Security Implications of Unrestricted Inbound UDP/53 Traffic: DNS Exploitation Risks for University Networks


DNS operates primarily over UDP port 53, and allowing unrestricted inbound traffic to that port exposes every host behind the border as a potential open resolver or reflector. Universities therefore typically implement firewall rules that permit UDP/53 only to and from their authorized DNS servers (recursive resolvers serving campus clients and authoritative servers for the university's zones) and drop the rest at the border.

Unfiltered inbound UDP/53 traffic enables several malicious activities:

# Example DNS query builder of the kind an amplification attack starts from.
# It sends a minimal standard query for example.com. The two ingredients that
# turn this into amplification are not shown: a spoofed source address (which
# needs a raw socket) and a query type whose answer is far larger than the question.
import socket

def create_dns_query(target_ip):
    dns_query = bytearray([
        0x00, 0x00,  # Transaction ID
        0x01, 0x00,  # Flags: standard query, recursion desired
        0x00, 0x01,  # Questions: 1
        0x00, 0x00,  # Answer RRs: 0
        0x00, 0x00,  # Authority RRs: 0
        0x00, 0x00   # Additional RRs: 0 (no EDNS0 OPT record, so a UDP answer is capped at 512 bytes)
    ])
    # Question name as length-prefixed labels ending in a zero byte: "example.com"
    dns_query.extend(bytes([0x07]) + b"example" + bytes([0x03]) + b"com" + bytes([0x00]))
    # QTYPE A (0x0001), QCLASS IN (0x0001)
    dns_query.extend(bytes([0x00, 0x01, 0x00, 0x01]))

    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.sendto(bytes(dns_query), (target_ip, 53))
    finally:
        sock.close()

DNS Amplification Attacks: Attackers send small queries with the source address spoofed to the victim's, so open resolvers (or authoritative servers without rate limiting) deliver much larger responses to the victim. With an EDNS0 buffer advertised in the query, one response can be tens of times the size of the query that triggered it.

DNS Cache Poisoning: An open resolver lets an outside attacker trigger lookups of its choosing and then race the legitimate answer with forged responses; a forged record that wins the race is cached and served to every client of that resolver.

Information Leakage: Internal host names and addressing can be exposed by answering queries for internal-only zones from outside, and through zone transfers (AXFR runs over TCP/53, so restricting UDP alone does not cover it).

For iptables, the rules on a DNS server host would look like this (placeholders in braces are to be filled in; order matters, because the first matching rule wins):

# Responses to queries the local resolver sent upstream arrive with source port 53;
# conntrack matches them as ESTABLISHED, so no inbound hole for destination port 53 is needed
iptables -A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Outbound: queries the local server sends, and responses it returns to its clients
iptables -A OUTPUT -p udp --dport 53 -s {local_dns_ip} -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Inbound queries: only to the authorized DNS servers, and only from the networks they serve
iptables -A INPUT -p udp --dport 53 -s {trusted_client_nets} -d {local_dns_ip} -j ACCEPT

# Per-source rate limit for any remaining legitimate traffic (e.g. public queries to an
# authoritative server). This rule must precede the final DROP; placed after it, it never
# matches. The numbers are illustrative; tune them to the measured query rate.
iptables -A INPUT -p udp --dport 53 -d {local_dns_ip} -m hashlimit --hashlimit-name dns --hashlimit-mode srcip --hashlimit-upto 50/second --hashlimit-burst 100 -j ACCEPT

# Everything else to UDP/53 is dropped
iptables -A INPUT -p udp --dport 53 -j DROP

Implement DNS Response Rate Limiting (RRL) on authoritative servers. These servers must answer the whole internet, so they cannot be protected by source filtering; RRL instead limits how often the server repeats an identical answer to one client network, which removes most of the value of reflecting through it:

# BIND9 RRL configuration example
options {
    rate-limit {
        responses-per-second 5;   # max identical responses per second to one client /24
        window 15;                # seconds over which unused credit accumulates
    };
};
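To show what responses-per-second, window and the slip mechanism do to a reflection flood, here is a simplified model of response rate limiting in Python. This is an added example, not ISC's implementation and not code from the original page: it keeps one credit balance per (client /24, qname, qtype), refills it at responses-per-second, caps accumulated credit at window seconds' worth, and sends every second refused answer truncated so a genuine client can retry over TCP. The flood it feeds in is constructed, and the slip value of 2 is an assumption.

```python
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, Tuple


class ResponseRateLimiter:
    """Simplified model of the response-rate-limiting idea (not ISC's implementation).

    One credit balance per (client network, qname, qtype). Every second adds
    `responses_per_second` credits, and unused credit accumulates for at most
    `window` seconds. A response with no credit is dropped, except that every
    `slip`-th refused response is sent truncated (TC=1, header and question only):
    a genuine client retries over TCP, while a spoofed victim only receives a
    packet no larger than the query that triggered it.
    """

    def __init__(self, responses_per_second: int = 5, window: int = 15,
                 slip: int = 2, ipv4_prefix_length: int = 24) -> None:
        self.rps = responses_per_second
        self.window = window
        self.slip = slip
        self.prefix = ipv4_prefix_length
        self.balance: Dict[Tuple[str, str, str], float] = {}
        self.last_seen: Dict[Tuple[str, str, str], float] = {}
        self.dropped: Dict[Tuple[str, str, str], int] = defaultdict(int)

    def _key(self, client_ip: str, qname: str, qtype: str) -> Tuple[str, str, str]:
        # Spoofed sources spread across a block are bucketed together by network
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, client_ip: str, qname: str, qtype: str, now: float) -> str:
        """Return 'send', 'slip' (truncated reply) or 'drop' for one response."""
        key = self._key(client_ip, qname, qtype)
        elapsed = now - self.last_seen.get(key, now)
        # A fresh bucket starts with one second's worth of credit
        credit = self.balance.get(key, float(self.rps)) + elapsed * self.rps
        credit = min(credit, self.rps * self.window)
        self.last_seen[key] = now
        if credit >= 1:
            self.balance[key] = credit - 1
            return "send"
        self.balance[key] = credit
        self.dropped[key] += 1
        if self.slip and self.dropped[key] % self.slip == 0:
            return "slip"
        return "drop"


def simulate(limiter: ResponseRateLimiter, client_ip: str, qname: str, qtype: str,
             count: int, now: float) -> Dict[str, int]:
    """Feed `count` identical responses at one instant and tally the decisions."""
    return dict(Counter(limiter.decide(client_ip, qname, qtype, now) for _ in range(count)))


if __name__ == "__main__":
    rrl = ResponseRateLimiter(responses_per_second=5, window=15, slip=2)
    # Constructed flood: 20 ANY responses for one name to one spoofed /24 in the same second
    print(simulate(rrl, "198.51.100.7", "isc.org", "ANY", 20, now=100.0))
    # An unrelated client has its own bucket and is unaffected
    print(rrl.decide("10.1.2.3", "isc.org", "ANY", 100.0))
    # Three seconds later the attacked bucket has earned credit again
    print(rrl.decide("198.51.100.7", "isc.org", "ANY", 103.0))
```

Of the 20 identical responses in one second, 5 go out in full, 7 go out truncated and 8 are dropped; a client in a different /24 asking the same question is unaffected, and the attacked bucket recovers as soon as the flood pauses. Bucketing by /24 is what makes the scheme work against spoofed sources spread across a victim's block, at the cost of other hosts in that block sharing the limit.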

For recursive resolvers, disable recursion for external clients. Unbound applies the most specific matching access-control entry, so the catch-all 0.0.0.0/0 line does not shadow the internal networks; refuse answers with RCODE REFUSED, while deny drops the query silently and avoids reflecting even that small packet:

# Unbound configuration snippet
server:
    access-control: 10.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

DNS primarily uses UDP port 53 for queries and responses because of its low overhead; TCP/53 is used for zone transfers and for responses that do not fit in a UDP packet. A typical DNS query looks like:

# Sample DNS query in Python
import socket

def encode_name(domain):
    # DNS names go on the wire as length-prefixed labels ending in a zero byte,
    # e.g. "example.com" -> b"\x07example\x03com\x00"
    labels = domain.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dns_query(domain, dns_server="8.8.8.8", timeout=2.0):
    # Header: ID 0xAAAA, flags 0x0100 (standard query, recursion desired),
    # QDCOUNT 1, ANCOUNT/NSCOUNT/ARCOUNT 0
    header = b"\xAA\xAA\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    question = encode_name(domain) + b"\x00\x01\x00\x01"   # QTYPE A, QCLASS IN
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)   # UDP gives no delivery guarantee; do not block forever
    try:
        sock.sendto(header + question, (dns_server, 53))
        response, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return response

Universities typically implement strict inbound UDP/53 filtering because:

1. DNS Amplification Attacks: Open resolvers can be abused in DDoS attacks. Attackers spoof the victim's IP and send small queries that generate large responses. The amplification only works when the query advertises a large EDNS0 UDP buffer; without it the server caps the UDP response at 512 bytes and sets the TC bit:

// Example of amplification potential (open.resolver.edu is a placeholder; the size is illustrative)
dig ANY isc.org @open.resolver.edu +notcp +bufsize=4096 +ignore
;; MSG SIZE  rcvd: 3000     // a query of roughly 50 bytes drew a response around 60x larger

2. Cache Poisoning: An open resolver lets an outside attacker trigger lookups of its choosing and then race the legitimate answer with forged responses, guessing the 16-bit transaction ID (and the source port, where the resolver does not randomize it). A forged record that wins the race is served to every client of that resolver.

3. Information Leakage: Internal network structure can be revealed through zone transfers (AXFR, which runs over TCP/53, so the TCP side needs restricting as well) and through answers about internal-only zones given to outside clients.
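The amplification ratio in the dig output above, and the hand-assembled queries earlier on this page, can be made concrete with a small DNS message builder and parser. This is an added example, not code from the original page: it builds an ANY query with an EDNS0 OPT record (the part that lets a response exceed 512 bytes), constructs a synthetic oversized answer of the kind an open resolver would return (the TXT payload is made up), parses it including compression pointers, computes the amplification factor, and shows the truncation that applies when the client advertises no EDNS buffer. Truncation is simplified to header plus question; real servers may keep partial records.

```python
import struct
from typing import Optional, Tuple

QTYPE_ANY, QTYPE_TXT, TYPE_OPT = 255, 16, 41


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234,
                edns_bufsize: Optional[int] = 4096) -> bytes:
    """Standard query with RD set; with edns_bufsize an OPT pseudo-record advertises
    how large a UDP response the client accepts (512 bytes is the limit without it)."""
    arcount = 1 if edns_bufsize else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)        # QTYPE, QCLASS IN
    if edns_bufsize:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return msg


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name that may use compression pointers; returns (name, offset past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                          # 11xxxxxx: 14-bit pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                           # name ends after the first pointer
            offset, hops = pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_message(msg: bytes) -> dict:
    """Header, question section and all resource records (owner, type, raw rdata)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, records = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an + ns + ar):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        records.append((name, rtype, msg[offset:offset + rdlen]))
        offset += rdlen
    return {"id": txid, "truncated": bool(flags & 0x0200), "rcode": flags & 0xF,
            "questions": questions, "records": records, "size": len(msg)}


def build_fake_response(query: bytes, txt_count: int, txt_len: int) -> bytes:
    """Constructed (not captured) answer: copies the question and adds txt_count TXT
    records whose owner name is a compression pointer to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    _, q_end = decode_name(query, 12)
    question = query[12:q_end + 4]
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, txt_count, 0, 0) + question
    rdata = bytes([txt_len]) + b"A" * txt_len               # one <len><chars> TXT string
    for _ in range(txt_count):
        msg += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_TXT, 1, 3600, len(rdata)) + rdata
    return msg


def udp_response(msg: bytes, client_bufsize: int) -> bytes:
    """What goes out over UDP: the full message if it fits the client's advertised buffer,
    otherwise header + question with TC set (simplified; servers may keep partial records)."""
    if len(msg) <= client_bufsize:
        return msg
    _, q_end = decode_name(msg, 12)
    hdr = bytearray(msg[:12])
    hdr[2] |= 0x02                                           # TC bit
    struct.pack_into("!HHHH", hdr, 4, 1, 0, 0, 0)            # only the question survives
    return bytes(hdr) + msg[12:q_end + 4]


def amplification_factor(query: bytes, response: bytes) -> float:
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com", QTYPE_ANY)                       # 40 bytes with EDNS
    r = build_fake_response(q, txt_count=10, txt_len=200)            # 2159 bytes
    print(f"EDNS query {len(q)}B -> response {len(r)}B, x{amplification_factor(q, r):.1f}")
    q_plain = build_query("example.com", QTYPE_ANY, edns_bufsize=None)
    t = udp_response(build_fake_response(q_plain, 10, 200), 512)
    print(f"no EDNS: {len(t)}B on the wire, truncated={parse_message(t)['truncated']}")
```

With the 40-byte EDNS query the constructed 2159-byte answer is a factor of about 54; the same question without EDNS draws only a 29-byte truncated reply, which is why reflection attacks always advertise a large buffer and why RRL's truncated "slip" responses are harmless to the victim.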

For a university-operated recursive resolver, these iptables rules demonstrate proper filtering (an authoritative server has to accept queries from anywhere and relies on RRL instead):

# Allow internal clients
iptables -A INPUT -p udp --dport 53 -s 10.0.0.0/8 -j ACCEPT

# Allow an authorized external secondary (its SOA refresh checks arrive over UDP;
# the zone transfer itself uses TCP/53 and needs a matching -p tcp rule)
iptables -A INPUT -p udp --dport 53 -s 192.0.2.1 -j ACCEPT

# Block all other UDP/53
iptables -A INPUT -p udp --dport 53 -j DROP

DNSSEC does not stop an attacker from sending forged responses; it lets validating resolvers detect and discard them. That takes two sides: the university's authoritative servers sign their zones, and its recursive resolvers validate. The BIND9 snippet below is the resolver side. Note that the older dnssec-enable option is obsolete (it has no effect in BIND 9.16 and later) and that trusted-nets must be defined with an acl statement:

// BIND9 configuration snippet (recursive resolver)
acl trusted-nets { 10.0.0.0/8; 192.168.0.0/16; localhost; };

options {
    dnssec-validation auto;         // validate using the built-in root trust anchor
    allow-query { trusted-nets; };
    allow-recursion { trusted-nets; };
};

An authoritative-only server instead keeps allow-query { any; } (the internet has to be able to query it), sets allow-recursion { none; }, and signs its zones (in BIND 9.16 and later, dnssec-policy default; in the zone statement).

Universities should also monitor for abnormal DNS traffic patterns (query-rate spikes from single sources, bursts of ANY or TXT queries, clients outside the networks a resolver is meant to serve); the firewall can enforce a ceiling, and monitoring catches what the ceiling does not:

# Rate limiting with iptables. Note that -m limit is an aggregate limit across all sources:
# once an attacker exhausts the 5/second budget, legitimate clients are dropped as well.
# Per-source hashlimit or server-side RRL degrades more gracefully.
iptables -A INPUT -p udp --dport 53 -m limit --limit 5/second --limit-burst 10 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j DROP
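As a worked example of the monitoring side, the Python below runs two checks over query-log lines in the shape of BIND's "queries" logging channel: clients outside the networks a recursive resolver should serve (a firewall or ACL hole, or spoofed reflection traffic), and sources sending a burst of EDNS queries for amplification-prone record types within a short window. This is an added example, not the page's original code and not part of BIND; the log lines are constructed, and the threshold, window and set of record types are assumptions to tune against real traffic.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, List

# Constructed query-log lines in the shape of BIND's "queries" channel (not real
# traffic). Fields: timestamp, client address#port, qname, qtype, flags (+E = EDNS).
SAMPLE_LOG = """\
22-Mar-2024 10:15:01.001 client @0x7f3a 198.51.100.7#40211 (isc.org): query: isc.org IN ANY +E(0) (192.0.2.53)
22-Mar-2024 10:15:01.210 client @0x7f3a 198.51.100.7#40211 (isc.org): query: isc.org IN ANY +E(0) (192.0.2.53)
22-Mar-2024 10:15:01.420 client @0x7f3a 198.51.100.7#40211 (isc.org): query: isc.org IN ANY +E(0) (192.0.2.53)
22-Mar-2024 10:15:01.630 client @0x7f3a 198.51.100.7#40211 (isc.org): query: isc.org IN ANY +E(0) (192.0.2.53)
22-Mar-2024 10:15:01.840 client @0x7f3a 198.51.100.7#40211 (isc.org): query: isc.org IN ANY +E(0) (192.0.2.53)
22-Mar-2024 10:15:02.050 client @0x7f3a 198.51.100.7#40211 (isc.org): query: isc.org IN ANY +E(0) (192.0.2.53)
22-Mar-2024 10:15:02.900 client @0x7f3b 10.20.30.4#51877 (www.example.edu): query: www.example.edu IN A +E(0) (192.0.2.53)
22-Mar-2024 10:15:03.100 client @0x7f3c 10.20.30.4#51878 (mail.example.edu): query: mail.example.edu IN MX + (192.0.2.53)
22-Mar-2024 10:15:04.500 client @0x7f3d 203.0.113.9#33001 (example.com): query: example.com IN A + (192.0.2.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Record types whose answers are large relative to the query (assumed list)
AMPLIFYING_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def parse_log(text: str) -> List[Dict]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # not a query line; skip it
        entries.append({
            "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
            "ip": m["ip"], "port": int(m["port"]), "qname": m["qname"],
            "qtype": m["qtype"].upper(), "edns": m["flags"].startswith("+E"),
        })
    return entries


def out_of_scope_clients(entries: Iterable[Dict], allowed_nets: Iterable[str]) -> List[str]:
    """Clients outside the networks a recursive resolver is meant to serve: either the
    firewall/ACL has a hole or the address is spoofed for reflection."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    seen: List[str] = []
    for e in entries:
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in n for n in nets) and e["ip"] not in seen:
            seen.append(e["ip"])
    return seen


def amplification_sources(entries: Iterable[Dict], threshold: int = 5,
                          window_seconds: float = 10.0) -> Dict[str, int]:
    """Sources sending at least `threshold` EDNS queries for amplification-prone types
    within any `window_seconds` span; returns the peak in-window count per source."""
    windows: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for e in sorted(entries, key=lambda x: x["ts"]):
        if not (e["edns"] and e["qtype"] in AMPLIFYING_TYPES):
            continue
        q = windows[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()                     # slide the window forward
        if len(q) >= threshold:
            flagged[e["ip"]] = max(flagged.get(e["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("outside served networks:", out_of_scope_clients(entries, ["10.0.0.0/8", "192.168.0.0/16"]))
    print("likely reflection sources:", amplification_sources(entries))
```

On the constructed sample, 198.51.100.7 and 203.0.113.9 are outside the served networks, and only 198.51.100.7 trips the burst check (six EDNS ANY queries for one name in about a second). The fixed source port across those queries is itself a tell, since a real stub resolver varies it; a production version would feed the same parsed entries into whatever alerting pipeline the university already runs.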