How to throttle misconfigured clients?

How to throttle misconfigured clients?

von Dein, Thomas
Hello,

We're seeing a lot of malformed DNS queries to our recursive nameservers like these:

06:38:32.733678 IP client.59003 > nameserver2.53: 21974+ AAAA? notification. (30)
06:38:32.734079 IP nameserver2.53 > client.59003: 21974 NXDomain 0/1/0 (105)
06:38:33.216732 IP client.59003 > nameserver2.53: 63187+ AAAA? antivirusix. (29)
06:38:33.218090 IP nameserver2.53 > client.59003: 63187 NXDomain 0/1/0 (104)
06:38:35.417973 IP client.59003 > nameserver2.53: 53861+ AAAA? kubeinspect. (29)
06:38:35.418420 IP nameserver2.53 > client.59003: 53861 NXDomain 0/1/0 (104)
06:38:37.729107 IP client.59003 > nameserver2.53: 11185+ AAAA? organization. (30)
06:38:37.729539 IP nameserver2.53 > client.59003: 11185 NXDomain 0/1/0 (105)
06:38:38.158519 IP client.59003 > nameserver2.53: 14657+ AAAA? history. (25)
06:38:38.158897 IP nameserver2.53 > client.59003: 14657 NXDomain 0/1/0 (100)
06:38:38.571983 IP client.59003 > nameserver2.53: 29269+ AAAA? go-kms. (24)
06:38:38.572437 IP nameserver2.53 > client.59003: 29269 NXDomain 0/1/0 (99)

Obviously these clients (there are many) are misconfigured in some weird way. But sometimes they send valid queries. So, what I'd like to do is to throttle them down somehow when they start to send these queries. And I only want to do this for clients in this specific source network, not for all.

The only idea I had so far was to configure these "zones" as forward zones and add a non-reachable forwarder so that the queries time out, thus throttling down the clients. But I hope there's a more official or cleaner way to do this.

Is this possible?



Thanks in advance,
Tom
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
RE: How to throttle misconfigured clients?

Gabriel Fornaeus
You could set a global rate limit for responses per IP, which is "high enough" for normal use but blocking when they start misbehaving. Just remember to change the size of the netmask used to block; I think the default is a /24 or something.
I don't know what a sane level is for you though. We use 100/second and then blocked for 5 seconds, which seems to work fairly well at keeping load down.


Kind Regards
Gabriel Fornaeus | Systems technician
IT Operations | IP-Only AB | Switchboard: +46188431000 | Direct +46104788241

Re: How to throttle misconfigured clients?

Tony Finch
In reply to this post by von Dein, Thomas
von Dein, Thomas <[hidden email]> wrote:
>
> we're seeing a lot of malformed dns queries to our recursive nameservers
> like these:

[snip queries for notification. / antivirusix. / kubeinspect. /
organization. / history. / go-kms. ]

> Obviously these clients (there are many) are misconfigured in some weird
> way. But sometimes they send valid queries. So, what I'd like to do is
> to throttle them down somehow when they start to send these queries. And
> I only want to do this for clients in this specific source network, not
> for all.

Response rate limiting (RRL) does something roughly like what you want: it
suppresses answers to repeated queries. However, it is designed to deal
with abusive traffic with spoofed source addresses, whereas your problem
traffic is legitimate.

https://ftp.isc.org/isc/bind9/cur/9.16/doc/arm/Bv9ARM.ch05.html#rrl

You should be extremely wary of rate-limiting non-abuse traffic on a
recursive server, because it can cause some very hard-to-debug problems,
e.g. your queries look vaguely cloud-flavoured which reminds me of
https://www.awsadvent.com/2018/12/07/working-with-aws-limits/

A better approach might be to find the people who aren't configuring their
systems with a default domain name or search path, and gently teach them
the error of their ways :-)

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Forties: Cyclonic becoming northwest 5 or 6. Moderate or rough. Wintry
showers. Good.
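Putting the two replies together (Gabriel's per-IP response limit with a /32 mask instead of the /24 default, 100 per second over a 5-second window, and Tony's RRL pointer plus his caution about throttling legitimate traffic), here is an added named.conf sketch; it is not configuration from either poster or from the original question. A view scopes RRL to Tom's single source network, the ACL addresses are constructed placeholders, and log-only lets the limit be observed before it is enforced.

```conf
// Added example, not from the thread. Addresses are constructed placeholders:
// 192.0.2.0/24 stands in for the misbehaving source network, and
// 198.51.100.0/24 for hosts that must never be throttled.
acl noisy-net   { 192.0.2.0/24; };
acl trusted-net { 198.51.100.0/24; };

// Views are matched in order and the first match wins, so the throttled
// view must come before the catch-all. Once views are used, every zone
// (including local ones) has to be declared inside a view.
view "throttled" {
    match-clients { noisy-net; };
    recursion yes;
    rate-limit {
        // RRL counts all NXDOMAIN answers under the same zone as one
        // identical response. The names in the capture (notification.,
        // go-kms., ...) all fail under the root zone, so they share one
        // bucket and this is the limit that trips first.
        nxdomains-per-second 100;
        responses-per-second 100;    // identical positive answers
        window 5;                    // seconds the rate is measured over
        ipv4-prefix-length 32;       // per host; the default is 24
        exempt-clients { trusted-net; };
        log-only yes;                // only log "would drop"; set to no to enforce
    };
};

view "default" {
    match-clients { any; };
    recursion yes;
    // regular configuration for everyone else, including local zones
};
```

With log-only in place, "rate-limit" lines in the named log show which clients and names would have been dropped, which is the check Tony's warning asks for before the limit is turned on.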