Solved

DNS rebinding attack

Posted on 2014-02-14
5
784 Views
1 Endorsement
Last Modified: 2014-02-15
I am getting a lot of alerts in the Sonic Wall 205 with 'DNS rebinding attack' logs.  It appears to be inbound from the Comcast dns servers.  

The dns setting is to set to log attack only and I tried changing it to log and drop but after several days, it caused dns to not resolve at all.  I changed it.  I think this is causing a performance issue with our internet circuit.  We have a 100MB circuit but the speedtest.net shows only 27MB at times.

I also tried switching it to a openDNS (208.67.222.222) and that didn't seem to help.

Just wondering how I can go about resolving this.
1
Comment
Question by:LateNaite
  • 3
  • 2
5 Comments
 
LVL 11

Expert Comment

by:Gregory Miller
ID: 39860507
Drop all inbound port 53 requests on the outside interface. This will at least relieve the firewall from having to process the packet and thus might improve performance. No way to prevent the traffic from coming to you but if there is no service responding, they might go away because it is a waste of time to keep hitting your link.
0
 

Author Comment

by:LateNaite
ID: 39860600
Would the source port be udp 53 or destination be udp 53?
0
 

Author Comment

by:LateNaite
ID: 39860603
What about dns replies to users issuing a dns query?  Would those traffic be blocked too?
0
 
LVL 11

Accepted Solution

by:
Gregory Miller earned 500 total points
ID: 39861311
Replies to a request originating from your router/firewall should not be blocked. Your router/firewall configuration may require tweaking to avoid this problem but generally it should not block them. The only thing that should be blocked is traffic not originating from your LAN on port 53.

The DST port is 53. The source port will most always be random...
0
 

Author Comment

by:LateNaite
ID: 39862276
Main performance issue was related to ISP.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question