DNS on server 2008 R2 DDOS attack

Hi.  I have a DNS server that's being exploited by DDOS.  On this DNS server I host DNS records for about 300 or so of my clients.  My ISP asked me if the server needed to be public and I said yes; however, I think I'm wrong about that.  No one needs to query the server from the outside (WAN), as in using the public IP to resolve DNS; however, I still need the records on the server to spread publicly.  I hope I am explaining this properly, as DNS is not my forte, but I am learning.
hmcnastyAsked:
TMekeel Commented:
Check to see if your servers are open resolvers:
http://openresolverproject.org/

Also, read this from the IETF:
http://tools.ietf.org/html/bcp38

That should help you shore up your defenses.


Edit--This link is also in the first link I gave for the openresolver test, but important:
http://www.redbarn.org/dns/ratelimits
TMekeelCommented:
You have the hostname for yourserverdns.yournetwork.com pointed to your firewall, and then nat/pat port 53 to your internal IP of the DNS server, or your server is in the DMZ and is being exploited outside of just DNS?  
They are querying DNS to bring it down or some other means is what I'm asking.
hmcnastyAuthor Commented:
We have a hostname for yourserverdns.yournetwork.com pointed to our firewall, and then nat/pat port 53 to your internal IP of the DNS server.  

The way it was explained to me is that someone somewhere is spoofing our DNS server and making it send out DNS requests to other DNS servers. I think it's also called a denial-of-service attack (DoS attack).
TMekeelCommented:
https://www.grc.com/dns/dns.htm

GRC has other tools available.
TMekeelCommented:
There is also this technet for turning off any unneeded services.
http://technet.microsoft.com/en-us/library/cc526450.aspx

I'm not trying to just point you at links, but hosting your own DNS isn't easy these days.
TMekeelCommented:
Here is another article, more in depth and links to Microsoft's guides to hardening DNS against attacks.  I realize they are for server 2003, but the ideas are still relevant (and most of the commands.)  If you are learning DNS, this is a good start.

http://www.cisco.com/web/about/security/intelligence/dns-bcp.html
TMekeelCommented:
Also, can you look at your firewall and see if the attacks are coming from only a few static addresses on UDP 53?

If so, block them so that at least the attacks slow down while you research options to harden your servers.
hmcnastyAuthor Commented:
Is there anything in the packets that can tip me off as to whether or not it is an attack?

There are quite a few IPs showing up incoming on 53.  How much traffic is "normal"?
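As an added illustration (not code from this thread or from any of its participants) of what in the packets gives a reflection attack away: a small Python script that reads Windows DNS debug log lines and flags sources that send many UDP queries of type ANY, or for zones the server does not host. It assumes debug logging is turned on in the DNS console, the simplified dns.log line layout shown in the constructed sample, and a constructed set of hosted zones; in a reflection attack the flagged "source" is the spoofed victim, not the attacker, so it is a candidate for rate limiting rather than blame.

```python
import re
from collections import defaultdict

# Zones this server is authoritative for (constructed for the example).
HOSTED_ZONES = {"example.com", "example.net"}

# Inbound request line of a Windows DNS debug log (dns.log), simplified form:
# "... UDP Rcv <client ip> <xid> Q [flags] <qtype> <name as (len)label...(0)>"
LOG_RE = re.compile(
    r"UDP\s+Rcv\s+(?P<ip>\S+)\s+\S+\s+Q\s+\[[^\]]*\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)"
)

def decode_name(label_form):
    """Turn '(7)example(3)com(0)' into 'example.com'."""
    labels = re.findall(r"\((\d+)\)([^(]*)", label_form)
    return ".".join(text for length, text in labels if int(length) > 0)

def zone_of(name):
    """Return the hosted zone a name falls under, or None if we are not authoritative."""
    parts = name.lower().split(".")
    for i in range(len(parts)):
        if ".".join(parts[i:]) in HOSTED_ZONES:
            return ".".join(parts[i:])
    return None

def flag_sources(lines, min_queries=5, any_ratio=0.5, foreign_ratio=0.5):
    """Per-source summary of inbound UDP queries; flag the reflection pattern of many
    queries that are mostly type ANY or mostly for zones we do not host (open-resolver use)."""
    stats = defaultdict(lambda: {"total": 0, "any": 0, "foreign": 0})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        s["total"] += 1
        s["any"] += m["qtype"].upper() == "ANY"
        s["foreign"] += zone_of(decode_name(m["name"])) is None
    return {ip: s for ip, s in stats.items()
            if s["total"] >= min_queries
            and (s["any"] / s["total"] >= any_ratio
                 or s["foreign"] / s["total"] >= foreign_ratio)}

# Constructed sample log: six ANY queries for a zone we do not host, all "from"
# 198.51.100.7 (the spoofed reflection target), plus normal lookups for our own zones.
PREFIX = "5/16/2013 10:02:03 AM 0E04 PACKET 00000000028D5B80 UDP Rcv "
SAMPLE_LOG = [PREFIX + "198.51.100.7 0002 Q [0001 D NOERROR] ANY (4)isc(3)org(0)"] * 6 + [
    PREFIX + "192.0.2.10 0003 Q [0001 D NOERROR] A (3)www(7)example(3)com(0)",
    PREFIX + "192.0.2.10 0004 Q [0001 D NOERROR] MX (7)example(3)net(0)",
    PREFIX + "203.0.113.5 0005 Q [0001 D NOERROR] A (7)example(3)com(0)",
]
```

Run `flag_sources(SAMPLE_LOG)` to get the flagged sources with their counts; on a real server feed it the lines of dns.log instead of the constructed sample.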
hmcnastyAuthor Commented:
Hi.  We ended up moving all our DNS to our F5 unit and that solved the problem.  There seem to be more vulnerabilities using Windows for DNS.  We were able to identify the bad packets coming in but were unable to write a custom signature in our firewall to stop them. I'm going to award the points to TMekeel because his comments really helped me/us figure out what was going on during the attack, not to mention the insight into Windows DNS.

Thanks,

Wes
hmcnastyAuthor Commented:
Thanks TMekeel for sticking with this and I apologize for not getting back to you sooner.

Wes