Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
crispy
New Contributor

IPS Rule to detect and block DNS Recursion

Hi,

 

 Thought I would share this with the community. I ended up writing a IPS rule to detect others trying to use our Windows DNS Servers as open resolvers and causing a DDoS against others DNS servers. The rule I wrote detects more than 5 recursive queries per minute and then quarantines the src IP address for a period of time. Hopefully someone else might also find this useful, or be able to adapt it further.

 

Rather than repost everything again, the link to the article is here http://cwispy.com/ips-rule-to-block-dns-recursion/

http://www.2000cn.com.au
2 REPLIES 2
ede_pfau
SuperUser
SuperUser

hi,

 

thanks for posting your custom IPS rule, sadly there are not many published on the forums.

What bites me it that if you have a FGT in front of your Windows DNS, why don't you control access (or block it altogether) from WAN to it via the policy? I guess it still is an open resolver...

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
crispy

Hi,

 

 We can not deny access to the servers entirely as they are authorative servers for some domain names. What we need to do is implement a couple of resolvers for the Windows network and then turn off recursion on the authoritative servers which will fix the issue. But until then, this solution has been working very well.

 

crispy

http://www.2000cn.com.au
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors