Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ManoelMartins
Staff
Staff

Created on ‎02-29-2024 08:54 AM

Article Id 302180

Technical Tip: Protect internal DNS from external DNS attack

Description

This article describes a way to block external DNS queries to an internal DNS server when it is exposed to the internet.
Scope

 FortiGate.
Solution

The following setup is used in this example:

 

FortiGate interfaces:

Port2 (WAN) - 192.168.1.0/24

Port3 (DMZ) - 192.168.20.0/24

Port4 (LAN) - 192.168.16.0/24

DNS: 192.168.20.10

Authoritative for domain1.local (accessible from inside and outside queries)

Recursive for internal network (only for inside queries)

 

Topology:

 

Diagram.png

 

 

For this solution, the following policies are in place for traffic:

  • DMZ to internet: For this specific demand, it is possible to have a policy to allow only the DNS traffic (UDP 53) which permits the Recursive DNS to forward the queries to the forwarder.
  • LAN to DNS: Permit internal DNS queries to a DNS Server with UDP port 53.
  • LAN to internet: If users are not allowed to use another DNS Server for the stations, allow only the protocols needed, such as HTTP, HTTPS, and FTP. Exclude the DNS on the Service list.
  • WAN to DMZ (DNS): This is where the DNS filter should be set up to allow only the DNS queries for the local domain where the DNS server is the authoritaty.

 

Configuration:

 

The WAN to DMZ policy:

 

  1. DNS Server address (192.168.20.10).
  2. Service (DNS, UDP port 53).
  3. DNS Filter.
  4. There is no need for inspection in this case.

Policy wan-dmz.jpg

 

config firewall policy

edit 4

set name "WAN-DMZ"
set uuid f3da170a-d68a-51ee-1539-7e8a1ff086a3
set srcintf "port2"
set dstintf "port3"
set action accept
set srcaddr "all"
set dstaddr "sub_192.168.20.0"
set schedule "always"
set service "DNS"
set utm-status enable
set dnsfilter-profile "Block-attack"
set logtraffic all

next

end

 

The DNS Filter:

 

  1. Enable this option to cover more kinds of attacks (DDNS).
  2. Change all Actions to 'Redirect to Block Portal'.
  3. Allow only the Authoritative domain.

Here, take the most important action to break DNS attacks: create an wildcard *.* with the option to 'Redirect to Block Portal'. Here, there is an option that is not shown in the GUI that must be changed. See below:

 

DNS Filter.jpg

 

The code:

 

config dnsfilter profile

edit "Block-attack"

config domain-filter

set domain-filter-table 1

end

config ftgd-dns

config filters

edit 1

set category 1
set action block
...

edit 91

set action block

next

end

end

set block-action block-sevrfail <- It is critical to change this.
set block-botnet enable

next

end

 

If the block-action is not changed from 'redirect' to 'block-servfail', the attacker will receive the answer from the FortiGate (the IP of the Fortinet SDNS portal), and will continue the attack. But if this action is changed to block-servfail, the attacker will receive an error and will likely stop due to understanding that no DNS server will respond.

 

Conclusion

 

This is one method to prevent this type of attack. It is recommended to use it in combination with other methods and strategies.
Labels:
1645
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.