
    Limiting/Monitoring the number of DNS queries

    Traffic Shaping
    • Harvy66

      Maybe you can pick up a wifi signal and have Unbound use the wifi for connection to the root DNS servers. It would be relatively low bandwidth. Set your caching to a very large number to reduce the load. Just a random idea.

      Or just let the DNS get blocked, then tell the students to complain when "the internet breaks". It's not your fault they block outside DNS access, then aggressively limit the number of queries. I don't know about your Uni, but I worked for IT at mine, and if someone made a change that interfered with the students' ability to study or do homework, that's grounds for firing.

      • kejianshi

        This is just me, but to make the internet zoom, I'd probably run all the http traffic through squid, run a private caching DNS server and whatever else might improve network performance.  With lots and lots of students online all those packages that make little or no difference to a home user might actually speed things up quite a bit for your network.

        • jkristof94

          Hi kejianshi!

          The caching DNS is a good idea, but the problem is, we need to be rock-solid that we do not make more than a certain number of queries in a specified amount of time. Many of us here are IT students, some of them like to experiment sometimes. Problem is, if we get on the main DNS of our network, and someone launches a DDOS attack, I will partially be responsible for letting it happen. I know that this is all theory, but they asked us to limit the queries, and we will be free from this penalty DNS. After and only after that happens, I can implement all kinds of things to improve performance. Anyway, thank you for your response. So far I am able to log the number of requests. Problem is, pfSense uses clog for this, and it cannot be tweaked for setting file size and things like that. The command I use to count the number of requests is

          grep -E '192\.168\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,5} > 192\.168\.2\.1\.53' filter.log | sort -k6 | cut -c 1-42 | uniq -c -s 20 | sort -k1 -n

          This shows the request by IP in order.

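The per-client counting that the grep pipeline in the post above performs, as an added example in Python that is not from the thread or from pfSense. It parses log lines shaped like the tcpdump-style pf entries the grep matches ("src.port > dst.53"), buckets queries to the resolver by client and one-minute window, and lists clients above a threshold. The log lines are constructed for the example; the resolver address 192.168.2.1 comes from the post, and the threshold of 3 per minute is an arbitrary assumption.

```python
"""Count DNS queries per client and minute from pf log lines (added example).

Not code from the thread or from pfSense. Parses lines in the tcpdump-style
shape the grep pipeline matches ("src.port > dst.53: udp") and flags clients
that exceed a per-minute threshold. SAMPLE_LOG is constructed for this
example; only the resolver address 192.168.2.1 is taken from the post.
"""
import re
from collections import defaultdict
from datetime import datetime

RESOLVER = "192.168.2.1"  # pfSense LAN address from the post

# Constructed sample log lines, not captured from a real firewall.
SAMPLE_LOG = """\
Mar  3 10:15:01 pfsense pf: rule 5/0(match): pass in on em1: 192.168.10.20.51234 > 192.168.2.1.53: udp 34
Mar  3 10:15:02 pfsense pf: rule 5/0(match): pass in on em1: 192.168.10.20.51235 > 192.168.2.1.53: udp 29
Mar  3 10:15:02 pfsense pf: rule 5/0(match): pass in on em1: 192.168.10.21.40001 > 192.168.2.1.53: udp 31
Mar  3 10:15:30 pfsense pf: rule 5/0(match): pass in on em1: 192.168.10.20.51236 > 192.168.2.1.53: udp 34
Mar  3 10:15:59 pfsense pf: rule 5/0(match): pass in on em1: 192.168.10.20.51237 > 192.168.2.1.53: udp 34
Mar  3 10:16:00 pfsense pf: rule 5/0(match): pass in on em1: 192.168.10.20.51238 > 192.168.2.1.53: udp 34
Mar  3 10:16:05 pfsense pf: rule 7/0(match): pass in on em1: 192.168.10.22.44444 > 10.0.0.5.80: tcp 60
Mar  3 10:16:07 pfsense pf: rule 5/0(match): block in on em1: 192.168.10.21.40002 > 8.8.8.8.53: udp 31
"""

# Syslog timestamp, then anywhere on the line: "<src ip>.<port> > <dst ip>.53: udp"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pf: .*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.\d{1,5} > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.53: udp"
)


def count_queries(log_text, resolver=RESOLVER):
    """Return {(client_ip, 'Mon DD HH:MM'): count} for UDP/53 queries to `resolver`."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None or m.group("dst") != resolver:
            continue  # not UDP, not port 53, or sent to some other server
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine for bucketing by minute
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        counts[(m.group("src"), ts.strftime("%b %d %H:%M"))] += 1
    return dict(counts)


def per_client_totals(counts):
    """Collapse the per-minute buckets into one total per client (what the grep prints)."""
    totals = defaultdict(int)
    for (ip, _minute), n in counts.items():
        totals[ip] += n
    return dict(totals)


def clients_over_limit(counts, per_minute):
    """Return sorted (client_ip, minute, count) tuples where count > per_minute."""
    return sorted((ip, minute, n) for (ip, minute), n in counts.items() if n > per_minute)


if __name__ == "__main__":
    counts = count_queries(SAMPLE_LOG)
    for ip, total in sorted(per_client_totals(counts).items(), key=lambda kv: -kv[1]):
        print(f"{total:6d}  {ip}")
    for ip, minute, n in clients_over_limit(counts, per_minute=3):
        print(f"over limit: {ip} sent {n} queries in minute {minute}")
```

The per-minute buckets are what the thread is actually after: a total per client says who is noisy overall, the bucket says whether anyone crossed the agreed rate in a given window. Queries to any server other than the pfSense resolver, and TCP traffic, are deliberately left out so the numbers match what the ISP sees from the forwarder.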
          • kejianshi

            If one of you has a very good and reliable internet elsewhere, like home or office or whatever, you could also make pfsense a client to a vpn there and route ONLY DNS requests to that network.  Otherwise I'm coming up short of ideas how to limit DNS requests.

            • jkristof94

              This is getting very interesting. So far, we are more likely to succeed in routing our DNS traffic through some VPN connection to somewhere, than make pfSense limit the number of queries. This is just wow :D Also, I totally agree with you Harvy66 about the mentality, but I don't know about the wifi.

              • kejianshi

                Notice I didn't say it was impossible or that my way was the best way.  But I do know 100% for sure that it works because ALL my traffic is routed through a remote server and I use that pfsense private IP for DNS.  Personally I think "limiting" DNS queries at all is a terrible idea.  Unless you wish to treat it as a DDOS attack?  In which case I suppose you could put in a firewall rule to rate limit requests on port 53 to your pfsense?  Basically, you would have to figure out what you believe is a legitimate threshold for "abuse" for DNS requests per minute or per second.  Then set up a firewall rule that blocks someone making more than that number of requests per unit time.  I mean that really is what we are talking about doing when you get right down to it.

                • jkristof94

                  Exactly! That is what I would like to do. Limit the number of queries in a certain time bracket. But the question is, how? :)

                  • kejianshi

                    When you create an allow rule on the LAN, you can scroll down towards the bottom of the rule and click advanced.

                    When I do that I see that the limiting features only seem to apply to TCP only.  DNS queries use UDP  )-:

                    It seems like fate wants you to stand up a DNS server…

                    • jkristof94

                      I have also checked it, and yes, it is for TCP only :( No clue why DNS uses UDP though…

                      • Harvy66

                        @jkristof94:

                        Problem is, if we get on the main DNS of our network, and someone launches a DDOS attack, I will partially be responsible for letting it happen.

                        And someone launches a DDOS? That has nothing to do with DNS, other than improperly configured DNS servers and the ISP allowing forged UDP packets. Are you routing packets that aren't part of your subnet? Then fix that. No more DNS DDOS problems.

                        Having access to DNS is only a DDOS vector when the admins on both sides are not doing their jobs. You don't need to break the Internet by rate limiting DNS queries unless your DNS server is so under-powered that it can't handle a client spamming it with lookup requests. At that point, invest in a $25 Raspberry Pi for a DNS caching server.

                        Sorry for being so negative, but DDOS via DNS is not a complicated issue and doesn't require draconian rules. The issue isn't technical, it's political, and I hate those kinds of problems.

                        In other words, get the policy fixed. If possible. I know I've had to escalate issues like these in the past.

                        • jkristof94

                          I do have a Raspberry Pi, but I am not going to use it for this purpose, because this is the ISP's stupid idea, and I am not going to waste my resources to fix his problems. Thing is, the DNS is not underpowered, they just simply say, here is the internet for dirt-money, but we limit you, because we can. Sadly this is what is happening. DDOS in this context is not that DDOS, I just called it like that for easy understanding. It is not happening on purpose, at least not that I know.

                          TL;DR The ISP gives us dirt-cheap Gigabit internet, but we get a DNS limit, because they can do it. However if we limit our number of queries to (and I quote them) a random number, they will put us on a better DNS, with only the limit we set. So that is my problem.

                          For them, I could be Superman and save the Earth, all they would care about at the end of the day is, if we have a limit or not. So… :)

                          • kejianshi

                            Obviously, I agree with Harvy66.  Plus as long as you don't make the DNS server public it should be fairly easy to mitigate a DNS amplification attack.
                            Or if you can just not use their DNS servers at all, you can promise them a limit of "0".

                            I seriously doubt that the ONLY DNS server choice you have is the university.  I'm pretty sure you don't want to use their DNS anyway if they are so draconian with their rules.

                            OpenNIC provides services that are low on peoples radar.  Probably not blocked to you.

                            List of server IPs by country.  (Don't choose whitelisted ones unless you get on their whitelist - maybe a good idea.)

                            http://wiki.opennicproject.org/Tier2

                            Or just click here and see which ones they recommend for you.

                            http://www.opennicproject.org/

                            These can be set as your primary DNS in pfsense.  Test them.  Some also answer on 5353.

                            • cthomas

                              Old thread, but I have a question..

                              I understand that they are limiting DNS requests to their internal DNS Servers, but are they actually blocking DNS requests to the internet?

                              If not, pfSense has DNS caching built-in..

                              a. Point pfSense to external name servers (such as OpenDNS or Google's DNS) and configure pfSense to peel off the DNS queries for the University's dns suffixes and send them to their internal name server(s) using the Domain Override function.
                              b. Only permit tcp/udp:53 to the pfSense Firewall IPs, force everyone behind your firewall to use you for DNS.

                              The net effect should be that a good portion of the every-day requests would simply be cached by pfSense, and you'll be limiting the number of queries headed towards the University's name server(s) by redirecting anything NOT for the University to an outside source.

                              …ct

                              • jkristof94

                                Hi cthomas!

                                First of all, thank you for your constructive post. Point a is sadly not possible, because if I use any other DNS server than theirs, they simply do not forward the requests. On the other hand, I could do the caching locally, but those people out there don't care. They wouldn't even care if we cured cancer. The only thing they do care about if we can limit our maximum number of queries to a specific number under any given circumstances. They are very narrow-minded people sadly :( But thank you again. I learned many things looking for the solution and that is what counts :)

                                • kejianshi

                                  Well - Let's say you are using pfsense 2.2
                                  and let's say you are using unbound
                                  and let's say you put it into forwarder mode and entered your ISP DNS Server IPs into general setup
                                  Then let's assume unbound is caching, because it is…
                                  Now let's assume you make it such that none of your clients can use any DNS except that provided by pfsense.

                                  Now, since pfsense is caching this will greatly reduce number of DNS requests to the ISP server because pfsense is handling all the requests after the 1st one.

                                  If this isn't good enough, your ISP is retarded and I'm sure will be out of business in no time.

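A small model of what cthomas and kejianshi describe above (clients forced to use the pfSense forwarder, which answers repeats from its TTL cache so only the first lookup per name reaches the ISP resolver), with the one thing the ISP is asking for added on top: a hard budget of N upstream queries per time window. This is an added example, not Unbound or pfSense code, and pfSense exposes no such per-window cap in its GUI as far as the thread found; the names, TTLs, query stream, budget and window are constructed, and `UPSTREAM_ANSWERS` stands in for the ISP resolver.

```python
"""Caching forwarder with a per-window upstream query budget (added example).

Not Unbound or pfSense code. Models the effect the thread describes (cache
answers repeats; only cache misses go upstream) plus a fixed cap on upstream
queries per window. When the budget is spent the forwarder fails closed and
returns no answer rather than exceed the cap. All data below is constructed.
"""
from collections import deque

# Constructed stand-in for the ISP resolver: name -> (address, TTL seconds)
UPSTREAM_ANSWERS = {
    "www.example.edu.": ("203.0.113.10", 300),
    "mail.example.edu.": ("203.0.113.25", 60),
    "cdn.example.net.": ("198.51.100.7", 3600),
}


class CachingForwarder:
    def __init__(self, upstream, budget, window):
        self.upstream = upstream  # dict standing in for the ISP resolver
        self.budget = budget      # max upstream queries per window
        self.window = window      # window length in seconds
        self.cache = {}           # name -> (address, expires_at)
        self.sent = deque()       # timestamps of upstream queries still inside the window
        self.stats = {"cache_hit": 0, "upstream": 0, "refused": 0, "nxdomain": 0}

    def _budget_left(self, now):
        # sliding window: drop upstream queries older than `window` seconds
        while self.sent and self.sent[0] <= now - self.window:
            self.sent.popleft()
        return self.budget - len(self.sent)

    def resolve(self, name, now):
        """Answer `name` at time `now` (seconds); None means no answer."""
        entry = self.cache.get(name)
        if entry is not None and entry[1] > now:
            self.stats["cache_hit"] += 1   # served locally, nothing sent to the ISP
            return entry[0]
        if self._budget_left(now) <= 0:
            self.stats["refused"] += 1     # cap reached: fail closed, do not query upstream
            return None
        self.sent.append(now)
        self.stats["upstream"] += 1
        answer = self.upstream.get(name)
        if answer is None:
            self.stats["nxdomain"] += 1    # a miss still costs one upstream query
            return None
        address, ttl = answer
        self.cache[name] = (address, now + ttl)
        return address


def example_queries():
    """Constructed client stream: repeated lookups over two minutes plus one
    burst of unknown names at t=30 (a student 'experimenting')."""
    queries = []
    for t in range(0, 120, 5):
        queries.append((t, "www.example.edu."))
        queries.append((t, "mail.example.edu."))
        if t % 20 == 0:
            queries.append((t, "cdn.example.net."))
        if t == 30:
            queries.extend((t, f"host{i}.example.net.") for i in range(1, 6))
    queries.append((121, "nosuchhost.example.edu."))
    return queries


def simulate(forwarder, queries):
    """Feed time-ordered (t, name) pairs through the forwarder; return answers and stats."""
    answers = [forwarder.resolve(name, t) for t, name in queries]
    return answers, dict(forwarder.stats)


if __name__ == "__main__":
    queries = example_queries()
    fwd = CachingForwarder(UPSTREAM_ANSWERS, budget=5, window=60)
    _answers, stats = simulate(fwd, queries)
    print(f"client queries: {len(queries)}  (all would reach the ISP without a cache)")
    print(f"upstream queries sent: {stats['upstream']}, served from cache: {stats['cache_hit']}")
    print(f"refused because the {fwd.budget}/{fwd.window}s budget was spent: {stats['refused']}")
```

Two points worth noticing in the run: the cache alone takes 60 client queries down to a handful of upstream ones, which is the reduction the posts above predict, and the budget is what turns "usually low" into "never more than N", at the price of refusing lookups during a burst. Without the budget, the burst of unknown names at t=30 would have gone straight to the ISP one query each, since NXDOMAIN answers are not cached in this model.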
                                  • jkristof94

                                    You are right about everything and caching will reduce the number, they want me to have a text box where I can write, let's say, 50, and pfSense will magically limit the number to 50 at all times. And yes, my ISP is Retarded with a capital R, but is somehow backed by the University, so he will not go out of business (politics maybe?).

                                    • kejianshi

                                      Tell him you have figured out how to limit it to no more than 10,000,000 or some number you estimate you won't exceed.

                                      Lie - They do it all the time.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.