Hi,
Thought I would share this with the community. I ended up writing an IPS rule to detect others trying to use our Windows DNS Servers as open resolvers and causing a DDoS against others' DNS servers. The rule I wrote detects more than 5 recursive queries per minute and then quarantines the src IP address for a period of time. Hopefully someone else might also find this useful, or be able to adapt it further.
Rather than repost everything again, the link to the article is here http://cwispy.com/ips-rule-to-block-dns-recursion/
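As an added illustration of the rate-based detection described in the post (this is not the author's IPS rule, which lives in the linked article), here is a small Python model: it reads the RD bit from the DNS header, ignores queries for zones the server is authoritative for, counts the remaining recursive queries per source IP over a sliding one-minute window, and quarantines the source once the count exceeds 5. The zone list, the quarantine length and the `build_query` helper are assumptions made for the example.

```python
import struct
from collections import defaultdict, deque

AUTHORITATIVE_ZONES = ("example.com.",)        # placeholder; the post does not name the real zones
THRESHOLD, WINDOW, QUARANTINE = 5, 60.0, 600.0  # ">5 per minute" from the post; quarantine length assumed

def parse_query(packet: bytes):
    """Return (recursion_desired, qname) for a DNS query, or None if it is not a well-formed query."""
    if len(packet) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount < 1:          # QR bit set: a response, not a query
        return None
    labels, pos = [], 12
    while pos < len(packet) and packet[pos]:
        n = packet[pos]
        if n & 0xC0:                           # compression pointers never start a question name
            return None
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii", "replace").lower())
        pos += 1 + n
    # A missing terminating zero label means the packet is truncated
    return None if pos >= len(packet) else (bool(flags & 0x0100), ".".join(labels) + ".")

def is_abusive(rd: bool, qname: str) -> bool:  # RD set for a name outside our zones = open-resolver use
    return rd and not any(qname == z or qname.endswith("." + z) for z in AUTHORITATIVE_ZONES)

class RecursionRateLimiter:
    def __init__(self):
        self.hits, self.quarantined = defaultdict(deque), {}  # ip -> hit times; ip -> release time

    def observe(self, src_ip: str, packet: bytes, now: float) -> str:
        """Return 'quarantined', 'blocked' (threshold just crossed) or 'allowed'."""
        if self.quarantined.get(src_ip, 0.0) > now:
            return "quarantined"
        parsed = parse_query(packet)
        if parsed is None or not is_abusive(*parsed):
            return "allowed"
        q = self.hits[src_ip]
        q.append(now)
        while now - q[0] > WINDOW:             # slide the one-minute window
            q.popleft()
        if len(q) > THRESHOLD:
            self.quarantined[src_ip] = now + QUARANTINE
            q.clear()
            return "blocked"
        return "allowed"

def build_query(name: str, rd: bool = True) -> bytes:  # constructed sample: a minimal A query
    header = struct.pack("!HHHHHH", 0x1234, 0x0100 if rd else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)
```

Stub resolvers set RD on almost every query, so counting RD alone would also flag legitimate lookups of the zones you host; the zone exclusion is what keeps the authoritative traffic out of the count.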
Hi,
thanks for posting your custom IPS rule, sadly there are not many published on the forums.
What bites me is that if you have a FGT in front of your Windows DNS, why don't you control access (or block it altogether) from WAN to it via the policy? I guess it still is an open resolver...
Hi,
We cannot deny access to the servers entirely as they are authoritative servers for some domain names. What we need to do is implement a couple of resolvers for the Windows network and then turn off recursion on the authoritative servers, which will fix the issue. But until then, this solution has been working very well.
crispy