As you may be aware, I run my own DNS resolver(s), and I am constantly plagued by some German governmental body waffling on about DNS amplification attacks. After a bit of toing and fro-ing, I decided to investigate further. The official answer is ‘don’t run a public resolver’; however, the following iptables snippet will stop people hammering the DNS server by dropping packets from any source that exceeds the rate limit. The numbers may need to be fiddled around with, but it seems to work, and with the added logging, PSAD can then pick up the offenders and go down the ban hammer route.
# Custom chain: log the offender (at most 2 log lines per minute), then drop
iptables -N DNSDROP
iptables -A DNSDROP -m limit --limit 2/min -j LOG --log-prefix "DNS-Dropped: " --log-level 4
iptables -A DNSDROP -j DROP
# Record every UDP/53 source in the 'dnsdos' list, then send any source seen 5 or more times in the last second to DNSDROP
iptables -A INPUT -p udp --dport 53 -m recent --set --name dnsdos
iptables -A INPUT -p udp --dport 53 -m recent --rcheck --seconds 1 --name dnsdos --hitcount 5 -j DNSDROP