hotspot and open recursive DNS attacks

We have several hotspot deployments and have run into a problem where they are being used as an Open Resolver in DNS slow drip DDoS attacks. We have tried to mitigate it by dropping input packets destined for UDP and TCP port 53, however this seems to affect our clients.

The reason this is impacting us is because we also use OpenDNS and Google DNS; this causes our IPs to be rate limited and queries are no longer replied to. I have offloaded the client DNS traffic by setting NAT rules 2 and 3 to hotspot=!auth, however there still seems to be a problem.

I’m looking for any suggestions from anyone who may have run into this kind of problem.

As the attack comes from your internal network, dropping or rate-limiting isn’t a fix… as you said it will impact normal users.

Have you analyzed the queries? Mikrotik DNS (see http://wiki.mikrotik.com/wiki/Manual:IP/DNS#Static_DNS_Entries ) has a feature to use regular expressions, that could be used to set dummy entries for those “dummy” queries; it will depend on your attack specifics.

Are you running a DNS cache? I’d make it large enough to offload external queries as much as possible.
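As an added illustration (not configuration from either poster), the RouterOS commands below combine the three points raised in this thread: keep the router answering DNS for hotspot clients but stop answering port 53 from the WAN side, sink the junk query pattern locally with a regexp static entry, and enlarge the cache. The WAN interface name `ether1-wan`, the hotspot bridge `bridge-hotspot` and the domain `victim-domain.example` are placeholders to be replaced with the real attack pattern seen in the query logs.

```routeros
# Placeholder names: ether1-wan, bridge-hotspot, victim-domain.example

# 1. Keep the resolver on for LAN/hotspot clients, but drop DNS
#    arriving on the WAN interface instead of dropping all port 53
#    input (which is what broke the hotspot clients).
/ip firewall filter
add chain=input in-interface=bridge-hotspot protocol=udp dst-port=53 \
    action=accept comment="DNS from hotspot clients (incl. !auth redirect)"
add chain=input in-interface=bridge-hotspot protocol=tcp dst-port=53 \
    action=accept comment="DNS over TCP from hotspot clients"
add chain=input in-interface=ether1-wan protocol=udp dst-port=53 \
    action=drop comment="no open resolver toward the Internet"
add chain=input in-interface=ether1-wan protocol=tcp dst-port=53 \
    action=drop comment="no open resolver toward the Internet (TCP)"

# 2. Answer the random-subdomain flood locally so it never reaches
#    OpenDNS/Google DNS. The regexp must match the pattern actually
#    observed in the queries; this one is only an example.
/ip dns static
add regexp="^.*\\.victim-domain\\.example\$" address=127.0.0.1 \
    comment="sink slow-drip queries for victim-domain.example"

# 3. Larger cache so repeated legitimate queries are served locally.
/ip dns
set allow-remote-requests=yes cache-size=8192KiB cache-max-ttl=1d

# Verify: external queries should now be refused, and the sink entry
# should show hits in /ip dns cache after the flood starts.
/ip dns cache print where name~"victim-domain"
```

Matching on `in-interface` rather than on port alone is what lets the hotspot login redirect keep working while the router stops being an open resolver from outside.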