Weird DDOS against my nextdns backed resolver ... help me understand ...
I run my own resolver with 'unbound' on a server I own.
The upstream resolver for *my* resolver is my nextdns account.
So, instead of querying my nextdns account/address, I query my own DNS server, which gets resolution from nextdns.
This works great and I'm happy.
However, I have no access controls on it of any kind - if you guess the IP of my unbound server you can query it for lookups.
This was never a problem until ...
Suddenly I am getting *HAMMERED* by 10+ lookups per second from IPs in Brazil.
The weird thing is, they just look up garbage and repeat it over and over. For instance, right now they are querying '.tv' ... not example.tv or host.example.tv, but just the 'tv' TLD ... over and over and over:
Nov 29 21:51:38 unbound[12005:0] info: 131.100.217.145 tv. ANY IN
... and on other days, they are either querying 'cisco.com' or 'atlassian.com' ... over and over and over, 10x or more per SECOND.
This is really odd behavior ...
IF someone was using my DNS server for their own resolution, we'd see a variety of traffic from their own queries or the queries of their entire network.
OR if someone was generating legitimate lookup traffic they wouldn't just requery the same address 10x per second for days and days at a time ...
OR if someone was trying to DDOS my little DNS server and they have all of these brazilian IPs to do it with, they could just flood me with MUCH more traffic than this.
So my only guess is:
This is a DDOS and it is a DDOS against nextdns ... somebody found resolvers that have paid access to nextdns and they are using those to flood nextdns with junk queries ...
Some more info:
All of this traffic comes from what appear to be DHCP-assigned residential IP users:
# host 189.127.134.10
10.134.127.189.in-addr.arpa domain name pointer dynamic-189-127-134-10.jsvtelecom.net.br.
Further, if I block an entire /16 or even a /8, it pauses for a few minutes ... and then it just starts back up on another netblock.
At one point I blocked 20+ /16 netblocks and the traffic still kept coming in on new netblocks.
Again, this is very odd - these are *thousands* of IP addresses that are locked and loaded to flood my silly little nameserver with useless DNS queries, day after day, for no reason that I can discern.
Any idea what this is ?
Do I misunderstand what I am seeing here ?
Thanks.
5 replies
-
One other detail ...
Whoever is issuing these queries does NOT CARE if they even get a response.
For instance, I saw them doing a lookup for cloudflare.com 10-20 times per second so I null'd that out in my unbound config:
local-zone: "cloudflare.com" always_nxdomain
... and they don't care - they just keep querying over and over - even days later.
Again, very strange - just hammering my little DNS server, not caring whether they get a response or not, but quickly changing source IP ranges on the fly as I block them out ...
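As an added illustration (not the poster's actual unbound.conf, and not taken from unbound's own documentation), here is the open forwarder described in the first post beside a hardened version that addresses the points raised in the reply below: refuse recursion to anyone outside your own networks, answer type ANY with an empty reply so there is nothing to amplify, rate-limit what still gets in, and carry the upstream leg to NextDNS over TLS. The allowed network (203.0.113.0/24) and the NextDNS configuration ID (abc123) are placeholders; the 45.90.28.0 / 45.90.30.0 addresses are NextDNS's published anycast resolvers.

```conf
# ---- /etc/unbound/unbound.conf as described in the thread (open resolver) ----
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow        # anyone on the internet may recurse
    # no deny-any, no rate limits: a 20-byte "tv. ANY" query buys a large reply
forward-zone:
    name: "."
    forward-addr: 45.90.28.0               # NextDNS over plain UDP/53

# ---- hardened version (placeholders: 203.0.113.0/24, abc123) ----
server:
    interface: 0.0.0.0
    # Default-deny. "refuse" returns a tiny REFUSED packet; "deny" drops the
    # packet silently, which gives a reflection attacker nothing at all.
    access-control: 0.0.0.0/0 deny
    access-control: 127.0.0.0/8 allow
    access-control: 203.0.113.0/24 allow   # placeholder: your LAN / VPN range
    # Answer ANY with an empty response: removes the amplification payoff.
    deny-any: yes
    minimal-responses: yes
    # Per-source and per-zone limits for whatever is still allowed in.
    ip-ratelimit: 20                       # queries per second per client IP
    ratelimit: 1000                        # queries per second per zone
    # CA bundle used to verify the upstream TLS certificate (Debian path).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 45.90.28.0@853#abc123.dns.nextdns.io   # DoT, auth name = your config ID
    forward-addr: 45.90.30.0@853#abc123.dns.nextdns.io
```

The two `server:` stanzas are shown together for comparison only; use one or the other. After editing, run `unbound-checkconf` before restarting, and note that the access-control change is what actually stops the traffic: the `local-zone ... always_nxdomain` trick in the comment above still answers, so the spoofed sources keep being served.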
-
That's not a DDoS against NextDNS; they simply have thousands of other open resolvers to flood their target. DNS amplification attacks rely on very small queries but much larger responses, which is what ANY does (this is also why some resolvers, including Cloudflare, outright ignore ANY).
UDP also doesn't actually show the origin of the traffic, merely the supposed reply-to address, so what you're seeing isn't the perpetrator IP, but the victim IP.
Check your VPS provider's policy on hosting resolvers; most of them don't like people hosting open resolvers because of this kind of abuse. If possible, use DoH/DoT/DoQ instead, with AdGuard Home set to use your NextDNS upstream (though if you can do this, you're probably better off just calling NextDNS directly from your devices).
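To make the reflection pattern the reply describes concrete, here is an added example (not code from the poster, NextDNS or unbound) that parses unbound query-log lines in the format quoted in the first post, groups them by name and type, and flags the signature of spoofed-source reflection: one name hammered at a high rate from many different addresses, which for spoofed traffic are the victims rather than the attackers. It also computes the on-wire size of the query to show the "small query" side of the amplification ratio. The log lines are constructed for the example, with addresses from documentation ranges.

```python
"""Spot DNS reflection traffic in unbound query logs (log-queries: yes).

Added example for this thread, not code from the poster or from unbound.
The log lines are constructed to match the single line quoted in the first
post; addresses come from documentation ranges and are placeholders.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# "Nov 29 21:51:38 unbound[12005:0] info: 131.100.217.145 tv. ANY IN"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) unbound\[\d+:\d+\] info: "
    r"(?P<src>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)


def parse_line(line):
    """Return a dict for a query-log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; any fixed year gives correct deltas
    rec["ts"] = datetime.strptime("2000 " + rec["ts"], "%Y %b %d %H:%M:%S")
    return rec


def wire_query_size(qname):
    """Bytes in a plain (no EDNS) DNS query for qname, the small side of the
    amplification ratio: 12-byte header + length-prefixed labels + root
    label + 2-byte QTYPE + 2-byte QCLASS."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return 12 + sum(1 + len(l) for l in labels) + 1 + 4


def analyze(lines):
    """Per (qname, qtype): count, queries/sec over the log window and the
    distinct source addresses (for spoofed traffic these are the victims)."""
    recs = [r for r in map(parse_line, lines) if r]
    if not recs:
        return {}
    first = min(r["ts"] for r in recs)
    last = max(r["ts"] for r in recs)
    window = (last - first).total_seconds() + 1.0   # 1-second log resolution
    groups = defaultdict(list)
    for r in recs:
        groups[(r["qname"], r["qtype"])].append(r["src"])
    return {
        key: {"count": len(srcs), "qps": len(srcs) / window,
              "sources": Counter(srcs)}
        for key, srcs in groups.items()
    }


def flag_reflection(stats, min_qps=5.0, min_sources=3):
    """A single name at high rate from many addresses is the reflection
    pattern; a real client varies its names. ANY is flagged regardless of
    source count because of its response size."""
    return sorted(
        key for key, s in stats.items()
        if s["qps"] >= min_qps
        and (key[1] == "ANY" or len(s["sources"]) >= min_sources)
    )


def constructed_log():
    """50 'tv. ANY' queries in 5 s from 10 spoofed sources plus three normal
    lookups from one LAN host (constructed sample, not captured data)."""
    lines = []
    for i in range(50):
        lines.append(f"Nov 29 21:51:{38 + i // 10} unbound[12005:0] info: "
                     f"198.51.100.{i % 10 + 1} tv. ANY IN")
    lines += [
        "Nov 29 21:51:39 unbound[12005:0] info: 10.0.0.5 www.example.com. A IN",
        "Nov 29 21:51:40 unbound[12005:0] info: 10.0.0.5 mail.example.com. MX IN",
        "Nov 29 21:51:41 unbound[12005:0] info: 10.0.0.5 example.net. AAAA IN",
    ]
    return lines


if __name__ == "__main__":
    stats = analyze(constructed_log())
    for qname, qtype in flag_reflection(stats):
        s = stats[(qname, qtype)]
        print(f"{qname} {qtype}: {s['qps']:.1f} q/s from {len(s['sources'])} "
              f"addresses; the query is only {wire_query_size(qname)} bytes on the wire")
```

Run it against a real log with `analyze(open("/var/log/unbound.log").read().splitlines())`; the addresses listed under `sources` are the ones to contact as victims, not block as attackers, which is also why blocking netblocks in the first post never made the traffic stop.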