DNS Flood

Jefte · December 7, 2018, 4:47pm

Hello my dear, I have a client generating a lot of DNS traffic over the network, I would like to know a smart way to solve this problem, I looked at some mangrove rules, but I would like something that caught only the clients that generate this unnecessary traffic and perhaps puts them on a blacklist or redirects them.

R1CH · December 7, 2018, 6:47pm

This looks like normal traffic, DNS resolvers use a new socket for every resolution as an added protection against DNS spoofing. I would not consider 28kbps a “flood”.

Jefte · December 7, 2018, 7:54pm

This image was for 1 second, the client generates that amount several times, figuring out further to find out his CPE was “hacked”. But I would like to know about this traffic before it gets worse, in this case I redirected the client to a secondary DNS

sebastia · December 7, 2018, 8:27pm

Hi

You could rate limit access to dns /ip basis. can be done in firewall

Ex:

add action=accept chain=prerouting comment="Accept: dns < limit" dst-limit=10,20,src-address/1m protocol=udp ...
add action=drop chain=prerouting comment="Drop: dns" protocol=udp ...

R1CH · December 7, 2018, 9:37pm

That’s still well within the realm of normal traffic. The user could have a bittorrent client open for example that is doing reverse lookups on connecting IPs. You should always be careful with setting limits as not every user is the same and one person’s outlier is another’s normal traffic.

Obviously if you’ve determined the CPE is hacked then the discussion about DNS is moot, you should wipe and reinstall the CPE .

Jefte · December 20, 2018, 11:36am

Well, I created the following rule, and so far it’s helping me by putting the IP address on a temporary blacklist.

/ip firewall mangle add chain=postrouting protocol=udp dst-port=53 connection-limit=500,32 address-list-timeout=60m action=add-src-to-address-list address-list="DNS_FLOOD" comment="DNS_FLOOD_MANGLE"

bazanga · January 4, 2021, 7:41pm

small bump

Ive setup pihole and use it as a DNS for my Mikrotik router (RB4011) only. Clients in LAN use 8.8.8.8 as of now.
In a matter of less than 30min Mikrotik sent more than 10000 queries.

Is this normal ? Im not allowing remote requests btw
Screenshot_2021-01-04 Pi-hole - pihole-ubuntu.png
EDIT: Solved

Lebzul · February 16, 2021, 1:37am

How did you solve it?

16again · February 17, 2021, 5:13pm

I would look at those dns requests in a sniffer , to see what is going on.