data 
# chown -R named:named /var/named/chroot/var/named/data | 
If the chroot is missing the sample zone files named.localhost, named.empty and named.loopback, copy them back from the package's samples:
| 
# cp /usr/share/doc/bind-9.10.3/sample/var/named/{named.localhost,named.empty,named.loopback} /var/named/chroot/var/named/ | 
Set Response Rate Limiting (RRL)
Edit /var/named/chroot/etc/named.conf for RRL:
| 
options { 
   ... 
   // Answer queries from anyone: this is a public (authoritative) DNS server 
   allow-query { any; }; 
   // Disable recursion: an open resolver is the classic DNS amplification reflector 
   // (only safe when no internal clients depend on this server for recursion) 
   //@ref http://www.team-cymru.org/Open-Resolver-Challenge.html 
   //@ref https://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack/ 
   recursion no; 
   //@ref http://www.zytrax.com/books/dns/ch7/xfer.html#allow-transfer 
   // The default behaviour is to allow zone transfers to any host. 
   // If there is a slave server, list its address here instead of none. 
   allow-transfer { none; }; 
   rate-limit { 
      responses-per-second 10; 
      // Keep log-only yes while testing; remove it once the log looks right 
      // log-only yes; 
   }; 
}; | 
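A fuller rate-limit stanza, added here as an illustration and not taken from the original post, showing the tuning knobs a practitioner usually sets alongside responses-per-second, plus a dedicated log channel for the rate-limit category so that RRL decisions can be seen separately from the general log. The log file name, the /24 and /56 prefix lengths and the exempt-clients addresses are assumptions for illustration:

```text
options {
    ...
    rate-limit {
        responses-per-second 10;   // identical answers per client block per second
        nxdomains-per-second 5;    // NXDOMAIN answers are cheap to trigger and reflect well
        errors-per-second 5;       // covers SERVFAIL/REFUSED
        window 5;                  // seconds of credit a client may accumulate
        slip 2;                    // every 2nd dropped response is sent truncated (TC=1),
                                   // so real clients retry over TCP while spoofers gain nothing
        ipv4-prefix-length 24;     // count per /24, not per address (assumption: tune to your clients)
        ipv6-prefix-length 56;
        exempt-clients { 127.0.0.1; 192.0.2.0/24; };  // assumed monitoring/secondary addresses
        // log-only yes;           // dry run: log what would be limited, drop nothing
    };
};

logging {
    channel rrl_log {
        file "data/rrl.log" versions 3 size 5m;  // relative to the directory option, inside the chroot
        severity info;
        print-time yes;
        print-category yes;
    };
    category rate-limit { rrl_log; };
};
```

Start with log-only yes and watch data/rrl.log for a day: legitimate busy clients (large resolvers behind NAT) should appear in it rarely, and anything that does appear repeatedly can be added to exempt-clients before enforcement is switched on. The slip setting is what keeps RRL safe for real users: a truncated reply tells a genuine resolver to retry over TCP, which a spoofed source cannot do.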
Check configuration:
| 
# named-checkconf /etc/named.conf 
# named-checkconf -t /var/named/chroot/ /etc/named.conf | 
|  If there is no output, the configuration is syntactically valid and named can safely be reloaded or restarted; otherwise the error is printed on screen. named-checkconf only checks the syntax unless -z is given, which also loads the zones. | 
Reload the named service if the check passes:
| 
# service named reload | 
Read the log “/var/named/chroot/var/named/data/named.run”. Note that the “denied” lines below are not RRL events: they are queries refused because recursion is disabled, mostly ANY queries for domains this server is not authoritative for, which is the typical amplification probe. RRL decisions are logged under the rate-limit logging category and only appear if a channel is configured for it. For example:
| 
$ sudo tail -n 20 /var/named/chroot/var/named/data/named.run 
client 192.3.220.210#44884 (hajjamservices.xyz): query (cache) 'hajjamservices.xyz/ANY/IN' denied 
client 192.3.220.210#44887 (hajjamservices.xyz): query (cache) 'hajjamservices.xyz/ANY/IN' denied 
client 192.3.220.210#44886 (nhl.msk.su): query (cache) 'nhl.msk.su/ANY/IN' denied 
client 192.3.220.210#44888 (freeinfosys.com): query (cache) 'freeinfosys.com/ANY/IN' denied 
client 192.3.220.210#44890 (hajjamservices.xyz): query (cache) 'hajjamservices.xyz/ANY/IN' denied 
client 192.3.220.210#44891 (freeinfosys.com): query (cache) 'freeinfosys.com/ANY/IN' denied 
client 192.3.220.210#44889 (nhl.msk.su): query (cache) 'nhl.msk.su/ANY/IN' denied 
client 192.3.220.210#44894 (freeinfosys.com): query (cache) 'freeinfosys.com/ANY/IN' denied 
client 159.122.221.35#42292 (isc.org): query (cache) 'isc.org/ANY/IN' denied 
client 192.3.220.210#44893 (hajjamservices.xyz): query (cache) 'hajjamservices.xyz/ANY/IN' denied 
client 192.3.220.210#44892 (nhl.msk.su): query (cache) 'nhl.msk.su/ANY/IN' denied 
client 192.3.220.210#44895 (nhl.msk.su): query (cache) 'nhl.msk.su/ANY/IN' denied 
client 192.3.220.210#44896 (hajjamservices.xyz): query (cache) 'hajjamservices.xyz/ANY/IN' denied 
client 192.3.220.210#44897 (freeinfosys.com): query (cache) 'freeinfosys.com/ANY/IN' denied 
client 192.3.220.210#44898 (nhl.msk.su): query (cache) 'nhl.msk.su/ANY/IN' denied 
client 192.3.220.210#44900 (freeinfosys.com): query (cache) 'freeinfosys.com/ANY/IN' denied 
client 192.3.220.210#44899 (hajjamservices.xyz): query (cache) 'hajjamservices.xyz/ANY/IN' denied 
client 179.43.141.194#54367 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied 
client 204.42.253.2#50856 (9b4f3f9b.openresolvertest.net): query (cache) '9b4f3f9b.openresolvertest.net/A/IN' denied 
client 129.174.112.124#42206 (www.gmu.edu): query (cache) 'www.gmu.edu/A/IN' denied |
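To turn a log excerpt like the one above into something actionable, here is an added example (not part of the original post) that summarises the denied queries per client address and query type with awk, and flags clients whose denied ANY queries reach a threshold, the amplification fingerprint. The sample lines are constructed to resemble the excerpt above, and the default threshold of 5 is an assumption:

```shell
#!/bin/sh
# Added example, not from the original post: summarise "query ... denied" lines
# from named.run and flag likely amplification sources.

# Constructed sample in the format of the named.run excerpt above
# (last line is an unrelated named message to show that it is ignored).
SAMPLE_LOG=$(cat <<'EOF'
client 192.3.220.210#44884 (hajjamservices.xyz): query (cache) 'hajjamservices.xyz/ANY/IN' denied
client 192.3.220.210#44887 (nhl.msk.su): query (cache) 'nhl.msk.su/ANY/IN' denied
client 192.3.220.210#44888 (freeinfosys.com): query (cache) 'freeinfosys.com/ANY/IN' denied
client 159.122.221.35#42292 (isc.org): query (cache) 'isc.org/ANY/IN' denied
client 192.3.220.210#44890 (hajjamservices.xyz): query (cache) 'hajjamservices.xyz/ANY/IN' denied
client 192.3.220.210#44891 (freeinfosys.com): query (cache) 'freeinfosys.com/ANY/IN' denied
client 204.42.253.2#50856 (9b4f3f9b.openresolvertest.net): query (cache) '9b4f3f9b.openresolvertest.net/A/IN' denied
client 192.3.220.210#44892 (nhl.msk.su): query (cache) 'nhl.msk.su/ANY/IN' denied
client 129.174.112.124#42206 (www.gmu.edu): query (cache) 'www.gmu.edu/A/IN' denied
running
EOF
)

# Count denied queries per (client address, query type).
# Reads named.run lines on stdin; prints "<count> <client> <qtype>", highest count first.
denied_summary() {
    awk -F"'" '
        $1 ~ /query \(cache\)/ && $3 ~ /^ denied$/ {
            split($1, a, " ")        # a[2] is "addr#port"
            split(a[2], c, "#")      # c[1] is the client address
            n = split($2, p, "/")    # $2 is "name/qtype/class"
            count[c[1] " " p[n-1]]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Print client addresses whose denied ANY queries reach the threshold (default 5, an assumption).
# Repeated ANY queries for zones this server does not serve are the amplification fingerprint.
flag_amplifiers() {
    threshold=${1:-5}
    denied_summary | awk -v t="$threshold" '$3 == "ANY" && $1 >= t { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | denied_summary
printf '%s\n' "$SAMPLE_LOG" | flag_amplifiers 5
```

On a live server replace the constructed sample with `tail -n 5000 /var/named/chroot/var/named/data/named.run | denied_summary`. Addresses that keep appearing with high ANY counts are spoofed victims as often as they are attackers, so the right response is to leave RRL and recursion no in place rather than to block them at the firewall.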