DNS Flood
Hello my dear, I have a client generating a lot of DNS traffic over the network, I would like to know a smart way to solve this problem, I looked at some mangrove rules, but I would like something that caught only the clients that generate this unnecessary traffic and perhaps puts them on a blacklist or redirects them.
You do not have the required permissions to view the files attached to this post.
Re: DNS Flood
This looks like normal traffic, DNS resolvers use a new socket for every resolution as an added protection against DNS spoofing. I would not consider 28kbps a "flood".
Re: DNS Flood
This image was for 1 second, the client generates that amount several times, figuring out further to find out his CPE was "hacked". But I would like to know about this traffic before it gets worse, in this case I redirected the client to a secondary DNS
Re: DNS Flood
Hi
You could rate limit access to dns /ip basis. can be done in firewall
Ex:
You could rate limit access to dns /ip basis. can be done in firewall
Ex:
Code: Select all
add action=accept chain=prerouting comment="Accept: dns < limit" dst-limit=10,20,src-address/1m protocol=udp ...
add action=drop chain=prerouting comment="Drop: dns" protocol=udp ...
Re: DNS Flood
That's still well within the realm of normal traffic. The user could have a bittorrent client open for example that is doing reverse lookups on connecting IPs. You should always be careful with setting limits as not every user is the same and one person's outlier is another's normal traffic.This image was for 1 second, the client generates that amount several times, figuring out further to find out his CPE was "hacked". But I would like to know about this traffic before it gets worse, in this case I redirected the client to a secondary DNS
Obviously if you've determined the CPE is hacked then the discussion about DNS is moot, you should wipe and reinstall the CPE
.Re: DNS Flood
Well, I created the following rule, and so far it's helping me by putting the IP address on a temporary blacklist.
Code: Select all
/ip firewall mangle add chain=postrouting protocol=udp dst-port=53 connection-limit=500,32 address-list-timeout=60m action=add-src-to-address-list address-list="DNS_FLOOD" comment="DNS_FLOOD_MANGLE"Re: DNS Flood
small bump
Ive setup pihole and use it as a DNS for my Mikrotik router (RB4011) only. Clients in LAN use 8.8.8.8 as of now.
In a matter of less than 30min Mikrotik sent more than 10000 queries.
Is this normal ? Im not allowing remote requests btw
EDIT: Solved
Ive setup pihole and use it as a DNS for my Mikrotik router (RB4011) only. Clients in LAN use 8.8.8.8 as of now.
In a matter of less than 30min Mikrotik sent more than 10000 queries.
Is this normal ? Im not allowing remote requests btw
EDIT: Solved
You do not have the required permissions to view the files attached to this post.
Re: DNS Flood
How did you solve it?small bump
Ive setup pihole and use it as a DNS for my Mikrotik router (RB4011) only. Clients in LAN use 8.8.8.8 as of now.
In a matter of less than 30min Mikrotik sent more than 10000 queries.
Is this normal ? Im not allowing remote requests btw
Screenshot_2021-01-04 Pi-hole - pihole-ubuntu.png
EDIT: Solved
Re: DNS Flood
I would look at those dns requests in a sniffer , to see what is going on.
Who is online
Users browsing this forum: almdandi, StupidProgrammer and 48 guests