Freekers / ansible-adguard

Ansible playbook to set up AdGuard Home with Unbound, including DoH, DoT & Let's Encrypt, based on Docker
GNU Affero General Public License v3.0

block DNS Amplification Attack by iptables #2

Closed bruvv closed 4 years ago

bruvv commented 4 years ago

When having a public DNS server it's important to have it set up relatively safe. That can be done with 3 easy iptables commands:

iptables -A INPUT -p udp --dport 53 -m string --from 40 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
iptables -A INPUT -p udp --dport 53 -m string --from 40 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 3 -j DROP
iptables -A INPUT -p tcp --dport 53 -m string --from 52 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
iptables -A INPUT -p tcp --dport 53 -m string --from 52 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 3 -j DROP

More info from your website ;) https://freek.ws/2017/03/18/blocking-dns-amplification-attacks-using-iptables/
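The logic those UDP rules encode, written out as an added example (not code from the issue, the playbook or the linked post): the string match looks for the bytes `00 00 FF 00 01` (end of QNAME, QTYPE=ANY, QCLASS=IN) starting at offset 40, which is where the DNS question section begins after a 20-byte IPv4 header, an 8-byte UDP header and the 12-byte DNS header; the `recent` match then records a hit per source address and drops once 3 hits fall inside 60 seconds. The packets, addresses and timestamps below are constructed sample input, and `RecentList` is a simplified model of `xt_recent` (one list, unbounded history) rather than the kernel module itself.

```python
import struct
from collections import defaultdict, deque

IP_HDR, UDP_HDR, DNS_HDR = 20, 8, 12
UDP_FROM = IP_HDR + UDP_HDR + DNS_HDR          # 40, the --from offset of the UDP rule
ANY_PATTERN = bytes.fromhex("0000FF0001")      # |0000FF0001|: QNAME terminator, QTYPE=ANY(255), QCLASS=IN(1)


def build_dns_query(name: str, qtype: int, qclass: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed sample: a minimal DNS query with one question (RD set, no records)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, qclass)


def wrap_ipv4_udp(payload: bytes, src=(198, 51, 100, 7), dst=(192, 0, 2, 53)) -> bytes:
    """Constructed sample: prepend IPv4 and UDP headers (checksums zero) so offsets match the rule."""
    total = IP_HDR + UDP_HDR + len(payload)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 17, 0, bytes(src), bytes(dst))
    udp = struct.pack(">HHHH", 40000, 53, UDP_HDR + len(payload), 0)
    return ip + udp + payload


def is_any_query(packet: bytes, from_offset: int = UDP_FROM) -> bool:
    """Equivalent of `-m string --from 40 --hex-string '|0000FF0001|'`: search from the question section onward."""
    return packet.find(ANY_PATTERN, from_offset) != -1


class RecentList:
    """Simplified model (assumption, not the kernel code) of `-m recent --name dnsanyquery`."""

    def __init__(self, seconds: int = 60, hitcount: int = 3):
        self.seconds = seconds
        self.hitcount = hitcount
        self.hits = defaultdict(deque)         # source address -> timestamps of recorded hits

    def set(self, src: str, now: float) -> None:
        """--set: record this packet for the source address."""
        self.hits[src].append(now)

    def rcheck(self, src: str, now: float) -> bool:
        """--rcheck --seconds S --hitcount N: true once N hits fall within the last S seconds."""
        q = self.hits.get(src)
        if not q:
            return False
        while q and now - q[0] > self.seconds:  # forget hits outside the window
            q.popleft()
        return len(q) >= self.hitcount


def filter_packet(packet: bytes, src: str, now: float, recent: RecentList) -> str:
    """Apply the two UDP rules in order and return the resulting verdict."""
    if is_any_query(packet):
        recent.set(src, now)                   # rule 1 has no -j, so evaluation continues
        if recent.rcheck(src, now):            # rule 2: third ANY query within 60 s is dropped
            return "DROP"
    return "ACCEPT"                            # everything else falls through to later rules


def simulate() -> list:
    """Replay a constructed burst: four ANY queries within 10 s, an A query, then one ANY query much later."""
    recent = RecentList()
    any_pkt = wrap_ipv4_udp(build_dns_query("example.com", 255))
    a_pkt = wrap_ipv4_udp(build_dns_query("example.com", 1))
    src = "198.51.100.7"
    verdicts = [filter_packet(any_pkt, src, t, recent) for t in (0, 3, 6, 9)]
    verdicts.append(filter_packet(a_pkt, src, 12, recent))      # A query is never counted
    verdicts.append(filter_packet(any_pkt, src, 100, recent))   # window has expired, counter restarts
    return verdicts


if __name__ == "__main__":
    print(simulate())
```

Two things the simulation makes visible that the rules alone do not: ordinary A queries from the same client are never touched, only the ANY pattern counts toward the threshold; and the window is sliding, so a client that stops sending ANY queries is accepted again after 60 seconds without any manual list cleanup.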

Freekers commented 4 years ago

AdGuard has two built-in features to protect against DNS amplification attacks:

  1. Rate limiting; the number of requests per second that a single client is allowed to make.
  2. Option to ignore ANY queries, which is enabled by default. ANY queries are on the verge of being deprecated, because they are rarely used in real world scenarios yet quite resource heavy (see: https://blog.cloudflare.com/rfc8482-saying-goodbye-to-any/)

Because of this, I've chosen not to include the iptables commands, as the above does more or less the same and is easier to configure.