joohoi / acme-dns

Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.
MIT License

Disable DNS server after API inactivity #250

Open nescafe2002 opened 3 years ago

nescafe2002 commented 3 years ago

Since my IP got hammered a lot with invalid DNS requests:

```
Standard query ANY <Root> OPT
Standard query ANY <Root> OPT
(...)
Standard query ANY <Root> OPT
```

As acme-dns is only relevant during certificate renewals, I have configured my router to enable forwarding only on renewals:

(MikroTik rsc)

```
# Port forward api endpoint (443)
/ip firewall nat
add action=dst-nat chain=nat-public dst-port=443 protocol=tcp to-addresses=192.168.1.50

# Add dst-address (router ip) to address list when api endpoint is addressed (tls host auth.mydomain.tld)
/ip firewall mangle
add action=add-dst-to-address-list address-list=acme-dns address-list-timeout=15m chain=prerouting \
    dst-address-type=local dst-port=443 protocol=tcp tls-host=auth.mydomain.tld

# Port forward dns (53) only if api endpoint has been addressed in the previous 15 minutes
/ip firewall nat
add action=dst-nat chain=dst-nat dst-address-list=acme-dns dst-port=53 protocol=udp to-addresses=192.168.1.50
```

This works perfectly and the amount of bogus DNS requests to my IP has dropped significantly.

However, this poses a slight problem: if the requesting server has IPv6 access only and LE is using the IPv4 endpoint to verify DNS, I cannot address IPv4 address lists from the IPv6 firewall. Therefore I'd like to drop this here as a feature request:

Is there a way to enable the built-in DNS server only for a specified time after the /update endpoint has been addressed?

nescafe2002 commented 3 years ago

Well, the problem is that this (TLS-host-based) port knocking solution blocks acme-dns functionality if the API is exposed through the NS-delegated domain, as in the default setup.

E.g. API endpoint `https://auth.example.org`, acme-dns entry `{GUID}.auth.example.org`

File config.cfg:

```toml
records = [
    # domain pointing to the public IP of your acme-dns server
    "auth.example.org. A 192.0.2.1",
    # specify that auth.example.org will resolve any *.auth.example.org records
    "auth.example.org. NS auth.example.org.",
]
```

I have removed the configuration from my router and replaced it with a simple "no answer = no response" rule:

https://github.com/nescafe2002/acme-dns/commit/bfd0389aa7db7fa2702940f2d7cfc9590fac5f5e

Is there any info on how acme-dns contributes to DNS (amplification) attacks based on bogus (spoofed) requests?