DNS Attack - DNS Policy problems with disabling forward for External Clients

Bogdan Florin 1 Reputation point
2023-12-31T21:08:03.07+00:00

Situation:

  • I have a few DNS servers with real IPs and a single interface

Problem:

  • for 5 days I have been receiving 20-30,000 sessions per second to my DNS servers to resolve every imaginable and unimaginable DNS query from millions of IPs; there is a heavy DNS attack

Solution:

  • after I read everything on the internet about DNS Policy I concluded this should be my solution, but in the end it is NOT WORKING.
  • I'm looking for WORKING DNS Policy commands that fit my vision

DNS Policy Desired:

  • define subnets of internal clients
  • create a policy for resolving all internal clients' requests
  • create another policy for stopping recursion for requests coming from the external Internet

To avoid any misunderstanding I will present here the commands I ran and the result I got


Create the Subnets

Add-DnsServerClientSubnet -Name "IP-01" -IPv4Subnet xx.xx.xx.xx/24
Add-DnsServerClientSubnet -Name "IP-02" -IPv4Subnet yy.yy.yy.yy/20
Add-DnsServerClientSubnet -Name "IP-03" -IPv4Subnet zz.zz.zz.zz/22
Add-DnsServerClientSubnet -Name "IP-04" -IPv4Subnet hh.hh.hh.hh/26
Add-DnsServerClientSubnet -Name "IP-ALL" -IPv4Subnet 0.0.0.0/0


(Reference CLI)

View the Client Subnet: Get-DnsServerClientSubnet
Remove a Client Subnet: Remove-DnsServerClientSubnet -Name "IP-01"


Create the Scope - Disable Recursion for External DNS Clients
Set-DnsServerRecursionScope -Name . -EnableRecursion $False
Add-DnsServerRecursionScope -Name "IP-01" -EnableRecursion $True
Add-DnsServerRecursionScope -Name "IP-02" -EnableRecursion $True
Add-DnsServerRecursionScope -Name "IP-03" -EnableRecursion $True
Add-DnsServerRecursionScope -Name "IP-04" -EnableRecursion $True
Add-DnsServerRecursionScope -Name "IP-ALL" -EnableRecursion $False


(Reference CLI)

View the Scope: Get-DnsServerRecursionScope
Remove a Scope: Remove-DnsServerRecursionScope -Name "IP-01"
! If you remove all scopes you have to run: Set-DnsServerRecursionScope -Name . -EnableRecursion $True


Create the Policies - DNS2

Add-DnsServerQueryResolutionPolicy -Name "DNS-Policy-01" -Action ALLOW -ApplyOnRecursion -RecursionScope "IP-01" -ServerInterfaceIP "EQ,ii.ii.ii.ii"
Add-DnsServerQueryResolutionPolicy -Name "DNS-Policy-02" -Action ALLOW -ApplyOnRecursion -RecursionScope "IP-02" -ServerInterfaceIP "EQ,ii.ii.ii.ii"
Add-DnsServerQueryResolutionPolicy -Name "DNS-Policy-03" -Action ALLOW -ApplyOnRecursion -RecursionScope "IP-03" -ServerInterfaceIP "EQ,ii.ii.ii.ii"
Add-DnsServerQueryResolutionPolicy -Name "DNS-Policy-04" -Action ALLOW -ApplyOnRecursion -RecursionScope "IP-04" -ServerInterfaceIP "EQ,ii.ii.ii.ii"
Add-DnsServerQueryResolutionPolicy -Name "StopForward" -Action IGNORE -ClientSubnet "EQ,IP-ALL" -PassThru | Format-List *


(Reference CLI)

View the Server Policy: Get-DnsServerQueryResolutionPolicy
Remove a Server Policy: Remove-DnsServerQueryResolutionPolicy -Name "DNS-Policy-01"

The result of these commands is this policy order:
Get-DnsServerQueryResolutionPolicy

Name            ProcessingOrder  IsEnabled  Action
----            ---------------  ---------  ------
StopForward     1                True       Ignore
DNS-Policy-01   1                True       Allow
DNS-Policy-02   2                True       Allow
DNS-Policy-03   3                True       Allow
DNS-Policy-04   4                True       Allow

Right now there are 2 problems:

  1. Based on the processing order the DNS server should not process ANY request, because StopForward refers to the subnet defining ALL IPv4 space .... but the DNS works with no problems !!!
  2. I tried to find a CLI for setting processing order 5 for the StopForward rule but I was not able to find how.

Please advise how I can achieve:

  1. Allowing internal clients to use DNS as normal (and at the same time ...)
  2. Requests coming from the Internet being resolved ONLY if they ask about resources (zones) already on the server, and TRULY DISABLING recursion for these external requests.

It is possible that DNS Policy does not yet have a strong notion of hierarchy like a firewall, but if there is someone who can help me please do it.

More info:

  • in front of the DNS servers I have a firewall, and I set up a rule with DNS Filter with Static Domain with the purpose of allowing only DNS requests about those domains to reach the server .. but .. guess what .. this is not working either :) I already created a ticket with them about the DNS filtering issue :)
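The configuration below is an added example for the single-interface case described in the post; it is not part of the original question and not a Microsoft answer. The recursion policies in the post select the recursion scope with -ServerInterfaceIP, and on a server with one interface every query, internal or external, matches that criterion and is handed the recursion-enabled scope; keying the recursion policy on -ClientSubnet instead makes the match depend on who is asking. The 0.0.0.0/0 subnet and the IGNORE-everything policy are not needed: a query that matches no recursion policy falls into the default scope ".", and that is where recursion is switched off. The subnet prefixes (RFC 5737 documentation ranges), the zone names example.com and example.net, the scope and policy names, and the server address in the final check are all placeholders.

```powershell
# Added example (not from the original post): selective recursion on a
# single-interface Windows DNS server, keyed on the CLIENT subnet.
# Run in an elevated PowerShell session on the DNS server.
Import-Module DnsServer

# 1. Internal client subnets. Placeholder prefixes: replace with your own.
$internalSubnets = @{
    'IP-01' = '192.0.2.0/24'
    'IP-02' = '198.51.100.0/24'
    'IP-03' = '203.0.113.0/24'
}
foreach ($name in $internalSubnets.Keys) {
    if (-not (Get-DnsServerClientSubnet -Name $name -ErrorAction SilentlyContinue)) {
        Add-DnsServerClientSubnet -Name $name -IPv4Subnet $internalSubnets[$name]
    }
}
# Comma-separated criterion values: "EQ,IP-01,IP-02,IP-03" means "any of these".
$internalList = $internalSubnets.Keys -join ','

# 2. Default recursion scope "." catches every query not matched by a
#    recursion policy, i.e. the Internet. Recursion OFF here means those
#    clients only get data from zones this server hosts.
Set-DnsServerRecursionScope -Name . -EnableRecursion $false

# 3. One scope with recursion ON, reserved for internal clients.
if (-not (Get-DnsServerRecursionScope -Name 'InternalRecursion' -ErrorAction SilentlyContinue)) {
    Add-DnsServerRecursionScope -Name 'InternalRecursion' -EnableRecursion $true
}

# 4. One recursion policy that picks that scope by client subnet.
#    (-ServerInterfaceIP would match every query on a single-interface server.)
Add-DnsServerQueryResolutionPolicy -Name 'InternalRecursionPolicy' `
    -Action ALLOW -ApplyOnRecursion -RecursionScope 'InternalRecursion' `
    -ClientSubnet "EQ,$internalList"

# 5. Optional: silently drop (IGNORE) external queries for names outside the
#    hosted zones, so not even a refusal goes back to a spoofed source address.
#    Condition AND: client is NOT internal AND name is NOT in a hosted zone.
#    Zone names are placeholders; list every zone the server is authoritative for.
Add-DnsServerQueryResolutionPolicy -Name 'DropExternalNonAuthoritative' `
    -Action IGNORE -Condition AND `
    -ClientSubnet "NE,$internalList" `
    -Fqdn 'NE,*.example.com,*.example.net'

# 6. Verify. Recursion policies (ApplyOnRecursion) and ordinary query policies
#    are separate ordered lists, which is why two entries can both show
#    ProcessingOrder 1. The order within a list can be changed with
#    Set-DnsServerQueryResolutionPolicy -Name <policy> -ProcessingOrder <n>.
Get-DnsServerRecursionScope | Format-Table Name, EnableRecursion
Get-DnsServerQueryResolutionPolicy | Format-List *

# 7. Functional check. From a host on an internal subnet this resolves; from
#    an external host it must not return a recursive answer for a name the
#    server does not host (with step 5 applied, it gets no reply at all).
$dnsServer = '192.0.2.53'   # placeholder: the DNS server's public address
Resolve-DnsName -Name www.microsoft.com -Type A -Server $dnsServer -DnsOnly
```

Two caveats for a server under this kind of load: an authoritative query from an external client still gets an answer, so response rate limiting (Set-DnsServerResponseRateLimiting) is the complementary control against amplification through the hosted zones; and the interface-level recursion toggle in the DNS Manager GUI is a different, server-wide setting from the recursion scopes above, so check both when comparing results.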