DNS Attack - DNS Policy problems with disabling forward for External Clients
Situation:
- I have a few DNS servers with real IPs and a single interface
Problem:
- For 5 days I have been receiving 20-30,000 sessions per second to my DNS servers, resolving every imaginable and unimaginable DNS query from millions of IPs; there is a heavy DNS attack
Solution:
- After reading everything on the internet about DNS Policy, I concluded this should be my solution, but in the end it is NOT WORKING.
- I'm looking for WORKING DNS Policy commands that fit my vision
DNS Policy Desired:
- define subnets of internal clients
- creating a policy for resolving all Internal Clients Requests
- creating another policy for stopping recursion for the requests coming from the external Internet
To avoid any misunderstanding, I will present here the commands I ran and the results I got:
Create the Subnets
Add-DnsServerClientSubnet -Name "IP-01" -IPv4Subnet xx.xx.xx.xx/24
Add-DnsServerClientSubnet -Name "IP-02" -IPv4Subnet yy.yy.yy.yy/20
Add-DnsServerClientSubnet -Name "IP-03" -IPv4Subnet zz.zz.zz.zz/22
Add-DnsServerClientSubnet -Name "IP-04" -IPv4Subnet hh.hh.hh.hh/26
Add-DnsServerClientSubnet -Name "IP-ALL" -IPv4Subnet 0.0.0.0/0
(Reference CLI)
View the Client Subnet: Get-DnsServerClientSubnet
Remove a Client Subnet: Remove-DnsServerClientSubnet -Name "IP-01"
Create the Scope - Disable Recursion for External DNS Clients
Set-DnsServerRecursionScope -Name . -EnableRecursion $False
Add-DnsServerRecursionScope -Name "IP-01" -EnableRecursion $True
Add-DnsServerRecursionScope -Name "IP-02" -EnableRecursion $True
Add-DnsServerRecursionScope -Name "IP-03" -EnableRecursion $True
Add-DnsServerRecursionScope -Name "IP-04" -EnableRecursion $True
Add-DnsServerRecursionScope -Name "IP-ALL" -EnableRecursion $False
(Reference CLI)
View the Scope: Get-DnsServerRecursionScope
Remove a Scope: Remove-DnsServerRecursionScope -Name "IP-01"
! If you remove all scopes, you have to run: Set-DnsServerRecursionScope -Name . -EnableRecursion $True
Create the Policies - DNS2
Add-DnsServerQueryResolutionPolicy -Name "DNS-Policy-01" -Action ALLOW -ApplyOnRecursion -RecursionScope "IP-01" -ServerInterfaceIP "EQ,ii.ii.ii.ii"
Add-DnsServerQueryResolutionPolicy -Name "DNS-Policy-02" -Action ALLOW -ApplyOnRecursion -RecursionScope "IP-02" -ServerInterfaceIP "EQ,ii.ii.ii.ii"
Add-DnsServerQueryResolutionPolicy -Name "DNS-Policy-03" -Action ALLOW -ApplyOnRecursion -RecursionScope "IP-03" -ServerInterfaceIP "EQ,ii.ii.ii.ii"
Add-DnsServerQueryResolutionPolicy -Name "DNS-Policy-04" -Action ALLOW -ApplyOnRecursion -RecursionScope "IP-04" -ServerInterfaceIP "EQ,ii.ii.ii.ii"
Add-DnsServerQueryResolutionPolicy -Name "StopForward" -Action IGNORE -ClientSubnet "EQ,IP-ALL" -PassThru | Format-List *
(Reference CLI)
View the Server Policy: Get-DnsServerQueryResolutionPolicy
Remove a Server Policy: Remove-DnsServerQueryResolutionPolicy -Name "DNS-Policy-01"
The result of these commands is this policy order:
Get-DnsServerQueryResolutionPolicy
Name ProcessingOrder IsEnabled Action
StopForward 1 True Ignore
DNS-Policy-01 1 True Allow
DNS-Policy-02 2 True Allow
DNS-Policy-03 3 True Allow
DNS-Policy-04 4 True Allow
Right now there are 2 problems:
- Based on the processing order, the DNS server should not process ANY request, because StopForward refers to the subnet defining ALL IPv4 space .... but the DNS works with no problems !!!
- I tried to find a CLI command to set processing order 5 for the StopForward rule, but I was not able to find how.
Please advise how I can achieve:
- allowing Internal Clients to use DNS as normal (and at the same time...)
- requests coming from the internet being resolved ONLY if they ask about resources (zones) already on the server, and TRULY DISABLING recursion for these external requests.
It is possible that DNS Policy does not yet have a strong concept of hierarchy like a firewall, but if there is someone who can help me, please do.
More info:
- In front of the DNS servers I have a firewall, and I set up a rule with DNS Filter with Static Domain with the purpose of allowing only DNS requests about those domains to reach the server .. but .. guess what .. this is not working either :) I already created a ticket with them about the DNS Filtering issue :)
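Editor's added example (not the original poster's commands, and not an official Microsoft script): the selective-recursion configuration the post is aiming for, written as one PowerShell block. It follows the pattern Microsoft documents for Windows Server 2016+ DNS policy, with the recursion policy keyed on -ClientSubnet rather than only -ServerInterfaceIP, so that only the listed internal ranges are steered into a recursion-enabled scope. Everything else falls into the default scope ".", where recursion is off, which means an external client still gets authoritative answers for zones hosted on the server but no recursive resolution. A catch-all 0.0.0.0/0 subnet with an IGNORE policy is therefore not needed. The subnets, scope names and server address are placeholders to be replaced with your own values; -ProcessingOrder is the parameter the post was looking for, and policies created with -ApplyOnRecursion are ordered separately from non-recursion query policies (the listing in the post, where StopForward and DNS-Policy-01 both show order 1, is consistent with that).

```powershell
# Added example: allow recursion for internal subnets only, deny it for everyone else.
# Assumes the DnsServer module (Windows Server 2016 or later DNS Server role).
# All subnets, names and addresses below are placeholders for this example.
Import-Module DnsServer

# 1. One client-subnet object may carry several ranges, so a single name is enough.
Add-DnsServerClientSubnet -Name "InternalClients" `
    -IPv4Subnet "10.0.0.0/8", "172.16.0.0/20", "192.168.0.0/22"

# 2. Recursion OFF in the default scope ".". Any query that no ALLOW recursion
#    policy matches is handled here: hosted zones are still answered
#    authoritatively, names outside them are not resolved recursively.
Set-DnsServerRecursionScope -Name . -EnableRecursion $False

# 3. A separate scope with recursion ON, reachable only through the policy below.
Add-DnsServerRecursionScope -Name "InternalRecursion" -EnableRecursion $True

# 4. Tie the client subnet to the recursion-enabled scope. -ApplyOnRecursion
#    places the policy in the recursion policy list; -ProcessingOrder sets its
#    position in that list explicitly.
Add-DnsServerQueryResolutionPolicy -Name "AllowInternalRecursion" `
    -Action ALLOW -ApplyOnRecursion `
    -RecursionScope "InternalRecursion" `
    -ClientSubnet "EQ,InternalClients" `
    -ProcessingOrder 1

# 5. Review what was created. Expect "." with EnableRecursion False,
#    "InternalRecursion" with True, and one recursion policy in order 1.
Get-DnsServerRecursionScope
Get-DnsServerQueryResolutionPolicy

# 6. Verification, run from two vantage points against the server's public IP
#    (placeholder 203.0.113.10):
#    - from an internal host (inside one of the ranges above): resolves.
#    - from an external host: a name the server is authoritative for resolves;
#      a name outside hosted zones gets no recursive answer and the reply has
#      the RA (recursion available) flag clear.
Resolve-DnsName -Name "www.example.com" -Server 203.0.113.10 -DnsOnly
```

If a later change to the ordering is needed, Set-DnsServerQueryResolutionPolicy with -ProcessingOrder moves an existing policy without recreating it. Note that the policy above only limits recursion; it does not reduce the inbound packet rate of a flood, so Windows DNS response rate limiting (Set-DnsServerResponseRateLimiting) and the upstream firewall remain the tools for the volume problem described in the post.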