Forum Discussion
DNS Attack - DNS Policy problems with disabling forward for External Clients
Situation:
I have a few DNS servers with real IPs and a single interface (Windows Server 2022).
Problem:
For the last 25 days I have been receiving 20-30,000 sessions per second to my DNS servers, trying to resolve every imaginable and unimaginable DNS query from millions of IPs; there is a heavy DNS attack.
Solution:
After reading everything on the internet about DNS Policy, I concluded this should be my solution, but in the end it is NOT WORKING.
I'm looking for WORKING DNS Policy commands that fit my vision.
DNS Policy Desired:
Define subnets of internal clients
Create a policy for resolving all internal client requests
Create another policy for stopping recursion for requests coming from the external internet
To avoid any misunderstanding, I will present here the commands I ran and the result I got:
Create the Subnets
Add-DnsServerClientSubnet -Name "IP-01" -IPv4Subnet xx.xx.xx.xx/24
Add-DnsServerClientSubnet -Name "IP-02" -IPv4Subnet yy.yy.yy.yy/20
Add-DnsServerClientSubnet -Name "IP-03" -IPv4Subnet zz.zz.zz.zz/22
Add-DnsServerClientSubnet -Name "IP-04" -IPv4Subnet hh.hh.hh.hh/26
Add-DnsServerClientSubnet -Name "IP-ALL" -IPv4Subnet 0.0.0.0/0
(Reference CLI)
#View the Client Subnet: Get-DnsServerClientSubnet
#Remove a Client Subnet: Remove-DnsServerClientSubnet -Name "IP-01"
Create the Scope - Disable Recursion for External DNS Clients
Set-DnsServerRecursionScope -Name . -EnableRecursion $False
Add-DnsServerRecursionScope -Name "IP-01" -EnableRecursion $True
Add-DnsServerRecursionScope -Name "IP-02" -EnableRecursion $True
Add-DnsServerRecursionScope -Name "IP-03" -EnableRecursion $True
Add-DnsServerRecursionScope -Name "IP-04" -EnableRecursion $True
Add-DnsServerRecursionScope -Name "IP-ALL" -EnableRecursion $False
(Reference CLI)
#View the Scope: Get-DnsServerRecursionScope
#Remove a Scope: Remove-DnsServerRecursionScope -Name "IP-01"
#! If you remove all scopes you have to run: Set-DnsServerRecursionScope -Name . -EnableRecursion $True
Create the Policies - DNS2
Add-DnsServerQueryResolutionPolicy -Name "DNS-Policy-01" -Action ALLOW -ApplyOnRecursion -RecursionScope "IP-01" -ServerInterfaceIP "EQ,ii.ii.ii.ii"
Add-DnsServerQueryResolutionPolicy -Name "DNS-Policy-02" -Action ALLOW -ApplyOnRecursion -RecursionScope "IP-02" -ServerInterfaceIP "EQ,ii.ii.ii.ii"
Add-DnsServerQueryResolutionPolicy -Name "DNS-Policy-03" -Action ALLOW -ApplyOnRecursion -RecursionScope "IP-03" -ServerInterfaceIP "EQ,ii.ii.ii.ii"
Add-DnsServerQueryResolutionPolicy -Name "DNS-Policy-04" -Action ALLOW -ApplyOnRecursion -RecursionScope "IP-04" -ServerInterfaceIP "EQ,ii.ii.ii.ii"
Add-DnsServerQueryResolutionPolicy -Name "StopForward" -Action IGNORE -ClientSubnet "EQ,IP-ALL" -PassThru | Format-List *
(Reference CLI)
#View the Server Policy: Get-DnsServerQueryResolutionPolicy
#Remove a Server Policy: Remove-DnsServerQueryResolutionPolicy -Name "DNS-Policy-01"
The result of these commands is this policy order:
Get-DnsServerQueryResolutionPolicy
Name            ProcessingOrder  IsEnabled  Action
StopForward     1                True       Ignore
DNS-Policy-01   1                True       Allow
DNS-Policy-02   2                True       Allow
DNS-Policy-03   3                True       Allow
DNS-Policy-04   4                True       Allow
Right now there are 2 problems:
Based on the processing order, the DNS server should not process ANY request, because StopForward refers to the subnet defining ALL IPv4 space .... but the DNS works with no problems !!!
I tried to find a CLI for setting processing order 5 for the StopForward rule, but I was not able to find how.
Please advise how I can achieve:
Allowing internal clients to use DNS as normal (and at the same time....)
Requests coming from the internet to be resolved ONLY if they ask about resources (zones) already on the server, and TRULY DISABLE recursion for these external requests.
It is possible that DNS Policy does not yet have a strong notion of hierarchy like a firewall, but if there is someone who can help me, please do.
More info:
In front of the DNS servers I have a firewall, and I set up a rule with DNS Filter with Static Domain with the purpose of allowing only DNS requests about those domains to reach the server .. but .. guess what .. this is not working either 🙂 I already created a ticket with them about the DNS Filtering issue 🙂
I even created a similar ticket on the Microsoft website but ... no one viewed it .. no one answered .. probably because no one cares.
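An added example, not the poster's commands: the same recursion-control design (default scope with recursion off, one scope with recursion on) but keyed on the client subnet instead of the server interface IP. On a single-NIC server every query, internal or external, arrives on the same interface IP, so a ServerInterfaceIP criterion cannot tell the two apart; the subnet prefixes and scope names below are placeholders.

```powershell
# Added example (not the original post's commands). Recursion is granted by
# CLIENT subnet; anything not matched falls into the default scope, where
# recursion is off, so external clients only get answers for zones hosted here.

# 1. Name the internal client ranges (placeholders: replace with real prefixes).
Add-DnsServerClientSubnet -Name "IP-01" -IPv4Subnet "xx.xx.xx.xx/24"
Add-DnsServerClientSubnet -Name "IP-02" -IPv4Subnet "yy.yy.yy.yy/20"
Add-DnsServerClientSubnet -Name "IP-03" -IPv4Subnet "zz.zz.zz.zz/22"
Add-DnsServerClientSubnet -Name "IP-04" -IPv4Subnet "hh.hh.hh.hh/26"
# No 0.0.0.0/0 "catch-all" subnet and no IGNORE policy are needed for this:
# an unmatched client is simply served from the default (non-recursive) scope.

# 2. Default recursion scope: recursion OFF for everyone not matched by a policy.
Set-DnsServerRecursionScope -Name . -EnableRecursion $false

# 3. One scope with recursion ON, for internal clients only.
Add-DnsServerRecursionScope -Name "InternalClients" -EnableRecursion $true

# 4. A single recursion policy mapping the internal subnets to that scope.
#    Criterion = client subnet (the values are OR-ed), not the interface hit.
Add-DnsServerQueryResolutionPolicy -Name "InternalRecursion" -Action ALLOW `
    -ApplyOnRecursion -RecursionScope "InternalClients" `
    -ClientSubnet "EQ,IP-01,IP-02,IP-03,IP-04"

# 5. Optional: response rate limiting blunts reflection/amplification traffic
#    that the server still answers authoritatively for hosted zones.
Set-DnsServerResponseRateLimiting -Mode Enable -Force

# 6. Verify. Expect one recursion policy and recursion disabled on scope ".".
Get-DnsServerQueryResolutionPolicy | Format-Table Name, ProcessingOrder, IsEnabled, Action
Get-DnsServerRecursionScope

# If a non-recursion policy such as "StopForward" is kept anyway, its position
# is changed with:  Set-DnsServerQueryResolutionPolicy -Name "StopForward" -ProcessingOrder 5
# Recursion (-ApplyOnRecursion) and non-recursion policies are numbered
# independently, which is why the listing above showed two policies at order 1.
```

After applying this, a query from an internal subnet for an external name should still resolve, while the same query from an outside address should return no answer, and a name in a zone hosted on the server should resolve from anywhere.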
1 Reply
- Xperiens (Copper Contributor)
Finally, I solved the problem at the firewall level by setting up the DNS Filter correctly with a Static Domains List and with a command line that teaches the firewall to provide NO ANSWER if the request is for domains other than the Static Domain List. The default value of the command line was "Redirect", which means the firewall resolves the query itself by doing an nslookup on its own behalf, rather than providing the actual reply from the DNS server. Now when external users perform, for example, nslookup http://www.microsoft.com, they get an error in return, and only locally hosted domains are resolved.
I still have no solution for this particular case with Microsoft DNS Policy. Maybe some day Microsoft DNS Policy will grow up and become a "MAN" 🙂