DNS server
DNS Service Protection Against DDoS Attacks
DNS servers are one of the most common targets of DDoS attacks. A DNS server may be the victim of a DDoS attack itself, or it may be abused as a reflector to amplify an attack against another host. You can use the Tempesta xFW configuration below to protect your DNS server in both cases.
This configuration assumes that Tempesta xFW runs in gate mode and protects a DNS server with the IPv4 address 8.8.8.8.
In gate mode you typically need two network interfaces and a configuration like:
# cat /etc/tempesta/xfw.conf
{
"devices": "ens3 ens4",
"devices-mode": "native"
}
You can store the rules configuration in /etc/tempesta/xfw-dns-rules.conf and load it with:
/opt/tempesta/bin/tfw push --conf /etc/tempesta/xfw-dns-rules.conf
The rules configuration for this case may look like:
xfw {
    tcp_anomaly_filter;

    dns_filter;

    ratelimit=tcp_flood_rl pps=1000 bps=10000000;
    tcp_flags syn : ratelimit=tcp_flood_rl;
    tcp_flags rst : ratelimit=tcp_flood_rl;

    ratelimit=dns_auth_ammpl_rl pps=100 bps=1000000;
    src=dns_auth_ammpl ip4.udp : ratelimit=dns_auth_ammpl_rl {
        :53
    }

    ratelimit=dns_clnt_rl pps=10 bps=10000;
    dst=dns4 ip4.udp : ratelimit=dns_clnt_rl {
        8.8.8.8:53
    }

    ratelimit=ssh_rl pps=500 bps=50000;
    dst=ssh ip4.tcp : ratelimit=ssh_rl {
        192.168.100.4:22
    }

    ratelimit=icmp_rl pps=10 bps=1000;
    icmp ip4 : ratelimit=icmp_rl { 0, 3, 8, 11, 12 }
    icmp ip6 : ratelimit=icmp_rl { 1, 2, 3, 4, 128, 129, 133, 134, 135, 136, 137, 143 }

    defaults {
        dst: allow;
        src_ip: allow;
        src_port: allow;
        icmp ip4: block;
        icmp ip6: block;
    }
}
Line 2, lines 20-23 and lines 25-27 of the rules configuration use the same TCP, SSH and ICMP rules as the Web server use case.
dns_filter in line 4 enables the DNS anomaly filter.
However, SYN cookies are not applicable in gate mode, so lines 6-8 use rate limits for TCP SYN and RST packets instead.
Lines 10-13 rate limit traffic with source port 53. A recursive DNS server queries other DNS servers and receives their responses with source port 53, but a large volume of traffic with source port 53 indicates a DNS amplification attack, and this rule protects the server against it.
The next rule, in lines 15-18, limits how many packets (DNS queries) and bytes per second from a single client Tempesta xFW may forward to the protected DNS server.
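To make the effect of the two UDP rate limits (lines 10-13 and lines 15-18) concrete, here is an added Python model of the "ratelimit=<name> pps=<N> bps=<M>" semantics run over a constructed packet stream. It is example code written for this page, not Tempesta xFW's implementation. The limit values are the ones from the configuration above; how Tempesta xFW actually keys its buckets is not stated on the page, so the model assumes one shared bucket for the source-port-53 rule and one bucket per client source IP for the dns4 rule ("from a single client"). The IP addresses, sizes and timings of the sample traffic are constructed.

```python
# Added example, not Tempesta xFW code: a token-bucket model of the
# "ratelimit=<name> pps=<N> bps=<M>" rules in the configuration above, run over
# a constructed packet stream. Limit values are the page's own; the keying of
# the buckets is an assumption: one shared bucket for the source-port-53 rule,
# one bucket per client source IP for the dns4 rule.
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float       # arrival time in seconds
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    size: int       # bytes


class RateLimit:
    """Two token buckets: one refilled at pps packets/s, one at bps bytes/s.
    A packet passes only if both can pay for it. Bucket depth is one second
    of the limit, so a burst of at most pps packets / bps bytes is tolerated."""

    def __init__(self, pps: int, bps: int):
        self.pps, self.bps = pps, bps
        self.pkt_tokens, self.byte_tokens = float(pps), float(bps)
        self.last = 0.0

    def allow(self, pkt: Packet) -> bool:
        elapsed = max(0.0, pkt.ts - self.last)
        self.last = pkt.ts
        self.pkt_tokens = min(self.pps, self.pkt_tokens + elapsed * self.pps)
        self.byte_tokens = min(self.bps, self.byte_tokens + elapsed * self.bps)
        if self.pkt_tokens >= 1 and self.byte_tokens >= pkt.size:
            self.pkt_tokens -= 1
            self.byte_tokens -= pkt.size
            return True
        return False


class DnsRulesModel:
    """Evaluates a packet against the two UDP rules of the configuration."""

    def __init__(self, protected_ip: str = "8.8.8.8"):
        self.protected_ip = protected_ip
        self.auth_rl = RateLimit(pps=100, bps=1_000_000)   # dns_auth_ammpl_rl
        self.client_rls: dict[str, RateLimit] = {}         # dns_clnt_rl per client IP

    def verdict(self, pkt: Packet) -> str:
        # src=dns_auth_ammpl ip4.udp { :53 }: responses arriving from port 53
        if pkt.src_port == 53:
            return "allow" if self.auth_rl.allow(pkt) else "drop:dns_auth_ammpl_rl"
        # dst=dns4 ip4.udp { 8.8.8.8:53 }: queries towards the protected server
        if pkt.dst_ip == self.protected_ip and pkt.dst_port == 53:
            rl = self.client_rls.setdefault(pkt.src_ip, RateLimit(pps=10, bps=10_000))
            return "allow" if rl.allow(pkt) else "drop:dns_clnt_rl"
        return "allow"   # defaults { dst: allow; src_ip: allow; src_port: allow; }


def run_scenarios() -> dict[str, int]:
    """Constructed traffic (sample values, not captured data)."""
    model = DnsRulesModel()
    counts = {}

    # 1. The protected resolver receives 50 ordinary ~300-byte answers from an
    #    upstream server's port 53 within half a second: well under 100 pps.
    answers = [Packet(0.01 * i, "203.0.113.10", 53, "8.8.8.8", 40000 + i, 300)
               for i in range(50)]
    counts["normal_answers_allowed"] = sum(model.verdict(p) == "allow" for p in answers)

    # 2. Reflected flood: 1000 large (3000-byte) responses from port 53 arrive
    #    within half a second, the shape of an amplification attack. The
    #    bucket admits roughly one second's worth and drops the rest.
    flood = [Packet(1.0 + 0.0005 * i, "198.51.100.%d" % (i % 50), 53, "8.8.8.8",
                    1024 + i, 3000) for i in range(1000)]
    flood_verdicts = [model.verdict(p) for p in flood]
    counts["amplification_allowed"] = flood_verdicts.count("allow")
    counts["amplification_dropped"] = flood_verdicts.count("drop:dns_auth_ammpl_rl")

    # 3. One client fires 30 queries in 30 ms at 8.8.8.8:53 while another
    #    client sends 5: the first is held to its own 10 pps, the second is
    #    untouched because the dns_clnt_rl bucket is per client.
    noisy = [Packet(2.0 + 0.001 * i, "192.0.2.5", 50000 + i, "8.8.8.8", 53, 60)
             for i in range(30)]
    quiet = [Packet(2.0 + 0.001 * i, "192.0.2.9", 51000 + i, "8.8.8.8", 53, 60)
             for i in range(5)]
    noisy_verdicts = [model.verdict(p) for p in noisy]
    counts["client_allowed"] = noisy_verdicts.count("allow")
    counts["client_dropped"] = noisy_verdicts.count("drop:dns_clnt_rl")
    counts["other_client_allowed"] = sum(model.verdict(p) == "allow" for p in quiet)
    return counts


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The interesting property is in scenario 2: the flood is not told apart by any signature, only by its volume, and a bucket depth of one second of the limit means roughly 100-150 of the 1000 reflected responses still reach the server before the rule starts dropping. If your upstream answer rate is normally far below 100 pps, a lower pps and bps value for dns_auth_ammpl_rl shrinks that window.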
The defaults section in lines 29-35 is almost the same as for the Web server; the only addition is the default allow policies for the source IP and source port rules, which are needed because this configuration contains a src section.