Paula Wong
asked on
DNS rebinding attack
I am getting a lot of alerts in the Sonic Wall 205 with 'DNS rebinding attack' logs. It appears to be inbound from the Comcast dns servers.
The dns setting is to set to log attack only and I tried changing it to log and drop but after several days, it caused dns to not resolve at all. I changed it. I think this is causing a performance issue with our internet circuit. We have a 100MB circuit but the speedtest.net shows only 27MB at times.
I also tried switching it to a openDNS (208.67.222.222) and that didn't seem to help.
Just wondering how I can go about resolving this.
The dns setting is to set to log attack only and I tried changing it to log and drop but after several days, it caused dns to not resolve at all. I changed it. I think this is causing a performance issue with our internet circuit. We have a 100MB circuit but the speedtest.net shows only 27MB at times.
I also tried switching it to a openDNS (208.67.222.222) and that didn't seem to help.
Just wondering how I can go about resolving this.
Drop all inbound port 53 requests on the outside interface. This will at least relieve the firewall from having to process the packet and thus might improve performance. No way to prevent the traffic from coming to you but if there is no service responding, they might go away because it is a waste of time to keep hitting your link.
ASKER
Would the source port be udp 53 or destination be udp 53?
ASKER
What about dns replies to users issuing a dns query? Would those traffic be blocked too?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Main performance issue was related to ISP.