?
Solved

DNS rebinding attack

Posted on 2014-02-14
5
Medium Priority
?
874 Views
1 Endorsement
Last Modified: 2014-02-15
I am getting a lot of alerts in the Sonic Wall 205 with 'DNS rebinding attack' logs.  It appears to be inbound from the Comcast dns servers.  

The dns setting is to set to log attack only and I tried changing it to log and drop but after several days, it caused dns to not resolve at all.  I changed it.  I think this is causing a performance issue with our internet circuit.  We have a 100MB circuit but the speedtest.net shows only 27MB at times.

I also tried switching it to a openDNS (208.67.222.222) and that didn't seem to help.

Just wondering how I can go about resolving this.
1
Comment
Question by:LateNaite
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 11

Expert Comment

by:Gregory Miller
ID: 39860507
Drop all inbound port 53 requests on the outside interface. This will at least relieve the firewall from having to process the packet and thus might improve performance. No way to prevent the traffic from coming to you but if there is no service responding, they might go away because it is a waste of time to keep hitting your link.
0
 

Author Comment

by:LateNaite
ID: 39860600
Would the source port be udp 53 or destination be udp 53?
0
 

Author Comment

by:LateNaite
ID: 39860603
What about dns replies to users issuing a dns query?  Would those traffic be blocked too?
0
 
LVL 11

Accepted Solution

by:
Gregory Miller earned 1000 total points
ID: 39861311
Replies to a request originating from your router/firewall should not be blocked. Your router/firewall configuration may require tweaking to avoid this problem but generally it should not block them. The only thing that should be blocked is traffic not originating from your LAN on port 53.

The DST port is 53. The source port will most always be random...
0
 

Author Comment

by:LateNaite
ID: 39862276
Main performance issue was related to ISP.
0

Featured Post

WatchGuard's M Series Appliances - Miecom Approved

WatchGuard's newest M series appliances were put to the test by Miercom.  We had great results and outperformed all of our competitors in both stateless and stateful traffic throghput scenarios! Ready to see how your UTM appliance stacked up? Download the Miercom Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question