
Safe DNS Project

Status
Not open for further replies.

Solaris17

Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
21,706 (3.96/day)
Location
Florida
System Name Venslar
Processor I9 7980XE
Motherboard MSI x299 Tomahawk Arctic
Cooling EK Custom
Memory 32GB Corsair DDR4 3000mhz
Video Card(s) Nvidia Titan RTX
Storage 1x 250GB 960 EVO | 1x 500gb Intel 720p | 32TB SAN
Display(s) 3x AOC Q2577PWQ (2k IPS)
Case Inwin 303 White (Thermaltake Ring 120mm Purple accent)
Audio Device(s) Schiit Fulla 3 on Beyerdynamic DT 990 Pros
Power Supply Seasonic 1050W Snow
Mouse Roccat Kone Aimo White
Keyboard Ducky Shine 6 Snow White
Software Windows 10 x64 Pro
Hey everyone! I am running a usability experiment to see how naive it might be to provide everyday users the ability to browse the internet in a safer manner.

To accomplish this I am running a public DNS server that is running Pi-Hole with extended definitions.

This experiment ties in directly with the guide I'm currently writing here:

https://www.techpowerup.com/forums/threads/guide-global-network-dns-blacklisting-pi-hole.233545/

To do this, I am hosting a small virtual server on Digital Ocean. I am using my own funds to give it a shot.

The Pi-Hole software is free and currently we are here with functionality.



I run some extra definition lists on the Pi, which caches and remembers its DNS requests. Whenever the Pi doesn't know something, I take this a step further: the forward addresses point to OpenDNS family-safe servers, which according to OpenDNS block the following:

What does FamilyShield Block?

The service blocks pornographic content, including our “Pornography,” “Tasteless,” and “Sexuality” categories, in addition to proxies and anonymizers (which can render filtering useless). It also blocks phishing and some malware.
The goal of this is simple.

  • Can I or another organization or entity use free products to provide a safer internet to users without charging them a ludicrous amount of money?
  • How effective is it?
  • Can it be done at a low or no cost?
To answer these questions I would like to invite feedback on the project if you decide to join. I am looking for the following.

  • Response time ok
  • false positives
  • does this inhibit your browsing habits within reason?
Here are some examples of what this blocks.

  • Telemetry
  • malware domains
  • ad domains
  • pornographic and other non-PG domains
DNS in itself isn't a perfect system, but I would REALLY like to understand how feasible a project like this could be. If you would like to join, the DNS server IP in question is this.

45.55.35.57

(I currently only route IPV4)
I DO NOT keep any private or identifying information.
 

Kursah

Super Moderator
Staff member
Joined
Oct 15, 2006
Messages
13,177 (2.61/day)
Location
Missoula, MT, USA
System Name Kursah's Gaming Rig 2018 - Ryzen+ Edition | SpartanCore | SpartanCore2
Processor R7 2700X @ Stock (3.7/4.35) w/PBO+XFR2 | i7 3770 3.4/3.9 Stock | i7 4770 3.4/3.9 Stock
Motherboard Asus ROG Strix X370-F Gaming | Intel DQ77MK | SuperMicro X10SLQ
Cooling Noctua NH-U14S Push-Pull + NT-H1 | Stock Intel Cooler + AC MX4 | Stock Intel Cooler + AC MX4
Memory 16GB (2x8) G.Skill DDR4-3200 | 16GB (4x4) Samsung DDR3-1600 | 32GB (4x8) Mushkin Stealth DDR3-1600
Video Card(s) MSI GTX980 Ti Gaming 6G LE @ Stock | Onboard Intel HD 4000 | Onboard Intel HD 4600
Storage SSD 250GB + 960GB, 1x2TB | 120GB SSD, RAID10 6x2TB (6TB) | 120GB SSD, RAID10 6x3TB (9TB)
Display(s) Samsung 32" TV IPS 1080p, Dell 23" U2312HM IPS 1080p | 19" Dell on KVM..mostly headless operation.
Case Corsair 600C - Stock Fans on Low | Lian Li Lancool PC-K7 - Cougar fans | Modified Lenovo TS430 Case
Audio Device(s) Aune T1 mk1 > AKG K553 Pro + HiFiMAN HE-350 (Equalizer APO + PeaceUI) | Not in use
Power Supply EVGA 750G2 Modular + APC Back-UPS Pro 1500 | EVGA KR500 80+ Bronze (Both) + APC Smart-UPS 1500
Mouse Logitech G502 | Dell USB Laser Mouse (KVM)
Keyboard Logitech G15 rv2 | Dell USB Keyboard (KVM)
Software Windows 10 Pro x64 | Windows Server 2012 R2 (Hyper-V) | Windows Server 2016 (Hyper-V)
I'll have to check it out. Thanks for taking the effort to do this. DNS hosting can get complex and I'm curious to see how well your VM holds up. I think forwarding non-authoritative queries to OpenDNS is also a solid move...that's what I've been using as my home site's DNS for years now.

Solaris DNS Security Services. Kinda has a good ring to it. :toast:
 

Solaris17

I'll have to check it out. Thanks for taking the effort to do this. DNS hosting can get complex and I'm curious to see how well your VM holds up. I think forwarding non-authoritative queries to OpenDNS is also a solid move...that's what I've been using as my home site's DNS for years now.

Solaris DNS Security Services. Kinda has a good ring to it. :toast:
Thanks! It's definitely going to be a technical challenge for certain. I stand to learn a lot myself, I think, from this exercise.
 

Kursah

I look forward to reading up on your results as well, hopefully this'll be a good lesson in experience and practice. And who knows, you could be the next authoritative DNS filtering service out there if you really get into it. :)
 
Joined
Aug 3, 2016
Messages
77 (0.05/day)
System Name Intel 2nd Build
Processor Intel Core i5-6600K @3.5GHz
Motherboard Gigabyte GA-z170x-UD5 (rev 1.0)
Memory GSkill Ripjaws V (2x8GB)
Video Card(s) MSI GeForce GTX 1080 Gaming 8G 8GB
Storage SSD (250GB) + SSD (500GB) + HDD (1TB)
Case Phanteks Enthoo Pro PH-ES614P
Power Supply EVGA SuperNova 750W 80+ Gold
Software Windows 10 64Bit
Pi-Hole claims to block ads in phone apps as well :eek:
Hmm.. but I do like porn
How can anyone make these kinds of decisions with confidence.

I took a look at your other thread, is it finished? It seems to end abruptly.
 

Solaris17

This experiment ties in directly with the guide I'm currently writing here:
Pi-Hole claims to block ads in phone apps as well :eek:
Hmm.. but I do like porn
How can anyone make these kinds of decisions with confidence.

I took a look at your other thread, is it finished? It seems to end abruptly.
Not yet, soon! Lots of data to cover.

How can anyone make these kinds of decisions with confidence.
How do you mean?
 
Joined
Jul 16, 2014
Messages
3,729 (1.68/day)
Location
SE Michigan
System Name Dumbass
Processor AMD-9370BE @4.6
Motherboard ASUS SABERTOOTH 990FX R2.0 +SB950
Cooling CM Nepton 280L
Memory G.Skill Sniper 16gb DDR3 2400
Video Card(s) GreenTeam 1080 Gaming X 8GB
Storage C:\SSD (240GB), D:\Seagate (2TB), E:\Western Digital (1TB)
Display(s) 1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s) onboard (realtek?) SPKRS:Logitech Z623 200w 2.1
Power Supply Corsair HX1000i
Mouse Logitech G700s
Keyboard Logitech G910 Orion Spark
Software windows 10
Benchmark Scores https://i.imgur.com/aoz3vWY.jpg?2
Will this be for a browser add-on or standalone?
 

Solaris17

Will this be for a browser add-on or standalone?
This is just a DNS server. This is not like extensions and add-ons; I will be going more into this in the guide I'm writing. They function in the same basic way, but add-ons can sometimes modify webpages so you can't "see" where an ad would be. DNS servers cannot do this.
 
Joined
Jul 16, 2014
This is just a DNS server. This is not like extensions and add-ons; I will be going more into this in the guide I'm writing. They function in the same basic way, but add-ons can sometimes modify webpages so you can't "see" where an ad would be. DNS servers cannot do this.
OK so how about using this project so we can add it here instead:

 

Solaris17

Joined
Oct 17, 2012
Messages
9,228 (3.23/day)
Location
Massachusetts
System Name Americas cure is the death of Social Justice & Political Correctness
Processor i5 8600k
Motherboard Asrock Z370 Extreme 4
Cooling Corsair H-110i GTX
Memory 2x 4Gb Crucial Sport LT
Video Card(s) MSI GTX 980 Gaming
Storage Samsung 850 evo 250Gb
Display(s) Dell Ultra Sharp Widescreen 24" 1200P
Case Fractal Design Meshify-C
Power Supply Seasonic Focus+ 750 Gold
Mouse Logitech G502 spectrum
Keyboard AZIO MGK-1 RGB (Kaith Blue)
Software Win 10 Professional 64 bit

Kursah

You could add it to your NIC in Windows, to your Router's DNS, to your DHCP server (server or router) to hand out to devices.

What I would recommend is using OpenDNS or GoogleDNS as a secondary DNS server just to make sure DNS is resolving should a failure or outage from adjustment occur. I imagine Sol will do his best to maintain maximum uptime though.

For those not entirely familiar with what DNS is, check out the video below.


Simply put, DNS is the yellow pages of the Internet: it takes an IP address, puts an A-Record on it (www.google.com), and when you type that in your browser, you see Google.com, but you're taken to the IP address that is resolved from the DNS server you got the information from. There's A LOT more depth to it, but on the face of it, not all that complex with the simple execution of DNS.

So when you use a service like Solaris DNS or OpenDNS, you're getting DNS services just like your ISP provides, or Google, or even your router/server for your LAN. But the exception here is that filtered DNS services block entries and requests that are known to be bad, malicious or containing certain content that has been chosen to be filtered, instead redirecting you to a page that explains the situation of that site not being permitted to be accessed. This can be huge for home and business security and is a great mitigation to localized security deployments and web filters.

DNS won't block everything and isn't actively modifying itself, it is very much managed in record keeping, like a rolodex or directory. Every address has a record that tells a computer where that address is supposed to point. So if someone wants to make Warez.com go to a DNS Site Blocked page instead of its actual page, they simply update the record. If you're using their DNS server, you get the blocked page. If you use ISP DNS services, you can get to that page properly and potentially infect your PC or worse.

DNS management can be a lot of busy work depending on how it is managed, and it should be busy work if properly managed because there's too much happening and changing to have nothing to do IMHO. So Sol could be quite busy with this, I'll have to look further into his deployment methods and see how he is managing DNS records and updates. Regardless, we need more services like this out there and I appreciate a fellow TPU-er testing and offering such a service for all of us to test and use.

I'm sure Sol can do a better job of explaining this project in a nutshell, I just felt inclined to donate my 2 cents to make sure folks have an opportunity to better understand what the point is here. :)
 
Joined
Oct 17, 2012
What I would recommend is using OpenDNS or GoogleDNS as a secondary DNS
Yeah, I use that currently, but I was thinking that Solaris was looking for "testers" & I'd gladly lend a hand to that end if it is what was being asked :toast:
 

Solaris17

So this would just be added to my DNS list in my Asus router firmware? Then id be using your server?
Yup, that's it! Or you can do so in Windows by going to your network settings. Remember this is an experiment! If you run into any odd issues let me know!

I imagine Sol will do his best to maintain maximum uptime though.
You bet but better safe than sorry of course!
 

Solaris17



So far going well. Performance is great and the box isn't loaded at all. She does between 50-60k DNS requests a day with the people onboard.

Notable mentions. A few servers are running it in a business setting. It's going well.

Other mentions. Shame on MS. Some of the telemetry domains tie in with things like Windows updates. Don't want pop-up ads in apps? No problem. But you also can't have updates.
 

Solaris17

Fighting my first DDoS DNS amplification attack.

In the wee hours of the morning last night I was logging into my sister server that I also run the same project on. This server specifically is more than just a few numbers. This one has an actual domain name attached to it.

Upon logging in I discovered this.


Excited it was getting some use I glanced over at the users. Several domains and IPs were showing up. However something caught me off guard. The queries blocked had not changed much which is odd of DNS queries of this magnitude. The graph also took a different turn skyrocketing in what appeared to be minutes.

I decided to dig in to the query logs and found that these "users" were making thousands of queries a minute to a domain called leth.cc. After a quick visit it appeared to be innocent enough; however, it also didn't seem popular enough to warrant the connections.

I decided to take a further look and ran a search on the domain. Someone else had also noted that they were getting thousands of DNS queries to the same domain. My first thought was that this might be some kind of gaming network. Possibly some kind of multiplayer card game or something. This still struck me as odd since they would certainly have their own infrastructure and would not rely on a 3rd-party DNS server like my own to support them. Looking into them further revealed they were nothing of the sort.

At this point I was looking at numbers around 1 million. Then something occurred to me. This wasn't an oddity or a lucky send-off for what could be a successful DNS service built from my desk. This was a reflection attack and I was sending thousands of unsolicited DNS queries to some random website.

Having already been in the middle of my company's maintenance window and working on company infrastructure, on top of being exhausted, I decided to do the only thing I had the energy left to do. I blocked the URL, preventing the requests from reaching the host. While I was probably one of hundreds or thousands of open DNS servers targeting this poor company's website, I certainly wasn't going to let that statistic continue. My server wasn't breathing too heavy even with these numbers and legit queries weren't slowed; I blacklisted the site and started off to bed. My ending numbers looked like this.



In the morning the company is open for a few hours so I have a small window in which I don't need to worry about my infrastructure. I decided to take a look at the DNS server to see what the damage was.

I don't have pictures but the attack had continued overnight. From around 1:30AM EST to 8:30AM EST I had generated more than 5.3 million blocked queries, 99% of them being this one domain.

By this time things had started to get bad. The system was still very much responsive, but disk I/O was high, causing all lookups to take an abnormally long time, almost a full second. This meant the browsing experience was slow since the cached lookups were having a hard time responding. The amount of queries coming in per second was causing expiration times to not matter. They were being added faster than they were being purged.

At this point in time I had a choice. My upstream provider had not caught this and as such it was not being filtered. I had blocked forwards to that specific domain so I was no longer contributing to whatever attack they may be under. However my own services were starting to suffer because of the attack.

A few things sprung to mind. This isn't MY particular area of security and as such I'm pretty inexperienced in the more advanced protections for DNS. Specifically provider level. The things that came to mind were:

  • Disable IPV6 traversing on this server since thousands of requests were coming from IPV6 clients.
  • Limit my EDNS packets to 512 bytes (They normally carry LARGE data sets)
  • Limit my query times per requestor
  • Block ANY requests via DNS
  • IDS/IPS blacklist hosts
All of this would help mitigate the issue however some of it was too deep for me to jump into right away given this service is currently providing for a few key test clients.

To temporarily fix this I had to change its nature from a free/open DNS service to a private service.

To do this I had to deny all port 53 (DNS) access on my firewall and instead get the specific IPs (thankfully static) of my clients and whitelist those as being able TO access port 53.

This worked immediately and queries dropped. However I now need to go into how to properly secure the server from being abused since I already make sure the clients are safe.

The internet is a scary place when you look at the logs. Maybe it was providing a domain name to the server itself that made it so easily found by bots?

THIS DID NOT AFFECT THE SERVER DISPLAYED ABOVE
 
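An added example, not code from the thread or from Pi-hole: a Python script that reads dnsmasq-style Pi-hole query log lines and flags the pattern the post above describes, a handful of sources sending ANY queries for one name at a rate no real client sustains, so that the sources to rate-limit or firewall and the name whose forwarding to stop both fall out of the log. The log lines, source addresses and thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# One dnsmasq (Pi-hole) query-log line looks like this (constructed sample):
#   Jan 12 01:31:04 dnsmasq[812]: query[ANY] leth.cc from 203.0.113.7
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)


def parse_line(line):
    """Return (timestamp, qtype, name, client), or None for non-query lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year is irrelevant here
    return ts, m["qtype"], m["name"].lower(), m["client"]


def analyse(lines, max_qps_per_client=2.0, target_share=0.8, min_clients=3):
    """Flag resolver abuse: hot sources, ANY senders, one name dominating (thresholds are assumptions)."""
    per_client, any_by_client, per_name = Counter(), Counter(), Counter()
    clients_by_name = defaultdict(set)
    first = last = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # forwarded/cached/reply lines are not queries
        ts, qtype, name, client = rec
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
        per_client[client] += 1
        per_name[name] += 1
        clients_by_name[name].add(client)
        if qtype == "ANY":  # the classic amplification query type
            any_by_client[client] += 1
    total = sum(per_client.values())
    if total == 0:
        return {"total": 0, "span_s": 0.0, "hot_clients": [],
                "any_clients": [], "targets": []}
    span = max((last - first).total_seconds(), 1.0)
    return {
        "total": total,
        "span_s": span,
        "hot_clients": sorted(c for c, n in per_client.items()
                              if n / span > max_qps_per_client),
        "any_clients": sorted(any_by_client),
        # a name taking most of the traffic from several sources: the victim
        "targets": sorted(n for n, cnt in per_name.items()
                          if cnt / total >= target_share
                          and len(clients_by_name[n]) >= min_clients),
    }


def constructed_log():
    """Constructed sample: a little normal traffic, then a reflection burst."""
    normal = [
        "Jan 12 01:30:00 dnsmasq[812]: query[A] www.techpowerup.com from 198.51.100.10",
        "Jan 12 01:30:03 dnsmasq[812]: query[AAAA] www.techpowerup.com from 198.51.100.10",
        "Jan 12 01:30:20 dnsmasq[812]: query[A] pi.hole from 198.51.100.11",
        "Jan 12 01:30:55 dnsmasq[812]: cached pi.hole is 127.0.0.1",  # not a query
    ]
    # 20 ANY queries per second for 30 s from three documentation-range
    # source addresses (one IPv6), all asking for the same name.
    sources = ["203.0.113.7", "2001:db8::1", "203.0.113.9"]
    burst = [
        f"Jan 12 01:30:{30 + i // 20:02d} dnsmasq[812]: query[ANY] leth.cc "
        f"from {sources[i % 3]}"
        for i in range(600)
    ]
    return normal + burst


if __name__ == "__main__":
    report = analyse(constructed_log())
    print("rate-limit/firewall candidates:", report["hot_clients"])
    print("reflection target, stop forwarding:", report["targets"])
```

The hot-client list is what feeds the per-requestor rate limit and the port 53 allowlist the post settles on; the target list is what the blacklist entry covered.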
Joined
Jul 16, 2014
A few things sprung to mind. This isn't MY particular area of security and as such I'm pretty inexperienced in the more advanced protections for DNS. Specifically provider level. The things that came to mind were:

  • Disable IPV6 traversing on this server since thousands of requests were coming from IPV6 clients.
  • Limit my EDNS packets to 512 bytes (They normally carry LARGE data sets)
  • Limit my query times per requestor
  • Block ANY requests via DNS
  • IDS/IPS blacklist hosts
AFAIK, which really ain't much here, if you can block duplicate requests, before the "ANY", per [*insert* time frame], that may help reduce a few numbers without being too limiting. If you can trace the source of requests, I don't see why you can't add specific IPs to your blacklisting, even if temporary.
 

Solaris17

Its been a few months and I got some of the data I need. For now I am going to shut this project down. Thanks to all who participated!
 