0

Weird DDOS against my nextdns backed resolver ... help me understand ...

I run my own resolver with 'unbound' on a server I own.

The upstream resolver for *my* resolver is my nextdns account.

So, instead of querying my nextdns account/address, I query my own DNS server, which gets resolution from nextdns.

This works great and I'm happy.

However, I have no access controls on it of any kind - if you guess the IP of my unbound server you can query it for lookups.

This was never a problem until ...

Suddenly I am getting *HAMMERED* by 10+ lookups per second from IPs in Brazil.

The weird thing is, they just look up garbage and repeat it over and over. For instance, right now they are querying '.tv' ... not example.tv or host.example.tv, but just the 'tv' TLD ... over and over and over:

Nov 29 21:51:38 unbound[12005:0] info: 131.100.217.145 tv. ANY IN

... and on other days, they are either querying 'cisco.com' or 'atlassian.com' ... over and over and over, 10x or more per SECOND.

This is really odd behavior ...

IF someone was using my DNS server for their own resolution, we'd see a variety of traffic from their own queries or the queries of their entire network.

OR if someone was generating legitimate lookup traffic they wouldn't just requery the same address 10x per second for days and days at a time ...

OR if someone was trying to DDOS my little DNS server and they have all of these brazilian IPs to do it with, they could just flood me with MUCH more traffic than this.

So my only guess is:

This is a DDOS and it is a DDOS against nextdns ... somebody found resolvers that have paid access to nextdns and they are using those to flood nextdns with junk queries ...

Some more info:

All of this traffic comes from what appear to be DHCP assigned residential IP users:

# host 189.127.134.10
10.134.127.189.in-addr.arpa domain name pointer dynamic-189-127-134-10.jsvtelecom.net.br.

Further, if I block an entire /16 or even /8 it pauses for a few minutes ... and then just starts back up on another netblock.

At one point I blocked 20+ /16 netblocks and the traffic still kept coming in on new netblocks.

Again, this is very odd - these are *thousands* of IP addresses that are locked and loaded to flood my silly little nameserver with useless DNS queries, day after day, for no reason that I can discern.

Any idea what this is ?

Do I misunderstand what I am seeing here ?

Thanks.

5 replies

null
    • bford
    • 1 yr ago
    • Reported - view

    One other detail ...

    Whoever is issuing these queries does NOT CARE if they even get a response.

    For instance, I saw them doing a lookup for cloudflare.com 10-20 times per second so I null'd that out in my unbound config:

     

    local-zone: "cloudflare.com" always_nxdomain

     

    ... and they don't care - they just keep querying over and over - even days later.

     

    Again, very strange - just hammering my little DNS server, not caring whether they get a response or not, but quickly changing source IP ranges on the fly as I block them out ...

    • Martheen
    • 1 yr ago
    • Reported - view

    That's not DDoS against NextDNS, they simply have thousands of other open resolvers to flood their target. DNS amplification attacks rely on very small queries but much larger responses, which is what ANY does (this is also why some resolvers, including Cloudflare, outright ignore ANY)

    UDP also doesn't actually show the origin of the traffic, merely the supposed reply-to address, so what you're seeing isn't the perpetrator IP, but the victim IP.

    Check your VPS provider policy on hosting resolver, most of them don't like people hosting open resolver because of these kinds of abuse. If possible use DoH/DoT/DoQ instead with AdGuard Home set to use your NextDNS upstream (though if you can do this you're probably better off just calling NextDNS directly from your devices)

      • bford
      • 1 yr ago
      • Reported - view

      Thank you very much - appreciated.

      So what I am seeing in my logs and traffic is a standard DNS amplification attack ?

      I understand that running an open resolver might be problematic.

      One way to solve this problem is to close my resolver down and lock it to just my own IPs.

      However, can I also ignore the 'ANY' queries, like you describe that cloudflare does, and leave it open to the public ?  Would that mitigate most (all ?) of these attacks ?

      Further, would I notice, or be annoyed by, the disabling of "ANY" responses ?

      Thanks again.

      • Martheen
      • 1 yr ago
      • Reported - view

       Yeah, filtering to your ISP subnet is a good start if you can't use DoH/DoT/DoQ on your device. Ignoring ANY request does reduce attack potential though they're not cureall, since some records are still potentially much larger than usual *and* crucial for operation (eg, TXT records). Lookup `refuse_any` option in AGH Wiki, there's no UI for it yet. Generally, you shouldn't notice anything after disabling ANY, Cloudflare is very popular and they've been disabling it since 2019, they pointed out that the volume of ANY query is very small compared to A & AAAA, and I'm not aware of any software or hardware product that advice their user to not use Cloudflare because of that behavior. 

      • bford
      • 1 yr ago
      • Reported - view

      Thank you.

      I think a good looking mitigation here is setting:

      deny-any: yes

      ... in my unbound.conf.

      In the meantime, I am trying to get a response from NextDNS support - I am a corporate paying customer ($19/mo) emailing business@nextdns.io and have resent my request twice over the past 10 days but have gotten no response. Not even a ticket system auto-reply.

      Is there some reason I would not be getting a response to the paid business@nextdns.io address ?

Content aside

  • 1 yr agoLast active
  • 5Replies
  • 250Views
  • 2 Following