LF_BIND not blocking DNS UDP 53 traffic
Junior Member (Posts: 2, Joined: 14 Oct 2014, 20:05)

When configuring LF_BIND for detection of repeated BIND denied requests, LFD detects and temporarily blocks TCP port 53 for the offending IP address but leaves UDP port 53 open for the attacks to continue. This can be verified by examining the temporary block list and the active iptables rules.
Example:
1 0 0 DROP tcp -- !lo * 192.221.138.116 0.0.0.0/0 tcp dpt:53
Eventually the IP reaches the LF_PERMBLOCK_COUNT and all traffic is dropped for the offending IP, but this should have been done sooner using temporary blocks.
Per specs, DNS uses both TCP and UDP port 53 to respond to queries.
From all of my testing this appears to be a bug, and I am unable to find a way to configure LFD to block UDP port 53 as well for DNS, so I am reporting this as such.

Re: LF_BIND not blocking DNS UDP 53 traffic
Moderator (Posts: 1524, Joined: 01 Oct 2008, 09:24)
We'll implement a fix for this in the next release. The only way around the problem until then would be to disable per port blocking (LF_SELECT).
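An added example, not csf/lfd code and not written by either poster, of the check the first post describes: examining the active iptables rules for an offending IP to see whether DNS is blocked on TCP only, on both protocols, or entirely. The sample rules are constructed, modelled on the single `tcp dpt:53` rule quoted in the first post (the 203.0.113.7, 198.51.100.9 and 192.0.2.1 addresses are documentation-range placeholders); a `full` result is what per-port blocking being off (the LF_SELECT workaround in the reply above) is expected to produce, so the same check confirms that workaround.

```shell
#!/bin/sh
# Added example (not csf/lfd code): classify the block an IP has in the
# output of `iptables -L -n -v --line-numbers`, whose columns are
# num pkts bytes target prot opt in out source destination [extra].

# Constructed sample, modelled on the rule quoted in the post. Only the
# first line is from the post; the others are hypothetical.
SAMPLE_RULES='1 0 0 DROP tcp -- !lo * 192.221.138.116 0.0.0.0/0 tcp dpt:53
2 0 0 DROP udp -- !lo * 203.0.113.7 0.0.0.0/0 udp dpt:53
3 0 0 DROP tcp -- !lo * 203.0.113.7 0.0.0.0/0 tcp dpt:53
4 0 0 DROP all -- !lo * 198.51.100.9 0.0.0.0/0'

# dns_block_status IP [RULES]
# Prints one of: full | both | tcp-only | udp-only | none
dns_block_status() {
    ip="$1"
    rules="${2:-$SAMPLE_RULES}"
    printf '%s\n' "$rules" | awk -v ip="$ip" '
        # Consider only DROP rules whose source column is exactly this IP.
        $4 == "DROP" && $9 == ip {
            if ($5 == "all" && $0 !~ /dpt:/) full = 1
            else if ($5 == "tcp" && $0 ~ /tcp dpt:53/) tcp = 1
            else if ($5 == "udp" && $0 ~ /udp dpt:53/) udp = 1
        }
        END {
            if (full)            print "full"
            else if (tcp && udp) print "both"
            else if (tcp)        print "tcp-only"
            else if (udp)        print "udp-only"
            else                 print "none"
        }'
}

# dns_udp_open IP [RULES]
# Succeeds (exit 0) when UDP/53 from IP is still reachable, i.e. the
# block is TCP-only or absent: the situation the post reports.
dns_udp_open() {
    case "$(dns_block_status "$1" "${2:-$SAMPLE_RULES}")" in
        tcp-only|none) return 0 ;;
        *)             return 1 ;;
    esac
}

# Stand-alone run over the constructed sample.
for ip in 192.221.138.116 203.0.113.7 198.51.100.9 192.0.2.1; do
    printf '%-16s %s\n' "$ip" "$(dns_block_status "$ip")"
done
```

Against a live system, pass the real rule listing as the second argument, e.g. `dns_block_status 192.221.138.116 "$(iptables -L -n -v --line-numbers)"`; `tcp-only` is the bug the post describes, `both` is the per-port fix, and `full` is what you should see once per-port blocking is disabled.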

Re: LF_BIND not blocking DNS UDP 53 traffic
Moderator (Posts: 1524, Joined: 01 Oct 2008, 09:24)
This should now be addressed in csf v7.55:
http://blog.configserver.com/