How to add reverse DNS delegation for RIPE

Tunc Yıldırım — Wed, 18 Sep 2019 20:51:47 +0000

Let’s say we want to add reverse DNS delegation for the IP block 123.234.12.0/24

The first step of the configuration is on the nameserver, BIND on our case.

Create the relevant reverse DNS file on /var/named/rev and then edit the file:

cd /var/named/rev
touch 123.234.12
vim 123.234.12

The file contents should be like the following:

$TTL 3D
@       IN      SOA     ns1.rackdc.com. postmaster.rackdc.com. (
                        2018112201   ; Serial, todays date + todays serial
                        8H      ; Refresh
                        2H      ; Retry
                        4W      ; Expire
                        1D)     ; Minimum TTL
                                ; Created on http://root0.net 2005-10-27
                 NS             ns1.rackdc.com.
                 NS		ns2.rackdc.com.
                 
$ORIGIN 12.234.123.in-addr.arpa.


12		PTR		rackdc.com.

After configuring this file with correct details, edit the file /etc/named.conf to include the file you’ve just created.

vim /etc/named.conf

Add the following line in the file:

zone "12.234.123.in-addr.arpa" { notify yes; type master; file "/var/named/rev/123.234.12";allow-query { any; };};

Finally, restart the DNS service.

service named restart

It is important to complete this step before creating an object in RIPE.

The post How to add reverse DNS delegation for RIPE appeared first on VeriTeknik.

Snort rules for isc.org and ripe.net DNS Amplification Attacks

ckaraca — Sat, 16 Mar 2013 21:25:55 +0000

Everything started with a few queries of isc.org thrugh open DNS servers located at our data center. Searching through the net we found that we are not the victims but a part of uncomprimised sources of a huge DDoS attack. A 60 byte query will turn into 50 times larger data directed to victims IP addresses. Even we were not the victims, the attacks became threading our connection if you think of hundreds of servers each of them pushing 10 Mbits to the Net. We needed a solution to stop those attacks.

Finally we have found a solution to stop DNS Amplification Attacks using pfsense with snort.

The below codes are extracted from raw IP data, as a sample, you may check what we had done for ripe.net query:

0x0000: 4500 0042 6142 4000 7911 e7c3 9a23 a00b E..BaB@.y....#..
0x0010: 5e67 200f 0035 0035 002e 0000 03b8 0100 ^g...5.5........
0x0020: 0001 0000 0000 0001 0472 6970 6503 6e65 .........ripe.ne
0x0030: 7400 00ff 0001 0000 2910 0000 0080 0000 t.......).......
0x0040: 0000 ..

Use the code below to stop DNS Amplification attacks, you can paste the code to snort interface Advanced configuration pass through section:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS ripe.net UDP"; content:"|01 04 72 69 70 65 03 6e 65 74 00|";classtype:attempted-dos;sid:4000003;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS isc.org UDP"; content:"|01 03 69 73 63 03 6f 72 67|";classtype:attempted-dos;sid:4000003;)

The code is tested to have minimal overhead.

Please post your comment if you need additional DNS Amplification Attack rules.

The post Snort rules for isc.org and ripe.net DNS Amplification Attacks appeared first on VeriTeknik.

ripe – VeriTeknik

How to add reverse DNS delegation for RIPE

Snort rules for isc.org and ripe.net DNS Amplification Attacks