DNS Flood
Posted: Fri Dec 07, 2018 6:47 pm
by Jefte
Hello my dear, I have a client generating a lot of DNS traffic over the network. I would like to know a smart way to solve this problem. I looked at some mangle rules, but I would like something that catches only the clients that generate this unnecessary traffic and perhaps puts them on a blacklist or redirects them.
Re: DNS Flood
Posted: Fri Dec 07, 2018 8:47 pm
by R1CH
This looks like normal traffic; DNS resolvers use a new socket for every resolution as an added protection against DNS spoofing. I would not consider 28 kbps a "flood".
Re: DNS Flood
Posted: Fri Dec 07, 2018 9:54 pm
by Jefte
This image was for 1 second; the client generates that amount several times. Looking further, I found out his CPE was "hacked". But I would like to know about this traffic before it gets worse; in this case I redirected the client to a secondary DNS.
Re: DNS Flood
Posted: Fri Dec 07, 2018 10:27 pm
by sebastia
Hi,
You could rate limit DNS access on a per-IP basis. It can be done in the firewall.
Ex:
add action=accept chain=prerouting comment="Accept: dns < limit" dst-limit=10,20,src-address/1m protocol=udp ...
add action=drop chain=prerouting comment="Drop: dns" protocol=udp ...
Re: DNS Flood
Posted: Fri Dec 07, 2018 11:37 pm
by R1CH
This image was for 1 second; the client generates that amount several times. Looking further, I found out his CPE was "hacked". But I would like to know about this traffic before it gets worse; in this case I redirected the client to a secondary DNS.
That's still well within the realm of normal traffic. The user could have a BitTorrent client open, for example, that is doing reverse lookups on connecting IPs. You should always be careful with setting limits, as not every user is the same and one person's outlier is another's normal traffic.
Obviously, if you've determined the CPE is hacked, then the discussion about DNS is moot; you should wipe and reinstall the CPE.
Re: DNS Flood
Posted: Thu Dec 20, 2018 1:36 pm
by Jefte
Well, I created the following rule, and so far it's helping me by putting the IP address on a temporary blacklist.
/ip firewall mangle add chain=postrouting protocol=udp dst-port=53 connection-limit=500,32 address-list-timeout=60m action=add-src-to-address-list address-list="DNS_FLOOD" comment="DNS_FLOOD_MANGLE"
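As an added example (not code from the thread or from MikroTik), the following Python script models the per-source token bucket that a dst-limit=10,20,src-address match applies, using the rate and burst from sebastia's rule, and shows how a following add-src-to-address-list rule like Jefte's would treat a busy-but-normal client versus a runaway CPE. The traffic is constructed, the function and host names are made up, and the bucket is an approximation of RouterOS behaviour, not its implementation.

```python
# Added example: approximate RouterOS dst-limit=<rate>,<burst>,src-address
# as a per-source token bucket over constructed DNS query timestamps.
# RouterOS internals may differ; this is for reasoning about a limit
# before deploying it, not a reproduction of the firewall code.
from collections import defaultdict

RATE = 10    # tokens (packets) per second, from dst-limit=10,...
BURST = 20   # bucket size, from dst-limit=...,20,...


def apply_dst_limit(events, rate=RATE, burst=BURST):
    """events: list of (time_ms, src_ip), in any order.

    Returns {src_ip: {"accepted": n, "dropped": n}}. A source with any
    dropped packet is what a following add-src-to-address-list rule
    would place on the DNS_FLOOD list.
    """
    tokens = {}       # src -> remaining tokens
    last_ms = {}      # src -> time of this source's last packet
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for t_ms, src in sorted(events):
        if src not in tokens:
            tokens[src], last_ms[src] = burst, t_ms
        # refill at `rate` per second since the last packet, capped at burst
        tokens[src] = min(burst, tokens[src] + (t_ms - last_ms[src]) * rate / 1000)
        last_ms[src] = t_ms
        if tokens[src] >= 1:
            tokens[src] -= 1
            stats[src]["accepted"] += 1
        else:
            stats[src]["dropped"] += 1
    return dict(stats)


def flooders(stats):
    """Sources that exceeded the limit at least once (would be listed)."""
    return sorted(src for src, s in stats.items() if s["dropped"])


# Constructed traffic: a normal client at 10 queries/s for 5 s (a torrent
# client doing reverse lookups, as R1CH describes) and a CPE at 40/s.
NORMAL = [(i * 100, "192.168.88.10") for i in range(50)]
CPE = [(i * 25, "192.168.88.20") for i in range(200)]

if __name__ == "__main__":
    result = apply_dst_limit(NORMAL + CPE)
    for src, s in sorted(result.items()):
        print(src, s)
    print("would be listed:", flooders(result))
```

Changing RATE and BURST shows how close a legitimate client gets to the list before the rule goes live.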
Re: DNS Flood
Posted: Mon Jan 04, 2021 9:41 pm
by bazanga
small bump
I've set up pihole and use it as a DNS for my MikroTik router (RB4011) only. Clients in LAN use 8.8.8.8 as of now.
In a matter of less than 30 min, MikroTik sent more than 10000 queries.
Is this normal? I'm not allowing remote requests, btw.
Screenshot_2021-01-04 Pi-hole - pihole-ubuntu.png
EDIT: Solved
Re: DNS Flood
Posted: Tue Feb 16, 2021 3:37 am
by Lebzul
small bump
I've set up pihole and use it as a DNS for my MikroTik router (RB4011) only. Clients in LAN use 8.8.8.8 as of now.
In a matter of less than 30 min, MikroTik sent more than 10000 queries.
Is this normal? I'm not allowing remote requests, btw.
Screenshot_2021-01-04 Pi-hole - pihole-ubuntu.png
EDIT: Solved
How did you solve it?
Re: DNS Flood
Posted: Wed Feb 17, 2021 7:13 pm
by 16again
I would look at those DNS requests in a sniffer, to see what is going on.